Threat intelligence firm Imperva quantified the cost of cybersecurity incidents caused by the lack of API security. An application programming interface (API) refers to the software that allows seamless data exchange between applications.
The study analyzed 117,000 cybersecurity incidents and discovered that API insecurity was responsible for annual losses of between $41-75 billion globally and $12-23 billion in the US.
The researchers noted that threat actors exfiltrated sensitive data by leveraging API calls to bypass network security and target underlying infrastructure. Thus, APIs offer an alternative attack route because they connect directly to backend systems.
However, unlike enterprise web applications, APIs typically lack multiple layers of application security, which leaves them exposed to broken object-level authorization (BOLA): an endpoint that authenticates the caller but never checks whether the caller owns the object being requested. This situation allows attackers to bypass authentication/authorization controls and access restricted resources.
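Broken object-level authorization in its simplest form, as an added example that is not part of the Imperva study: a toy invoice endpoint that authenticates the caller but returns any invoice by id, beside the same endpoint with the ownership check enforced. The data store, user records and handler names are constructed for illustration.

```python
"""Broken object-level authorization (BOLA) on a toy invoice API.

Added example, not Imperva's code. The in-memory store, the Caller and
Invoice records and the handler names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


@dataclass(frozen=True)
class Caller:
    user_id: int
    authenticated: bool = True


# Constructed sample data: two tenants, three invoices.
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=12_000),
    102: Invoice(102, owner_id=1, amount_cents=4_500),
    201: Invoice(201, owner_id=2, amount_cents=99_000),
}


def get_invoice_vulnerable(caller: Caller, invoice_id: int) -> dict:
    """Authenticates the caller but never checks object ownership.

    Any logged-in user can read any invoice simply by supplying its id;
    this is the BOLA pattern the article describes.
    """
    if not caller.authenticated:
        return {"status": 401}
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "invoice": inv}


def get_invoice_hardened(caller: Caller, invoice_id: int) -> dict:
    """Same endpoint with object-level authorization enforced.

    The ownership check runs on every object read. A foreign object is
    reported as 404 rather than 403 so the response does not confirm to
    the caller that the object exists at all.
    """
    if not caller.authenticated:
        return {"status": 401}
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller.user_id:
        return {"status": 404}
    return {"status": 200, "invoice": inv}


if __name__ == "__main__":
    other_tenant = Caller(user_id=2)
    print("vulnerable:", get_invoice_vulnerable(other_tenant, 101)["status"])
    print("hardened:  ", get_invoice_hardened(other_tenant, 101)["status"])
```

The fix is not an extra layer in front of the API but a check inside the handler, on the object itself: scope every lookup to the authenticated principal, and treat a mismatch the same as a missing record.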
Quantifying the API security cyber loss
Imperva estimated the total cyber loss, which represents any damage, loss, claim or cost directly or indirectly attributed to a cyber incident.
Accordingly, the baseline figures were an average annual cyber loss of $300 billion in the U.S., a global total annual cyber loss of $1 trillion, and an average yearly global insured cyber loss of $5 billion.
With an incident frequency of 4.1-7.5%, the effective cyber loss was $12-23 billion in the US, $41-75 billion globally, while the average annual API-related global insured cyber loss was $205-376 million.
“These estimates provide a view on losses that are entirely avoidable,” the researchers wrote. “If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”
Large organizations are more vulnerable to API-related cybersecurity incidents
On average, API security incidents accounted for 1 in every 13 cybersecurity incidents globally. However, the number of API-related cybersecurity incidents depends on the industry, the size of the organization, and the geographical location.
According to the study, larger organizations experienced more frequent API-related cybersecurity incidents than their medium- and small-sized counterparts. For example, organizations with annual revenues of over $100 billion experienced 3-4 times more API-related cybersecurity incidents than average. These companies attributed 1 of 4 or 25% of their cybersecurity incidents to API security.
While larger companies had higher frequencies, most API security incidents occurred in companies with annual revenues of less than $50 million.
The researchers explained that the higher frequency of API-related cybersecurity incidents targeting large companies resulted from the digital transformation, with larger organizations leading the pack in the adoption of technology.
Geographically, the United States suffered more API cybersecurity incidents than any other country. The US experienced 9x more API attacks than the next country, the United Kingdom, and 57% of all API attacks occurred there. Like larger organizations, the US depends on complex software systems and is digitally mature, thus attracting more API attacks.
Although the US suffered more API attacks than other countries, the proportion of similar attacks in the North American region was much lower than in other locations. The researchers attributed the small percentage of API attacks in North America to the large volume of other cybersecurity incidents in the region, including ransomware.
On average, most countries experienced a frequency of 3-6%, with the Netherlands experiencing the highest rate of 18-24%.
By industry, the top API security incident victims were IT and Information (18-23%), Professional Services (10-15%), and Retail (6-12%). In Manufacturing, Transportation, and Utilities, API security incidents accounted for 4-6% of cybersecurity incidents.
The report demonstrated that the API adoption rate was an indicator of related cybersecurity incidents and associated costs based on the victim characteristics.
Improving API security to reduce costs and protect data
Imperva advised businesses to enhance data security by taking stock of their API inventories and understanding and classifying the information flowing through them.
Similarly, automating the discovery of underlying APIs would eliminate rogue or shadow APIs. Additionally, it would assist the security team in taking stock of API inventory and create visibility for development teams.
The researchers also advised highly regulated industries to adopt API governance by monitoring endpoints beyond their organizations. Additionally, they should monitor the data flowing through them to ensure that sensitive information is protected.
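One way to automate the API discovery and endpoint monitoring recommended above, as an added example that is not Imperva's tooling: compare the routes actually observed in gateway access logs against the documented inventory, so that rogue or shadow endpoints surface as routes with traffic but no owner. The inventory, the log format and the log lines are constructed for illustration.

```python
"""Shadow API discovery from access logs against a documented inventory.

Added example, not Imperva's code. The inventory, the access-log format
and the log lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Set, Tuple

Route = Tuple[str, str]  # (HTTP method, path template)

# Documented inventory, e.g. extracted from an OpenAPI spec (constructed).
INVENTORY: Set[Route] = {
    ("GET", "/v1/users/{id}"),
    ("GET", "/v1/users/{id}/invoices"),
    ("POST", "/v1/invoices"),
}

# Constructed gateway access-log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /v1/users/42 200
GET /v1/users/42/invoices 200
GET /v1/users/43/invoices 200
POST /v1/invoices 201
GET /v1/internal/export?all=true 200
GET /v1/internal/export 200
GET /v1/users/7/ssn 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Path segments that look like object identifiers (integers or UUIDs).
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def normalize_path(path: str) -> str:
    """Strip the query string and collapse id-like segments to '{id}'
    so that /v1/users/42 and /v1/users/43 count as one route."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if ID_SEGMENT.match(p) else p for p in path.split("/")]
    return "/".join(parts)


def observed_routes(log_text: str) -> Counter:
    """Count requests per (method, template) route; skip unparseable lines."""
    routes: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        routes[(m["method"], normalize_path(m["path"]))] += 1
    return routes


def shadow_routes(log_text: str, inventory: Set[Route] = INVENTORY) -> Dict[Route, int]:
    """Routes that carry traffic but are absent from the inventory."""
    return {r: n for r, n in observed_routes(log_text).items() if r not in inventory}


if __name__ == "__main__":
    for (method, template), hits in sorted(shadow_routes(ACCESS_LOG).items()):
        print(f"SHADOW {method} {template} ({hits} requests)")
```

Run on a real gateway export the same comparison gives the security team the inventory the article calls for and gives developers a list of endpoints they have to either document or retire. Routes that carry sensitive fields in their paths (here the constructed `/ssn` route) are the ones to classify first.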
“The rising costs associated with API insecurity correlate with the reality that many organizations simply don’t have the right tools in place to monitor and protect their API ecosystems,” Lebin Cheng, Vice President, API Security at Imperva, said. “What’s more, even if organizations think they have the right defenses in place, they’re not protecting the underlying data, which is ultimately a cybercriminal’s target.”
Cheng proposed a mutual working relationship between cybersecurity professionals and developers, along with integrating tools that can be embedded in the development cycle.