Larger organisations are statistically more likely to have a higher percentage of API-related incidents, with those reporting revenues of at least US$100 billion three to four times more likely to experience API insecurity than small or midsize businesses, according to Imperva.
The digital security leader's report, Quantifying the Cost of API Insecurity, conducted by the Marsh McLennan Cyber Risk Analytics Center, found that nearly 117,000 unique incidents resulted in estimated losses of $41 billion to $75 billion annually.
The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organisations accelerate digital transformation.
An API is the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes. Nearly half of all businesses have between 50 and 500 APIs deployed, either internally or publicly, while some have over a thousand active APIs.
Many APIs connect directly to backend databases where sensitive data is stored. As a result, hackers are increasingly targeting APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information.
Imperva said that one in every 13 cyber incidents can be attributed to API insecurity. As the number of APIs in production multiplies, this figure is expected to grow in the coming years.
IT, professional services, and retail are most likely to suffer API-related security incidents.
“The findings of this report highlight that it can be very costly for businesses that do not have a strategy for addressing API security,” says Reinhart Hansen, director of technology at Imperva. “It also correlates with the fact that many organisations simply don’t have the right tools in place to monitor and mitigate the growing volume of API-related security threats.”
When compared to other regions, Asia was found to have a relatively high incident rate with between 16% and 20% of cyber-security events related to API insecurity.
This is likely due to the rapid digital transformation happening across Asia, especially with regard to mobile, as the majority of digital transactions in Asia are done via mobile.
These factors can increase both the volume of APIs in use and the amount of data flowing through them, which raises the chances of an API-related event.
To improve API security, Imperva recommends that companies identify and classify data flowing through every API; automate discovery; and enable API governance.
“This approach requires a mutual working relationship between the security and development team, where security is embedded into the development lifecycle,” said Hansen. “Until then, cybercriminals will continue to target vulnerable APIs to exfiltrate sensitive data.”