Businesses are facing annual losses ranging from $94 to $186 billion due to vulnerable or insecure APIs (Application Programming Interfaces) and the automated exploitation by bots. This data is derived from The Economic Impact of API and Bot Attacks report published by Imperva, a Thales company. The report reveals that these security vulnerabilities are responsible for up to 11.8% of global cyber incidents and financial losses, underscoring the escalating threats confronting companies worldwide.
Drawing on analysis by the Marsh McLennan Cyber Risk Intelligence Center, the report scrutinizes over 161,000 distinct cybersecurity breaches. The results signify a troubling pattern: the risks posed by vulnerable or insecure APIs and automated bot exploitation are increasingly intertwined and prevalent. Imperva cautions that disregarding these security threats could culminate in considerable financial losses and reputational harm.
Adoption of APIs and the Expanding Attack Surface
Modern business activities heavily rely on APIs, which enable seamless connectivity and data transmission among applications and services. APIs serve a multitude of purposes, from empowering mobile applications to supporting eCommerce platforms and open banking systems. Nevertheless, the widespread embrace of APIs has brought forth significant security dilemmas. According to Imperva Threat Research, the average enterprise administered 613 API endpoints in production over the past year, with projections indicating a surge as organizations embrace APIs to propel digital transformation and innovation.
This augmented dependence on APIs has substantially broadened the attack surface, with incidents related to API security escalating by 40% in 2022 and by an additional 9% in 2023. These attacks pose grave threats as APIs often provide direct access to a company’s foundational infrastructure and confidential data. The report approximates that API vulnerabilities account for up to $87 billion in yearly losses, marking a $12 billion uptick from 2021. This spike can be attributed to various causes, including swift API adoption, lack of experience among several API developers, absence of standardized security protocols, and inadequate collaboration between development and security teams.
Bot Attacks: An Ongoing and Evolving Menace
Parallel to the surge in API attacks, bot attacks have transformed into a widespread and financially burdensome menace, leading to potential annual losses of up to $116 billion. Bots—automated software tools devised to execute specific functions—are often weaponized for malicious activities like credential stuffing, web scraping, online fraud, and distributed denial-of-service (DDoS) attacks.
In 2022, security breaches linked to bots soared by 88%, followed by an additional 28% escalation in 2023. This dramatic rise was fueled by multiple factors, including the increased frequency of digital transactions, proliferation of APIs, and geopolitical tensions like the Russia-Ukraine conflict. The wide availability of attack mechanisms and generative AI models has notably elevated bot evasion techniques, empowering even entry-level attackers to orchestrate sophisticated bot attacks.
Imperva highlights that bots now pose a substantial threat to API security. Last year, 30% of all API attacks were instigated by automated threats, with 17% specifically attributed to bots exploiting vulnerabilities in business logic. The mounting reliance on APIs—and their direct link to sensitive data—has rendered them inviting targets for bot operators. Automated API exploitation alone costs businesses up to $17.9 billion annually. As bots evolve, attackers increasingly use them to manipulate API business logic, sidestep security controls, and siphon off confidential information, making detection and mitigation harder for the organizations affected.
High-Risk Profiles: Large Enterprises in the Crosshairs
Large corporations, especially those with annual revenues exceeding $1 billion, face significantly heightened susceptibility to API and bot attacks. Per the report, these enterprises are 2-3 times more likely to experience automated API exploitation by bots compared to small or mid-scale businesses. This elevated risk stems primarily from the intricacy and scale of their digital frameworks.
Such companies typically oversee hundreds or even thousands of APIs spanning various departments and services, which culminates in sprawling API ecosystems that present monitoring and security challenges. Within these settings, shadow APIs, unauthenticated APIs, and outdated APIs constitute major vulnerabilities. These mishandled APIs frequently lack essential security measures, such as routine updates, authentication protocols, and ongoing surveillance, rendering them susceptible to exploitation.
Likewise, large enterprises make ideal targets for bot attacks owing to their expansive digital presence and valuable assets. The more intricate the digital landscape, the higher the number of potential entryways for bots to exploit, ranging from login interfaces to checkout processes. With massive datasets coursing through their applications and APIs, these organizations present prime hunting grounds for bot perpetrators.
The risks are even more accentuated for enterprises with annual revenues surpassing $100 billion, where API insecurities and bot attacks account for nearly 26% of all security incidents. This glaring statistic underscores the imperative requirement for comprehensive API security and bot oversight approaches in expansive corporations, where any security breach could trigger operational disruptions, substantial financial repercussions, and lasting reputational harm.
Mitigating API and Bot Exposure
Combined, the vulnerabilities tied to insecure APIs and automated bot manipulation culminate in annual losses worth billions of dollars. With organizations increasingly reliant on APIs for fostering digital innovation, the likelihood of security breaches is anticipated to soar, exposing businesses to heightened financial and reputational risks. Concurrently, the evolution of bots, frequently powered by generative AI, has exacerbated the complexity of thwarting these threats.
To effectively circumvent these risks, Imperva advocates that organizations undertake the following proactive measures:
- Promote cross-functional collaborations: Fostering cooperation between security and development teams is critical to integrating security measures across the API lifecycle. This coalition ensures that security features are intertwined from conception to implementation, facilitating the proactive detection and mitigation of vulnerabilities before they are exploited. When it comes to managing bots, this collaboration should expand further. The challenge posed by bots spans multiple business areas. To effectively combat them, teams from marketing, e-Commerce, customer service, IT, Line of Business, and security must collaborate closely. This collective effort assists in identifying vulnerable functionalities, such as login interfaces, financial transactions, and forms, which are particularly prone to bot manipulations.
- Thorough API exploration and monitoring: Organizations must have complete oversight of all their APIs, encompassing shadow, outdated, and unauthenticated APIs, to ensure no security gaps go unnoticed. Consistent monitoring and auditing are essential for pinpointing potential vulnerabilities before they are exploited.
- Integrate API security and bot management: Combining bot monitoring and API security measures is imperative for effectively combating automated threats targeted at API repositories. This holistic strategy aids in identifying weak APIs, unceasingly monitoring for automated attacks, and providing actionable insights for swift identification and response. By merging bot oversight with API security, firms can enhance their defenses against advanced automated threats while gaining enhanced visibility for identifying and mitigating risks before they escalate into security crises.
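The discovery and monitoring measures above (complete oversight of shadow, outdated and unauthenticated APIs, plus continuous monitoring for automated traffic) can be started with a simple reconciliation of the documented API inventory against observed traffic. The following is an added example written for this article, not code from Imperva or the report: it parses a few constructed access-log lines, matches each request against an assumed inventory of path templates with `requires_auth` and `deprecated` attributes, and reports undocumented (shadow) endpoints, successful unauthenticated calls to endpoints that require authentication, deprecated endpoints still receiving traffic, and clients whose request volume exceeds a per-window threshold. The log format, endpoint names, attribute names and the threshold are all assumptions for the illustration.

```python
"""
Added example (not from the Imperva report or this article): reconcile a
documented API inventory against observed traffic to surface shadow,
unauthenticated and deprecated endpoints, and flag clients whose request
volume looks automated. All data below is constructed; the inventory shape,
attribute names and thresholds are assumptions, not a real product's format.
"""
from collections import Counter
import re

# Assumed inventory: path template -> metadata a security team would maintain.
INVENTORY = {
    "/v2/accounts/{id}": {"requires_auth": True, "deprecated": False},
    "/v2/orders": {"requires_auth": True, "deprecated": False},
    "/v1/orders": {"requires_auth": True, "deprecated": True},
    "/v2/health": {"requires_auth": False, "deprecated": False},
}

# Constructed access-log sample: client_ip method path status auth_header_present
SAMPLE_LOGS = """\
10.0.0.5 GET /v2/accounts/1001 200 yes
10.0.0.5 GET /v2/orders?page=1 200 yes
10.0.0.7 GET /v1/orders 200 yes
10.0.0.8 POST /v2/orders 201 yes
10.0.0.9 GET /v2/accounts/1001 200 no
10.0.0.9 GET /v2/accounts/1002 200 no
10.0.0.9 GET /v2/accounts/1003 200 no
10.0.0.9 GET /v2/accounts/1004 200 no
10.0.0.9 GET /v2/accounts/1005 200 no
10.0.0.9 GET /internal/export 200 no
10.0.0.9 GET /v2/health 200 no
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (yes|no)$")


def parse_log(text):
    """Turn the constructed log format into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, auth = m.groups()
        events.append({"ip": ip, "method": method, "path": path,
                       "status": int(status), "authed": auth == "yes"})
    return events


def _template_to_regex(template):
    """'{name}' placeholders match exactly one non-empty path segment; other
    segments are matched literally (escaped, so '.' and similar are safe)."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def match_template(path, inventory=INVENTORY):
    """Return the documented template a request path belongs to, or None (shadow)."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for template in inventory:
        if _template_to_regex(template).match(path):
            return template
    return None


def reconcile(events, inventory=INVENTORY, rate_threshold=5):
    """Produce the findings a monitoring job would hand to the API security team.

    rate_threshold is the assumed maximum number of requests one client may
    make within the sampled window before it is flagged as likely automated.
    """
    shadow, unauthenticated, deprecated_in_use, per_client = (
        Counter(), Counter(), Counter(), Counter())
    for ev in events:
        per_client[ev["ip"]] += 1
        tpl = match_template(ev["path"], inventory)
        if tpl is None:
            shadow[ev["path"].split("?", 1)[0]] += 1  # undocumented endpoint
            continue
        meta = inventory[tpl]
        # A successful (non-4xx/5xx) call without credentials to an endpoint
        # that is documented as requiring them is a broken-auth finding.
        if meta["requires_auth"] and not ev["authed"] and ev["status"] < 400:
            unauthenticated[tpl] += 1
        if meta["deprecated"]:
            deprecated_in_use[tpl] += 1  # outdated API still receiving traffic
    high_rate = {ip: n for ip, n in per_client.items() if n > rate_threshold}
    return {
        "shadow": dict(shadow),
        "unauthenticated": dict(unauthenticated),
        "deprecated_in_use": dict(deprecated_in_use),
        "high_rate_clients": high_rate,
    }


if __name__ == "__main__":
    for finding, detail in reconcile(parse_log(SAMPLE_LOGS)).items():
        print(f"{finding}: {detail}")
```

In practice the inventory would be generated from the OpenAPI specifications or gateway configuration rather than hand-written, and the log events would come from the gateway or WAF; the reconciliation logic stays the same. The rate check is deliberately crude and only illustrates the "continuous monitoring for automated attacks" point; production bot detection weighs many more signals than request count.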
As API infrastructures expand and bots grow more sophisticated, the cost of inattention will only escalate. Organizations must confront the security challenges associated with APIs and bots to safeguard valuable data, minimize financial losses, and uphold their brand reputation.
