Global businesses could be exposing themselves to billions in annual losses because they aren’t properly securing their APIs, according to new research from Imperva.
The security firm teamed up with the Marsh McLennan Cyber Risk Analytics Center to analyze nearly 117,000 unique cybersecurity incidents for their report, Quantifying the Cost of API Insecurity.
It revealed that vulnerable and unsecured APIs cause an estimated 7.5% of cyber events and losses globally, rising to 18-23% in the IT and information sector. Professional services (10-15%) and retail (6-12%) rounded out the top three.
APIs are an increasingly common feature of digital transformation projects – connecting applications, data and experiences. Imperva estimated that around half of businesses have 50-100 APIs deployed internally or publicly, although some have thousands.
However, this could unwittingly expand the digital attack surface, it warned.
“At the root of every API-related security incident is data. Protecting API requires a mindset shift; one that is focused on classifying data and understanding how data is accessed by every API in production,” argued Imperva’s general manager of application security, Karl Triebes.
“This approach requires security and development teams to work together to embed security into the development lifecycle. Until then, cyber-criminals will continue to exploit vulnerable APIs to exfiltrate sensitive data in greater volumes.”
In related news, new research from Radware released this week revealed a major visibility and control gap when it comes to API security.
It found that 92% of global respondents believe they have enough API protection in place and 70% believe they have visibility into applications processing sensitive data. However, 62% admitted that one-third or more of their APIs are undocumented.
“For many companies, there is unequivocally a false sense of security that they are adequately protected from cyber-attacks. In reality, they have significant gaps in the protection around unknown and undocumented APIs,” said Radware COO Gabi Malka.
“API security is not a ‘trend’ that is going away. APIs are a fundamental component to most of the current technologies and securing them must be a priority for every organization.