Automated API abuse by bots

Vulnerable APIs and bot attacks cost companies up to 186 billion US dollars a year


Thales has published the report “Economic Impact of API and Bot Attacks”. Its analysis of cybersecurity incidents reveals the rising global cost of insecure APIs and automated bot abuse, two security threats that are increasingly interconnected and widespread.

The report estimates that API insecurity and bot attacks lead to losses of up to 186 billion US dollars for companies around the world.

The report is based on a study by the Marsh McLennan Cyber Risk Intelligence Center, which found that larger organizations are statistically more likely to have a higher percentage of security incidents involving both insecure APIs and bot attacks. Organizations with more than $1 billion in revenue are two to three times more likely to experience automated API abuse by bots than small or mid-sized companies. The study suggests that large organizations are particularly vulnerable to security risks associated with automated API abuse by bots due to complex and pervasive API ecosystems that often contain unprotected or insecure APIs.


Organizations rely heavily on APIs to enable seamless communication between different applications and services. Data from the Imperva Threat Research team shows that the average organization managed 613 API endpoints in production last year. This number is rising rapidly as organizations are under increasing pressure to deliver digital services with greater agility and efficiency.

Due to this increasing dependency and their direct access to sensitive data, APIs have become attractive targets for bot operators. In 2023, automated threats generated by bots accounted for 30 percent of all API attacks, according to data from Imperva Threat Research. Today, automated API abuse by bots costs companies up to 17.9 billion US dollars in losses every year. As the number of APIs in production multiplies, cybercriminals will increasingly use automated bots to find and exploit API business logic, bypass security measures and exfiltrate sensitive data.

“It is imperative that organizations around the world address the security risks posed by insecure APIs and bot attacks or face significant economic impact,” said Nanhi Singh, General Manager of Application Security at Imperva, a Thales company. “The interconnected nature of these threats requires organizations to take a holistic approach and integrate comprehensive security strategies for bot and API attacks.”

The most important trends identified in the report include:

  • The increasing adoption and use of APIs is increasing the attack surface: The rapid adoption of APIs, the inexperience of many API developers and the lack of collaboration between security and development teams have resulted in insecure APIs now leading to annual losses of up to $87 billion, an increase of $12 billion over 2021.
  • Bots have a negative impact on companies’ bottom lines: The widespread availability of attack tools and generative AI models has improved bot evasion techniques and enabled even low-skilled attackers to launch sophisticated bot attacks. Annual losses of up to 116 billion US dollars can be attributed to automated attacks by bots.
  • API and bot-related security incidents are becoming more frequent: In 2022, API-related security incidents increased by 40 percent and bot-related security incidents increased by 88 percent. These increases were fueled by a rise in digital transactions, the increasing use of APIs and geopolitical tensions such as the Russia-Ukraine conflict. In the following year, 2023, as digital traffic began to stabilize and the surge in internet activity triggered by the pandemic subsided, the growth of these incidents slowed: API-related security incidents increased by 9 percent, while bot-related security incidents increased by 28 percent. The overall upward trend in attacks highlights the increasing persistence and frequency of these threats.
  • Insecure APIs and bot attacks pose a significant threat to large companies: Companies with a turnover of at least 100 billion US dollars are most likely to be affected by security incidents related to insecure APIs or bot attacks. These threats account for up to 26 percent of all security incidents faced by such organizations.
  • Countries around the world are vulnerable to API and bot attacks: Brazil recorded the highest percentage of incidents related to insecure APIs or bot attacks, with the threats accounting for up to 32% of all observed security incidents. This was closely followed by France (up to 28%), Japan (up to 28%) and India (up to 26%). Although the proportion of security incidents related to APIs and bots in the United States decreased compared to previous years, vulnerable APIs or automated abuse by bots still accounted for 66% of all reported cases in the US.

“The reliance on APIs will continue to grow exponentially, driving connections to generative AI applications and large language models,” Singh adds. “At the same time, generative AI will also enable cybercriminals to develop sophisticated bots at an increasingly rapid pace. As API ecosystems expand and bots become more advanced, organizations should expect a significant increase in the economic impact of automated API abuse by bots unless proactive measures are taken.”

(pd/Thales)
