Imperva has released “Quantifying the Cost of API Insecurity”, a new study that exposes the rising global costs of vulnerable or insecure APIs.
The study by the Marsh McLennan Cyber Risk Analytics Center found that larger organizations were statistically more likely to have a higher percentage of API-related incidents. Companies with at least $100 billion in revenue were three to four times more likely to experience API insecurity than small or medium-sized businesses.
The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation.
An API is the invisible connective tissue that lets applications share data to improve end-user experiences and outcomes. The number of APIs used by businesses is growing rapidly: nearly half of all companies have between 50 and 500 APIs deployed internally or publicly, and some have more than a thousand active APIs.
Many APIs connect directly to backend databases where sensitive data is stored. As a result, attackers are increasingly using APIs as a path to the underlying infrastructure in order to exfiltrate sensitive information. Today, as many as 1 in 13 cyber incidents can be attributed to API insecurity, and as the number of APIs in production increases, this share is expected to grow in the coming years.
The study also found significant differences between industries. IT, professional services, and retail are most likely to suffer from API-related security incidents:
Estimated percentage of incidents caused by API insecurity:
IT and information: 18% – 23%
Professional services: 10% – 15%
Retail: 6% – 12%
Production: 4% – 6%
Transport: 4% – 6%
Utilities: 4% – 6%
Finance and insurance: 2% – 4%
Education services: 2% – 3%
Healthcare: 0.5% – 1%
“The findings of this report highlight that it can be very costly for companies that lack a strategy to address API security,” said Reinhart Hansen, director of technology, Office of the CTO, Imperva.
“It’s also related to the fact that many organizations simply don’t have the right tools to monitor and mitigate the growing number of API-related security threats,” he says.
“To address this, organizations must first understand all the APIs in their environment and the underlying data associated with them, which is ultimately the target of cybercriminals.”
Asia was found to have a relatively high incident rate compared with other regions, with between 16% and 20% of cybersecurity events related to API insecurity. This is likely due to the rapid digital transformation taking place in Asia, particularly on mobile, since most digital transactions there are carried out via mobile apps.
Australia, reported separately from Asia, was also found to have a relatively high incident rate, with between 12% and 16% of cybersecurity events related to API insecurity. This is likely because Australian companies with complex software supply chains are generally more innovative and digitally mature.
These factors can increase both the volume of APIs in use and the amount of data flowing through them, increasing the likelihood of an API-related event.
Recommendations for improving API security:
Identify and classify data flowing through each API: Visibility is critical to understanding the full schema of each API and identifying and organizing the data flowing through it, so that risk can be assessed.
Automate discovery: APIs are produced quickly and modified frequently, making them a blind spot for many organizations. Automated discovery allows organizations to find and eliminate rogue or shadow APIs. In addition, by automating the API inventory, the security team can see when developers change APIs in production.
Enable API governance: An API governance model is critical for organizations in highly regulated industries. This is only possible with visibility beyond the API endpoint, into the underlying payload, so that sensitive data can be adequately protected.
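The two recommendations above, automated discovery of shadow APIs and classification of the data each API carries, can be illustrated with a small inventory-building script. The following is an added example, not code from the study or from Imperva: it assumes a constructed set of documented endpoints (the shape an OpenAPI paths section would give you), a constructed sample of JSON-lines gateway access logs, and simple regular-expression classifiers for e-mail addresses, US SSN-style identifiers and Luhn-valid card numbers. It normalises observed paths to route templates, flags every method/route pair that is not in the documented inventory, and records which data classes flowed through each endpoint so that undocumented endpoints carrying sensitive data can be prioritised.

```python
"""Added example: build an API inventory from access logs, flag shadow APIs,
and classify the data observed in responses. All inputs below are constructed."""
import json
import re
from collections import defaultdict

# Constructed inventory: the (method, route template) pairs the team believes
# are in production, as they would appear in an OpenAPI document.
DOCUMENTED_API = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
}

# Constructed access-log sample in JSON-lines form, one record per request,
# with the response body captured by a hypothetical gateway.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"method": "GET", "path": "/v1/users/1042", "status": 200,
     "body": {"email": "ann@example.com", "name": "Ann"}},
    {"method": "POST", "path": "/v1/orders", "status": 201,
     "body": {"order_id": 77, "total": 19.99}},
    {"method": "GET", "path": "/v1/orders/77?expand=payment", "status": 200,
     "body": {"order_id": 77, "card": "4111111111111111"}},
    {"method": "GET", "path": "/internal/export/users", "status": 200,
     "body": {"rows": [{"email": "bob@example.com", "ssn": "078-05-1120"}]}},
    {"method": "DELETE", "path": "/v1/users/1042", "status": 204, "body": ""},
])

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")


def normalize_path(path: str) -> str:
    """Drop the query string and replace numeric or UUID segments with {id},
    so /v1/users/1042 and /v1/users/7 collapse onto one route template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitive data classes found in a serialised payload."""
    classes = set()
    if EMAIL_RE.search(text):
        classes.add("email")
    if SSN_RE.search(text):
        classes.add("ssn")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        classes.add("payment_card")
    return classes


def build_inventory(log_text: str, documented: set) -> dict:
    """Map each observed (method, route) to call count, documented flag and
    the data classes seen in its responses."""
    inventory = defaultdict(lambda: {"documented": False, "calls": 0, "data_classes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["method"].upper(), normalize_path(rec["path"]))
        entry = inventory[key]
        entry["documented"] = key in documented
        entry["calls"] += 1
        entry["data_classes"] |= classify_text(json.dumps(rec.get("body", "")))
    return dict(inventory)


def shadow_apis(inventory: dict) -> list:
    """Endpoints seen in traffic but absent from the documented inventory."""
    return sorted(k for k, v in inventory.items() if not v["documented"])


def high_risk_shadow_apis(inventory: dict) -> list:
    """Shadow endpoints that were observed carrying classified sensitive data."""
    return sorted(k for k, v in inventory.items()
                  if not v["documented"] and v["data_classes"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG, DOCUMENTED_API)
    for (method, route), v in sorted(inv.items()):
        flag = "documented" if v["documented"] else "SHADOW"
        print(f"{method:6} {route:26} {flag:10} calls={v['calls']} "
              f"data={sorted(v['data_classes'])}")
```

Run against real traffic, the interesting output is the intersection the last function computes: an endpoint nobody documented that is already returning e-mail addresses or card numbers is exactly the "API to backend data" path the study describes, and it should be fed back to the development team rather than silently blocked at the gateway. The hypothetical DELETE route shows the other case the text mentions: a method added to a known resource in production that the inventory never recorded.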
“The foundation of any API-related security incident is data,” says Hansen.
“Protecting APIs requires a change of mindset, one that focuses on the discovery of each API and the classification of the data flowing through it,” he says.
“This approach requires a reciprocal working relationship between the security and development team, with security embedded in the development lifecycle. Until then, cybercriminals will continue to target vulnerable APIs to exfiltrate sensitive data.”