Enterprises are losing between $94 billion and $186 billion a year to vulnerable or insecure APIs (Application Programming Interfaces) and automated abuse by bots. The Economic Impact of API and Bot Attacks, a study from Imperva, a Thales company, finds that these two threats account for up to 11.8% of global cyber incidents and losses, underscoring the growing danger they pose to businesses worldwide.
Drawing on analysis by the Marsh McLennan Cyber Risk Intelligence Center, the report examines more than 161,000 distinct cybersecurity incidents. The findings show a worrying trend: the risks from vulnerable APIs and automated bot abuse are becoming more interconnected and more widespread. Imperva warns that organizations which ignore these threats face substantial financial losses and reputational damage.
API Adoption and the Expanding Attack Surface
APIs have become essential to modern business, enabling applications and services to communicate and exchange data. They power everything from mobile apps to online marketplaces and open banking. Their widespread adoption, however, has introduced significant security challenges. According to Imperva Threat Research, the average enterprise managed 613 API endpoints in production last year, and that number is expected to grow as organizations rely more heavily on APIs for digital transformation and innovation.
This growing dependence on APIs has substantially expanded the attack surface: API-related security incidents rose by 40% in 2022 and by a further 9% in 2023. These attacks are especially dangerous because APIs often provide direct access to an organization's core infrastructure and sensitive data. The report estimates that vulnerable APIs account for up to $87 billion in annual losses, an increase of $12 billion over 2021. The trend is attributed to several factors: the rapid rollout of APIs, limited security experience among many API developers, the absence of widely adopted security standards, and poor collaboration between development and security teams.
Bot Attacks: A Widespread and Evolving Threat
Alongside the surge in API attacks, bot attacks have become a widespread and costly threat, accounting for up to $116 billion in annual losses. Bots, automated software built to perform specific tasks, are frequently repurposed for malicious activity such as credential stuffing, web scraping, online fraud, and distributed denial-of-service (DDoS) attacks.
In 2022, security incidents attributed to bots rose by 88%, followed by a further 28% increase in 2023. This escalation was driven by several factors, including growth in digital transactions, the proliferation of APIs, and geopolitical tensions such as the Russia-Ukraine conflict. The wide availability of attack tooling and generative AI models has markedly improved bot evasion techniques and has enabled even moderately skilled attackers to run sophisticated bot campaigns.
According to Imperva, bots are now among the most serious threats to API security. Last year, 30% of all API attacks were driven by automated threats, and 17% involved bots exploiting business logic vulnerabilities. Growing reliance on APIs, together with the direct access they provide to sensitive data, has made them prime targets for bot operators. Automated API abuse alone now costs businesses up to $17.9 billion annually. As bots become more sophisticated, attackers increasingly use them to abuse API business logic, bypass security controls, and exfiltrate sensitive data, making detection and mitigation harder for enterprises.
Large Enterprises at Greater Risk
Large enterprises, particularly those with annual revenues above $1 billion, face a markedly higher risk of API and bot attacks. According to the report, these organizations are 2-3 times more likely to experience automated API abuse by bots than small or mid-size businesses, largely because of the complexity and scale of their digital infrastructure.
Such organizations typically manage hundreds or even thousands of APIs across multiple business units and services, producing sprawling API ecosystems that are hard to inventory and secure. In these environments, shadow APIs, unauthenticated APIs, and deprecated APIs represent significant weaknesses. These neglected APIs often lack basic security controls such as regular updates, authentication, and continuous monitoring, leaving them exposed to exploitation.
Large enterprises are also attractive targets for bot attacks because of their extensive online presence and valuable assets. The more complex the digital environment, the more entry points bots can probe, from login pages to checkout systems. With large volumes of sensitive data flowing through their applications and APIs, these organizations are highly attractive targets for bot operators.
The risk is even greater for enterprises with annual revenues above $100 billion, where API security issues and bot attacks account for as much as 26% of all security incidents. This underscores the need for comprehensive API security and bot management strategies in large enterprises, where a breach can cause serious operational disruption, significant financial losses, and lasting reputational harm.
Defending Against API and Bot Threats
Together, vulnerable or insecure APIs and automated bot abuse cost organizations billions of dollars each year. Growing reliance on APIs to drive digital transformation will increase the likelihood of security incidents, exposing organizations to greater financial and reputational risk. At the same time, bots are evolving, often with the help of generative AI, making them harder to defend against.
To mitigate these risks comprehensively, Imperva recommends that organizations take the following proactive measures:
- Foster cross-functional collaboration: Close cooperation between security and development teams is essential for building security into every phase of the API lifecycle. This ensures that security controls are integrated from design through deployment, so vulnerabilities can be identified and fixed before they are exploited. For bot mitigation, collaboration must extend further. Bots are a multi-faceted problem that affects many parts of the business. Countering them effectively requires teams across marketing, e-commerce, customer experience, IT, lines of business, and security to work closely together. This broader collaboration helps identify the at-risk functionality, such as login pages, checkout flows, and forms, that is most exposed to bot attacks.
- Comprehensive API discovery and monitoring: Organizations need full visibility into all of their APIs, including shadow, deprecated, and unauthenticated APIs, so that nothing is overlooked. Continuous monitoring and assessment are essential to identify likely vulnerabilities before they are exploited.
- Integrate API security and bot management: Bot management and API security must work together to stop automated attacks on API libraries effectively. A combined approach helps identify vulnerable APIs, monitor continuously for automated attacks, and provide actionable insight for rapid detection and response. By integrating bot management with API security, businesses can better defend against sophisticated automated threats while gaining the visibility to detect and mitigate risks before they cause a breach.
As API environments keep expanding and bots grow more advanced, the cost of inaction will only increase. Organizations must address the security risks of APIs and bots to protect sensitive data, limit financial losses, and safeguard their reputation.
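The discovery and monitoring recommendations above (finding shadow, deprecated and unauthenticated APIs, and watching login endpoints for automated abuse) can be approximated with a small audit over gateway logs. This is an added example, not code from Imperva or the report; the API inventory, log format and the "auth header present" field are constructed assumptions.

```python
from collections import Counter, defaultdict
# Constructed API inventory (hypothetical), modelled on an OpenAPI export:
# which paths exist, whether auth is required, and whether they are retired.
INVENTORY = {
    "/api/v2/login":    {"auth": False, "deprecated": False},
    "/api/v2/orders":   {"auth": True,  "deprecated": False},
    "/api/v1/orders":   {"auth": True,  "deprecated": True},
    "/api/v2/products": {"auth": False, "deprecated": False},
}

# Constructed access-log lines: client method path status auth-header ("-" = none)
LOG = """\
203.0.113.7 POST /api/v2/login 401 -
203.0.113.7 POST /api/v2/login 401 -
203.0.113.7 POST /api/v2/login 401 -
203.0.113.7 POST /api/v2/login 200 -
198.51.100.2 POST /api/v2/login 200 -
198.51.100.2 GET /api/v2/orders 200 bearer
198.51.100.2 GET /api/v1/orders 200 bearer
198.51.100.9 GET /api/v2/orders 200 -
198.51.100.9 GET /api/internal/export 200 -
"""

def parse_log(text):
    """Split each constructed log line into a record dict."""
    records = []
    for line in text.splitlines():
        ip, method, path, status, auth = line.split()
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "auth": auth != "-"})
    return records

def audit_endpoints(inventory, records):
    """Classify observed traffic against the inventory: shadow, deprecated, unauthenticated."""
    findings = defaultdict(set)
    for r in records:
        spec = inventory.get(r["path"])
        if spec is None:
            findings["shadow"].add(r["path"])           # live but absent from the catalogue
        elif spec["deprecated"]:
            findings["deprecated"].add(r["path"])       # retired version still answering
        elif spec["auth"] and not r["auth"] and 200 <= r["status"] < 300:
            findings["unauthenticated"].add(r["path"])  # auth required, bare request succeeded
    return {k: sorted(v) for k, v in findings.items()}

def flag_automated_logins(records, login_path="/api/v2/login", max_failures=2):
    """Clients whose failed logins on the login endpoint exceed max_failures."""
    failures = Counter(r["ip"] for r in records
                       if r["path"] == login_path and r["status"] == 401)
    return sorted(ip for ip, n in failures.items() if n > max_failures)
```

In production the inventory would come from the API gateway or OpenAPI specs and the failure threshold would be tuned per endpoint and time window rather than a fixed count.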
