In recent years, large enterprises have undergone unprecedented digital transformation, driven by the pandemic and a rapid shift to the cloud. Application architectures have changed just as quickly, fundamentally reshaping how organizations operate and enabling them to adapt to evolving market demands and customer expectations. Central to this evolution has been the proliferation of application programming interfaces (APIs), which streamline processes, facilitate integrations, and accelerate innovation. As organizations embrace these new architectures, however, they also take on significant security challenges.
To better understand the financial impact of vulnerable or insecure APIs and of automated abuse by bots, two of the greatest security threats facing large enterprises today, Imperva, a Thales company, engaged the Marsh McLennan Cyber Risk Intelligence Center to quantify the cost of API- and bot-related security incidents. Analysis of more than 161,000 cybersecurity incidents indicates that these threats could cost businesses up to $186 billion annually. It also found that larger organizations, specifically those with revenue exceeding $100 billion, tend to have a higher share of security incidents involving insecure APIs, and likewise a higher share involving bot attacks, than organizations in smaller revenue brackets.
The Correlation Between Increased Revenue and API Attacks
APIs have become omnipresent, enabling integration and data exchange among applications. Large enterprises rely on them to accelerate innovation, improve collaboration, and enhance the customer experience. But this reliance carries cost and risk. Enterprises with revenues exceeding $100 billion face the highest risk of API attacks of any revenue bracket: an estimated 18% of their cyber incidents are due to vulnerable or insecure APIs.
The rapid adoption of APIs (the average enterprise had 613 API endpoints in 2023, according to Imperva Threat Research), the inexperience of many API developers, and the lack of collaboration between development and security teams together create security issues. Security teams do not always have visibility into the APIs that development teams push to production, which limits their ability to ensure that proper security measures are in place. It is no wonder that API-related incidents rose 40% from 2021 to 2022 and a further 9% in 2023. Today, vulnerable or insecure APIs result in up to $87 billion in losses annually, a $12 billion increase from 2021.
Why Bad Bots Are Targeting Large Enterprises
The widespread availability of attack tooling and artificial intelligence has changed bot attacks, enabling even low-skilled attackers to launch sophisticated campaigns against multiple businesses simultaneously. Consequently, bot-related security incidents rose 88% in 2022 and 28% in 2023.
For companies with revenues over $100 billion, up to 14% of cyber incidents are linked to bad bots, the highest rate of any revenue bracket. The reason is straightforward: large enterprises have an extensive digital presence and extremely valuable assets. They are attractive targets for bot operators conducting web scraping, brute-force login attempts, digital ad fraud, denial-of-service attacks, and more. These activities consume bandwidth, slow servers, and steal sensitive data, resulting in financial and reputational damage.
Why Large Organizations Should be Concerned About API Abuse
Attacks on APIs and automated abuse by bots are damaging enough on their own. Combined, they are a troubling partnership.
Bots have emerged as one of the most significant threats to API security. Last year, automated attacks accounted for 30% of all API attacks, with 17% directly linked to bots exploiting business logic vulnerabilities. Because APIs provide direct access to sensitive data, the increasing reliance on them has made organizations a target for these automated attacks, and automated API abuse now costs businesses up to $17.9 billion per year. The problem is particularly pronounced in large enterprises, which are two to three times more likely to experience automated API abuse by bots than small or mid-size businesses. In organizations with revenues exceeding $100 billion, API- and bot-related attacks together account for up to 26% of all cyber incidents.
As API usage expands, malicious actors use bad bots against these interfaces to manipulate business logic, evade security controls, and steal sensitive information. Because bad bots mimic legitimate user behavior, they are difficult to detect and mitigate. Successful attacks can have serious impacts on organizations, such as:
- Financial Losses: Automated attacks, such as credential stuffing, fake account creation, and data scraping, can directly lead to unauthorized transactions and data breaches, resulting in both immediate theft and long-term costs related to regulatory penalties and customer compensation.
- Operational Costs: Responding to an automated attack on an API consumes extensive resources: investigating the breach, mitigating the ongoing threat, restoring normal operations, and deploying additional security and support measures for those affected. That investment detracts from critical business functions.
- Reputational Damage: Organizations suffer significant reputational damage when they fall victim to these attacks. Customers expect their data to be protected, and any perceived failure can lead to a loss of trust and to customers taking their business elsewhere. Partners and stakeholders may also question the organization's reliability, affecting partnerships and future opportunities.
- Compliance and Legal Risks: Data breaches resulting from automated attacks can expose organizations to lawsuits, fines, and other legal action. Compliance violations can be particularly damaging, as they bring financial penalties and corrective actions that require additional resources and time.
The Need for Enhanced API and Bot Protection Measures as Companies Grow
As organizations grow and expand their API usage, the complexity of their ecosystems increases, making them attractive targets for cybercriminals. The largest enterprises are the most exposed to API and bot incidents: vulnerable or insecure APIs and automated abuse by bots account for as many as one in four of their cyber incidents.
Organizations need to implement comprehensive security strategies that address both API and bot threats, such as:
- Encourage cross-departmental teamwork: Security and development teams must collaborate closely throughout the entire API lifecycle. This partnership ensures that security is built into every phase, from initial design to deployment, allowing vulnerabilities to be found and fixed early. For bot management, the collaboration must be broader still. Bots are a multifaceted problem that touches many parts of the business, so marketing, eCommerce, customer experience, IT, business units, and security all need to be involved. Such cooperation helps pinpoint the elements most at risk from bot attacks, such as login pages, checkout workflows, and forms.
- Holistic API discovery and oversight: Organizations need complete visibility over all of their APIs, including shadow, deprecated, and unauthenticated APIs, so that none are missed. Ongoing monitoring and audits are key to uncovering potential vulnerabilities before they can be exploited.
- Combine API and bot management: To counter automated threats to APIs effectively, bot management must be integrated with API security. A combined approach identifies at-risk APIs, monitors them continuously for automated attacks, and provides actionable insight for quick detection and response. By unifying bot management and API security, businesses strengthen their defenses against advanced automated threats and improve their ability to detect and mitigate risks before they escalate into security incidents.
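The following added example (written for this page, not Imperva's or Thales's code) shows in miniature what the "holistic API discovery" and "combine API and bot management" recommendations above mean in practice, and how the bot behaviors described earlier (credential stuffing, data scraping by ID enumeration) look in API traffic. It reads constructed API gateway log lines, builds an inventory of the endpoints actually being served, compares it with a declared spec (the DECLARED table is an assumed, hand-written stand-in for an OpenAPI-derived inventory) to flag shadow, deprecated, and unauthenticated-but-protected endpoints, and then scores each client for automation signals. The log format, thresholds, IP addresses, and usernames are all assumptions for the demonstration.

```python
"""Added example (not from the original article): API discovery plus bot signals over access logs."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). One record per line:
#   <epoch_sec> <client_ip> <method> <path> <status> <auth> <user>
# auth is "auth" when an Authorization header was present, "-" otherwise;
# user is the username submitted on login attempts, "-" elsewhere.
SAMPLE_LOG = """\
100 203.0.113.7 POST /api/v1/login 401 - alice
101 203.0.113.7 POST /api/v1/login 401 - bob
102 203.0.113.7 POST /api/v1/login 401 - carol
103 203.0.113.7 POST /api/v1/login 401 - dave
104 203.0.113.7 POST /api/v1/login 200 - erin
100 198.51.100.9 GET /api/v1/users/1001 200 auth -
101 198.51.100.9 GET /api/v1/users/1002 200 auth -
102 198.51.100.9 GET /api/v1/users/1003 200 auth -
103 198.51.100.9 GET /api/v1/users/1004 200 auth -
104 198.51.100.9 GET /api/v1/users/1005 200 auth -
110 192.0.2.20 GET /api/v1/products 200 - -
115 192.0.2.20 POST /api/v1/login 200 - frank
120 192.0.2.20 GET /api/v1/users/2042 200 auth -
130 192.0.2.21 GET /api/v1/users/77 200 - -
131 192.0.2.21 GET /internal/debug/config 200 - -
132 192.0.2.21 GET /api/v0/legacy/export 200 auth -
"""

# Assumed declared inventory, as a security team might derive it from an OpenAPI spec.
DECLARED = {
    ("POST", "/api/v1/login"): {"auth_required": False, "deprecated": False},
    ("GET", "/api/v1/products"): {"auth_required": False, "deprecated": False},
    ("GET", "/api/v1/users/{id}"): {"auth_required": True, "deprecated": False},
    ("GET", "/api/v0/legacy/export"): {"auth_required": True, "deprecated": True},
}

ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)


def normalize(path):
    """Collapse numeric/UUID segments into {id} so /users/1001 and /users/1002 count as one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, ip, method, path, status, auth, user = line.split()
        records.append({"ts": int(ts), "ip": ip, "method": method, "path": path,
                        "template": normalize(path), "status": int(status),
                        "authed": auth == "auth", "user": None if user == "-" else user})
    return records


def inventory_findings(records):
    """Discovery step: shadow endpoints, deprecated endpoints still in use, and auth gaps."""
    seen = defaultdict(lambda: {"hits": 0, "unauth_ok": 0})
    for r in records:
        key = (r["method"], r["template"])
        seen[key]["hits"] += 1
        if not r["authed"] and r["status"] == 200:
            seen[key]["unauth_ok"] += 1
    findings = []
    for key, stats in seen.items():
        spec = DECLARED.get(key)
        if spec is None:                      # served in production, absent from the spec
            findings.append(("shadow_endpoint", key, stats["hits"]))
            continue
        if spec["deprecated"]:                # retired on paper, still answering requests
            findings.append(("deprecated_in_use", key, stats["hits"]))
        if spec["auth_required"] and stats["unauth_ok"]:   # 200 without any credential
            findings.append(("auth_gap", key, stats["unauth_ok"]))
    return sorted(findings)


def bot_findings(records, window=10, rate_limit=4, min_users=4, min_run=4):
    """Bot step: per-client signals that a human using the same API rarely produces."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        # Burst rate: more than rate_limit requests inside any sliding window of `window` seconds.
        j = 0
        for i in range(len(rs)):
            while rs[i]["ts"] - rs[j]["ts"] > window:
                j += 1
            if i - j + 1 > rate_limit:
                findings.append(("burst_rate", ip))
                break
        # Credential stuffing: many distinct usernames tried at login, mostly failing.
        logins = [r for r in rs if r["method"] == "POST" and r["template"] == "/api/v1/login"]
        users = {r["user"] for r in logins if r["user"]}
        failures = sum(1 for r in logins if r["status"] == 401)
        if len(users) >= min_users and failures >= len(logins) // 2:
            findings.append(("credential_stuffing", ip))
        # Enumeration/scraping: consecutive numeric ids requested in order on an {id} endpoint.
        ids = [int(r["path"].rsplit("/", 1)[1]) for r in rs
               if r["template"].endswith("{id}") and r["path"].rsplit("/", 1)[1].isdigit()]
        run = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                findings.append(("id_enumeration", ip))
                break
    return sorted(findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in inventory_findings(recs) + bot_findings(recs):
        print(f)
```

Run against the sample, the discovery step reports the undocumented `/internal/debug/config` endpoint, the deprecated `/api/v0/legacy/export` still receiving traffic, and a 200 response from the auth-required users endpoint with no credential; the bot step flags 203.0.113.7 for credential stuffing and 198.51.100.9 for sequential ID enumeration (both also trip the burst threshold), while the ordinary client 192.0.2.20 is left alone. The thresholds are deliberately low to suit a sixteen-line sample; in production they would be tuned per endpoint, and the two sets of findings would be correlated so that an automation signal against an undocumented or unauthenticated endpoint is treated as the highest-priority case.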
Proactive, adaptive measures are essential to protect against automated attacks. As the digital landscape keeps expanding, organizations must prioritize security to safeguard their valuable assets and maintain the trust of their customers.
By: Erez Hasson