A new Imperva, Inc. study uncovers the rising global costs of vulnerable or insecure APIs. The analysis of nearly 117,000 cybersecurity incidents estimates that API insecurity results in $41-75 billion of losses annually, according to Imperva.
The Quantifying the Cost of API Insecurity study, conducted by the Marsh McLennan Cyber Risk Analytics Center, found that larger organizations were statistically more likely to have a higher percentage of API-related incidents. In fact, enterprises with revenues of at least $100 billion were 3-4x more likely to experience API insecurity than small or midsize businesses. The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation.
An API is the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes. The volume of APIs used by businesses is growing rapidly; nearly half of all businesses have between 50-500 deployed, either internally or publicly, while some have over a thousand active APIs.
Many APIs connect directly to backend databases where sensitive data is stored. As a result, hackers are increasingly targeting APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information. Today, as many as 1 in every 13 cyber incidents can be attributed to API insecurity. As the number of APIs in production multiplies, this figure is expected to grow in the coming years.
The study also discovered substantial disparities between industries. IT, professional services, and retail are most likely to suffer API-related security incidents:
Industry |
Estimated percentage of incidents caused by API insecurity |
IT and Information |
18% - 23% |
Professional Services |
10% - 15% |
Retail |
6% - 12% |
Manufacturing |
4% - 6% |
Transportation |
4% - 6% |
Utilities |
4% - 6% |
Finance and Insurance |
2% - 4% |
Educational Services |
2% - 3% |
Healthcare |
0.5% - 1% |
At a country level, 57% of all reported API-related events occurred in the United States, more than 9x the volume of the next country, the United Kingdom. Given that U.S. businesses are more digitally mature, many depend on complex software supply chains and an expansive API ecosystem. Both factors increase the likelihood of an API-related security event.
Recommendations for Improving API Security:
- Identify and classify data flowing through every API: Visibility is crucial for understanding the full schema of every API, as well as identifying and classifying the data that flows through it so risks can be assessed.
- Automate discovery: APIs are produced quickly and modified often, making them a blind spot for many organizations. Through automation, organizations can eliminate rogue or shadow APIs. Further, by automating API inventory, the security team will have visibility into when developers modify APIs in production.
- Enable API governance: An API governance model is crucial for organizations in highly regulated industries. This is only possible with visibility that extends beyond the API endpoint and into the underlying payload so sensitive data can be adequately protected.