The commitment to API security from senior leadership and security teams across the region has not kept pace with growing awareness of API vulnerabilities, according to a report from Akamai Technologies.
This results in costly API attacks that underscore the urgent need for organisations to reach a consensus on where API security fits into their cybersecurity priorities, Akamai said.
The report is based on a study that surveyed more than 800 IT and security professionals across China, India, Japan, and Australia.
Findings show that with APIs now the backbone of modern digital infrastructure, 85% of organisations in the region reported at least one API-related security incident in the past 12 months.
The financial impact is equally concerning, with the average estimated cost of API security incidents reaching more than US$580,000 across the surveyed markets. However, many enterprises still lack visibility into their API ecosystems and the sensitive data they expose.
“APIs have become mission-critical, powering everything from mobile banking to connected vehicles. But our research shows that organisations across Asia-Pacific are struggling to secure them,” said Reuben Koh, director of security technology and strategy, Akamai Technologies, Asia-Pacific & Japan.
“It is crucial for organizations to reach a consensus on the root cause, impact, and priority levels of API security incidents so that they can implement holistic security strategies to protect critical APIs from development to runtime,” said Koh.
Results show that China leads in API security prioritisation, but gaps remain. Chinese respondents were the only group to rank “securing APIs from threat actors” as their top cybersecurity priority.
However, cost perceptions varied widely, with C-suite executives estimating API incident costs at CN¥3.75 million (US$517,000) and front-line security staff estimating them closer to CN¥6.7 million (US$925,000).
Data from India reveals sharp internal disconnects. While 77% of Indian C-suite leaders claimed to have full API inventories, only 41% of AppSec professionals agreed.
This disconnect extends to sensitive data awareness, with just 11% of AppSec teams confident that they know which APIs return sensitive data.
In Japan, enterprises deprioritise API risks despite industry exposure. API security ranked just fourth on the country’s cybersecurity priority list, even as 96% of organisations in energy and retail industries reported recent API incidents.
Japanese AppSec teams cited reputational damage with boards and executives as the top consequence.
Australian firms are hit hardest by incidents, but slowest to respond. Australia saw the highest incident rate (95%) and incurred significant financial impacts (AU$493,000 on average), yet had the lowest percentage of organisations regularly conducting comprehensive API vulnerability testing (6%).
Across all four countries, the study reveals a critical gap between perception and reality.
C-suite awareness is high, but operational visibility is low: 92% of APAC executives said their organizations experienced an API incident in the past 12 months, yet only 37% of all respondents could confirm that they know which APIs expose sensitive data.
Testing also remains inconsistent. Despite high incident rates, only a small percentage of respondents across the region reported real-time API testing, with China at 22%, India at 15%, Japan at 11%, and Australia at 6%.
These disconnects reflect a broader challenge — organizations are deploying APIs faster than they can secure them, creating fertile ground for attackers.
“The problem is no longer theoretical. API abuse is happening right now, with real financial and reputational costs,” added Koh. “Leadership teams must close the gap with security and AppSec professionals working closer together and invest in the right tools, processes, and alignment to protect this critical technology.”














