Recent customer account takeovers have put account protection back on the agenda for Australian businesses. Our 2024 survey of Australian CISOs and CTOs shows how respondents are using MFA, bot protection, WAAP and residential proxy detection to manage credential stuffing and account takeover risk.
Account Protection: Current State and Future Plans
Our survey found 76.23% of Australian businesses use Multi-Factor Authentication (MFA). MFA is widely adopted, but it is not a complete account protection strategy on its own.

39.34% of organisations currently use bot protection. That matters because credential stuffing is automated by design. Another 34.65% of businesses plan to implement bot protection in the future.

The pattern is clear: many organisations are treating MFA as a baseline and looking at additional controls around it.
Current Bot Management Solutions
The survey also asked which bot management solutions Australian businesses currently use. Cloudflare was the clear leader, with nearly half of respondents using its services.

The breakdown of bot management solutions is as follows:
- Cloudflare: 48.24%
- AWS WAF Bot Ruleset: 10.59%
- Other solutions make up the remaining percentage
This distribution is concentrated around Cloudflare. Outside that, the remaining respondents are spread across other solutions rather than one clear alternative.
Tooling matters here. Residential proxy traffic weakens IP reputation and simple rate limits, so detection capability, request grouping and response controls matter as much as vendor name. If residential proxies continue to feature in credential stuffing tooling, this mix may shift as teams look for more advanced protection measures.
The Rising Threat of Residential Proxies
A key finding from our survey is the low adoption rate of residential proxy (resip) detection, with only 13.11% of organisations currently using this technology. Planned adoption suggests teams are starting to account for the risk, but current coverage is still low.
Resips are difficult for account security teams because malicious traffic can look like normal ISP traffic. They enable attackers to:
- Bypass traditional IP-based rate limiting
- Evade geolocation-based restrictions
- Conduct large-scale credential stuffing attacks
- Scrape sensitive data undetected
The planned adoption of resip detection points to a shift in security strategies, away from simple IP-based controls and towards more specific network signals.
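As an added example (not from the survey data or any vendor's product), the code below shows why a per-IP rate limit stays silent when login attempts are spread across residential proxies, while grouping requests by a shared client signal surfaces the same run. The `fingerprint` field, the thresholds and the login events are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events (not real data): (ip, fingerprint, username, success)."""
    events = []
    # Distributed run: 40 source IPs, one attempt each, one shared client fingerprint.
    for i in range(40):
        events.append((f"198.51.100.{i + 1}", "fp-tool", f"victim{i}", i == 17))
    # Ordinary users: a popular browser fingerprint shared by many IPs, mostly successful.
    for i in range(30):
        ip = f"203.0.113.{i + 1}"
        if i % 10 == 0:  # a few users mistype once before succeeding
            events.append((ip, "fp-browser", f"user{i}", False))
        events.append((ip, "fp-browser", f"user{i}", True))
    return events

def per_ip_offenders(events, max_attempts=5):
    """Classic control: flag any IP with more than max_attempts logins in the window."""
    counts = defaultdict(int)
    for ip, _fp, _user, _ok in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_attempts}

def suspicious_groups(events, min_ips=10, min_users=10, min_fail_ratio=0.8):
    """Group by fingerprint; flag groups spread over many IPs and usernames that mostly fail."""
    groups = defaultdict(lambda: {"ips": set(), "users": set(), "total": 0, "failed": 0})
    for ip, fp, user, ok in events:
        g = groups[fp]
        g["ips"].add(ip)
        g["users"].add(user)
        g["total"] += 1
        g["failed"] += 0 if ok else 1
    flagged = {}
    for fp, g in groups.items():
        ratio = g["failed"] / g["total"]
        # A fingerprint shared by many IPs is normal (same browser build); require
        # many distinct usernames and a high failure ratio before flagging it.
        if len(g["ips"]) >= min_ips and len(g["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[fp] = {"ips": len(g["ips"]), "users": len(g["users"]), "fail_ratio": ratio}
    return flagged

if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP offenders:", per_ip_offenders(sample))
    print("flagged fingerprint groups:", suspicious_groups(sample))
```

The popular browser fingerprint is also seen from many IPs, so the failure ratio and username spread are what separate it from the distributed run.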
Credential Stuffing: A Persistent and Growing Concern
Credential stuffing attacks continue to be a major concern for businesses. These attacks exploit password reuse across multiple sites, allowing attackers to gain unauthorised access to user accounts.
Respondents said they plan to implement several measures to reduce credential stuffing risk:
- 34.65% plan to implement bot protection
- 32.67% intend to add multi-factor authentication
- 31.68% aim to check credentials against known breaches
These plans point to layered account protection rather than reliance on one control.
Mobile Applications: An Emerging Attack Surface
While mobile applications were not directly addressed in our survey, the data suggests a possible gap in mobile security strategies. The low adoption rate of Web Application and API Protection (WAAP) - implemented by only 27.87% of respondents - indicates many businesses may be underprepared to protect their mobile assets.
As mobile apps become primary interfaces for critical operations, this gap leaves businesses exposed to attacks that use the same automation and resip infrastructure seen on web login flows.
Balancing Security and User Experience
The operational problem is familiar: increase assurance without making login unusable. Key considerations for enhancing account protection while preserving usability include:
- Expanding beyond MFA
- Implementing bot protection
- Adopting WAAP solutions
- Monitoring credential leaks
- Focusing on API security
- Implementing residential proxy detection
Executive vs Engineer Perspectives
Our survey found differences in cybersecurity priorities between executives and engineers:

Figure 3: Comparison of cybersecurity priorities between executives and engineers
The gap matters because budget, architecture, and incident response are often owned by different teams. Account protection plans need to cover both executive risk concerns and engineering realities, including the threat from resips.
Final Thoughts
Our 2024 survey results point to a simple position: MFA is widely used, but it is not the whole account protection strategy. Bot protection, breached credential checks, WAAP and residential proxy detection are still unevenly adopted. That matters because credential stuffing does not depend on one weakness; it combines reused credentials, automation, proxy networks and weak response controls.
Australian businesses do not need every control at once, but they need a layered plan that reflects how account takeover attacks are run now. For teams reviewing their controls, resip detection and mobile/API coverage are worth checking explicitly because both are easy to miss if the programme is still centred on MFA and IP reputation.