API vulnerabilities and bot attacks cost businesses nearly $200 billion annually, a study by cybersecurity firm Imperva, a Thales company, has found.
APIs, short for application programming interfaces, enable rapid development, seamless integration, and enhanced user experience, making them a popular choice for modern software development.
However, these attributes make them a popular target for cybercriminals, resulting in billions in losses annually from abuse.
The researchers warned that insecure APIs and attacks by automated scripts expand the attack surface, a problem that escalates as adoption increases and therefore requires urgent attention.
API vulnerabilities and bot attacks are steadily increasing
The Economic Impact of API and Bot Attacks report found that API vulnerabilities increased by 40% in 2022 and a further 9% in 2023, while bot attacks increased by 88% over the same period. Brazil, France, Japan, and India were the most affected countries.
Shadow APIs, which are undocumented endpoints not monitored by cybersecurity teams, averaged about 29 attacks per account. Unauthenticated APIs, which are endpoints requiring no authentication, followed closely at 21 attacks per account.
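Because shadow and unauthenticated endpoints are defined by what the security team does not know about, a practical first step is reconciling observed traffic against the documented API inventory. The script below is an added illustration, not part of the report or of any Imperva tooling; the inventory patterns and the access-log lines are constructed, and a real deployment would load the inventory from an OpenAPI spec or gateway configuration.

```python
import re
from collections import Counter

# Constructed inventory: documented path patterns mapped to whether the
# endpoint requires authentication (False = deliberately public).
INVENTORY = {
    r"^/api/v1/users/\d+$": True,
    r"^/api/v1/products$": False,
}

# Constructed access-log lines in the form: "<account> <method> <path>".
LOG_LINES = """\
acct-1 GET /api/v1/users/42
acct-1 GET /api/v1/products
acct-1 POST /api/v1/internal/export
acct-2 GET /api/v1/products
acct-2 GET /api/v1/products
acct-2 GET /api/v1/legacy/login
acct-2 POST /api/v1/legacy/login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def classify(path):
    """Return 'shadow' if the path matches no documented endpoint,
    'unauthenticated' if it matches an endpoint that requires no auth,
    or None for a documented, authenticated endpoint."""
    for pattern, needs_auth in INVENTORY.items():
        if re.match(pattern, path):
            return None if needs_auth else "unauthenticated"
    return "shadow"

def triage(log_text):
    """Count hits per account for each risk category the report names."""
    findings = {"shadow": Counter(), "unauthenticated": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscount them
        account, _method, path = m.groups()
        kind = classify(path)
        if kind is not None:
            findings[kind][account] += 1
    return findings

if __name__ == "__main__":
    for kind, per_account in triage(LOG_LINES).items():
        print(kind, dict(per_account))
```

Any path that lands in the "shadow" bucket is a candidate for either documentation and monitoring or decommissioning; the "unauthenticated" bucket is the list of public endpoints whose exposure should be confirmed as intentional.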
The study also found that bot-related cybersecurity incidents accounted for 30% of all API attacks, as threat actors continued to invent ways to evade traditional web security.
Reasons for increased API and bot events include the rapid adoption of APIs, lack of collaboration between cybersecurity and software development teams, and inexperienced API developers.
“It would have been interesting to see specific analysis of the economic impact of mobile-originating bots which are a growing threat to APIs,” according to George McGregor, VP at Approov. “These are hard to stop using back-end security techniques because of a lack of visibility to contextual information about [the] use of mobile apps and devices.”
Staggering API and bot attack losses, larger organizations mostly affected
API vulnerabilities accounted for $87 billion in losses, a $12 billion increase from 2021, while bot attacks cost businesses $116 billion. The two figures overlap by $17.9 billion, attributed to automated API attacks, which fall into both categories.
The study, which analyzed more than 161,000 unique cybersecurity incidents, found that larger organizations showed a higher prevalence of insecure APIs and automated attacks.
For example, corporations with more than $1 billion in annual revenue were 2-3 times more likely to experience automated API abuse than their small or mid-sized counterparts. Bot events, however, were a more “evenly distributed risk across revenue buckets” than API events.
“Bot-related events are more common across organizations of varying sizes than API-related events, which tend to become a more significant issue as company revenue size increases,” the report noted.
Nonetheless, bot attacks and API vulnerabilities were a significant problem for organizations of all sizes, “frequently affecting smaller and larger businesses.”
“The analysis emphasizes the pervasive and escalating threat of API and bot attacks across organizations of all sizes,” the researchers warned. “The estimated financial impact of API and bot attacks is staggering, highlighting the urgency of addressing these threats.”
Investment in API security and bot management urgently required
Imperva notes that API use increased revenues and reduced operational costs for 39% and 35% of adopters, respectively. However, many have overlooked API security, and API-related losses have eroded those benefits.
“By investing in comprehensive API security and bot management solutions from the beginning, companies could substantially reduce API-related and bot-related losses, especially as API adoption grows,” the study suggests, noting that a typical enterprise managed roughly 613 API endpoints.
The researchers also noted that the impact of API vulnerabilities and bot attacks extends beyond direct financial losses, potentially resulting in reputation damage and compliance and legal risks.
In addition, API vulnerabilities and automated attacks expanded the attack surface, further straining already overstretched security teams. The growing sophistication of bad bots, 60% of which are classified as evasive, and their use of machine learning to mimic human behavior compounded the problem.
With 99% of organizations adopting APIs and 71% of web traffic originating from APIs, the researchers warned that underinvestment in API security and bot management only allows the problem to fester.
“Consequently, organizations must implement comprehensive security strategies that address both API and bot attacks, with tailored measures to mitigate the specific risks associated with their size and operational complexity,” the researchers concluded.