According to a multi-year data analysis, increasing use of vulnerable APIs, especially in large organizations, will attract costly, damaging cyber risks
Findings have been released from an analysis of over 161,000 unique cybersecurity incidents encountered by a “cyber risk intelligence center”. The analysis was commissioned by a cybersecurity firm to examine the impact of attacks linked to application programming interfaces (APIs) and bots.
First, the data suggests that larger organizations were statistically more likely to have a higher percentage of security incidents involving both insecure APIs and bot attacks. Enterprises with revenues of more than US$1bn were two to three times more vulnerable to the two security risks.
Second, the average enterprise in the data was managing 613 API endpoints in production in 2023, a number that is growing as businesses face mounting pressure to deliver digital services with greater agility and efficiency. Automated threats accounted for 30% of all API attacks in the analyzed data, costing affected organizations in the analysis up to US$17.9bn in losses.
Other findings
Third, in the data for the Asia Pacific and Japan (APJ) region, insecure APIs had resulted in up to US$4.6bn of losses per year. Also:
- Up to US$12.8bn of losses in the APJ region were attributed to automated attacks by bots and the widespread availability of attack tools and generative AI models for enhancing bot evasion techniques and democratizing sophisticated bot attacks.
- In the multi-year data, API-related security incidents in 2022 had risen by 40% year on year, and bot-related security incidents had spiked by 88% year on year, assumed to be linked to increases in digital transactions, the expanding use of APIs, and geopolitical tensions like the Russia-Ukraine war. In 2023 data, the frequency of these incidents had moderated: API-related security incidents had grown by 9%, while bot-related security incidents had jumped by just 28% year on year.
- 17.7% of global incidents were attributed to API and bot-related security incidents in the APJ region, comprising 14% of API-related and up to 24% of bot-related attacks.
- In the data, Brazil experienced the highest percentage of events related to insecure APIs or bot attacks, accounting for up to 32% of all observed security incidents. This was closely followed by attacks in France (up to 28%) and three markets in APJ – Japan (up to 28%), India (up to 26%) and Australia (up to 23%).
According to Nanhi Singh, General Manager (Application Security), Imperva, the firm that commissioned the analysis: “It’s imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden. The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks.”