API and bot attacks are costing businesses billions – and they're on the rise


Insecure Application Programming Interfaces (APIs) and bot attacks are costing organizations billions, with large companies particularly at risk.

In a new analysis of more than 161,000 unique cybersecurity incidents, the security firm Imperva found that API-related security incidents rose by 40% across 2022 and by a further 9% in 2023. Bot-related security incidents rose by 88% across the same period.

For large firms, these represented more than a quarter (26%) of all security incidents.

In all, the attacks were found to cost businesses across the globe $186 billion (£140 billion) per year in losses. Insecure APIs alone resulted in up to $87 billion (£65 billion) of losses annually, a $12 billion (£9 billion) increase from 2021, while up to $116 billion (£87 billion) of losses annually can be put down to automated attacks by bots.

The crossover comes via automated API abuse carried out by bots, says Imperva, which accounts for $17.9 billion in losses.

"The estimated financial impact of API and bot attacks is staggering, highlighting the urgency of addressing these threats," said the researchers.

Researchers pointed to the increased burden on security teams as businesses expand their attack surface. The average enterprise managed 613 API endpoints in production last year, and that number is rising, attracting attacker interest because APIs provide direct access to sensitive data.

With an average of 29 per account, shadow APIs – undocumented or hidden APIs – often escape the rigorous security measures applied to known endpoints, creating blind spots that attackers can exploit. Meanwhile, unauthenticated API endpoints, averaging 21 per account, can be accessed without proper verification.
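The two blind spots described above, shadow APIs and unauthenticated endpoints, are both discoverable from traffic an organization already collects. The following is an added example, not code from the article or from Imperva: it reconciles endpoints observed in access logs against a documented inventory (the path templates of an OpenAPI-style spec) and reports any path that is not documented, plus any endpoint that served requests without a credential. The log format, the `auth=` field and the sample inventory are constructed for the example.

```python
"""Shadow-API inventory check (illustrative, not the article's own tooling).

Compares endpoints seen in access logs against a documented inventory and flags
(1) undocumented ('shadow') endpoints and (2) endpoints served without a credential.
"""
import re
from collections import Counter

# Constructed sample inventory, shaped like the keys of an OpenAPI 'paths' object.
DOCUMENTED_PATHS = {
    "/api/v1/users/{id}",
    "/api/v1/orders",
    "/api/v1/orders/{id}",
}

# Constructed sample access-log lines. The trailing 'auth=' field is an assumed
# gateway annotation recording which credential type (if any) was presented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 auth=bearer
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /api/v1/orders HTTP/1.1" 200 2048 auth=bearer
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /api/v2/export/users HTTP/1.1" 200 90210 auth=none
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /api/v1/orders/17 HTTP/1.1" 200 640 auth=none
192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "POST /internal/debug/dump HTTP/1.1" 200 77 auth=none
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ auth=(?P<auth>\S+)'
)
NUMERIC_SEG = re.compile(r"^\d+$")


def template_to_regex(template):
    """Turn '/api/v1/users/{id}' into a regex matching one concrete path segment per {param}."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def normalize_path(path):
    """Collapse purely numeric segments to {id} so undocumented paths group by shape."""
    return "/".join("{id}" if NUMERIC_SEG.match(seg) else seg for seg in path.split("/"))


def analyze(log_text, documented_paths):
    """Return request count, shadow endpoints and unauthenticated endpoints with hit counts."""
    templates = [(t, template_to_regex(t)) for t in sorted(documented_paths)]
    shadow, unauthenticated, total = Counter(), Counter(), 0

    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # not an API request line we understand
        total += 1
        path = match.group("path").split("?", 1)[0]  # drop the query string

        # Label the request with its documented template, or its normalized shape if undocumented.
        label = next((tmpl for tmpl, rx in templates if rx.match(path)), None)
        if label is None:
            label = normalize_path(path)
            shadow[label] += 1

        # A request served with no credential is a finding regardless of documentation status.
        if match.group("auth") == "none":
            unauthenticated[label] += 1

    return {
        "requests": total,
        "shadow": dict(shadow),
        "unauthenticated": dict(unauthenticated),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, DOCUMENTED_PATHS)
    print(f"{report['requests']} requests analyzed")
    for path, hits in sorted(report["shadow"].items()):
        print(f"SHADOW          {path} ({hits} requests)")
    for path, hits in sorted(report["unauthenticated"].items()):
        print(f"UNAUTHENTICATED {path} ({hits} requests)")
```

Run against the constructed sample, the check surfaces two shadow endpoints (`/api/v2/export/users` and `/internal/debug/dump`) and three endpoints that answered without a credential, including the documented `/api/v1/orders/{id}`, which shows why the two checks are worth running together: an endpoint can be fully inventoried and still be reachable without verification.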

"Today, over 60% of bad bots we observe at Imperva are classified as evasive – a combination of moderate and advanced bot traffic levels," the researchers said.

"These bad bots are increasingly sophisticated and employ techniques such as mimicking human behavior, using AI and machine learning (ML) to adapt and improve over time, delaying requests, and defeating CAPTCHAs to avoid detection and carry out significant attacks with fewer requests – reducing the 'noise' typical of bad bot campaigns."

Combined API and bot-related attacks, such as credential stuffing, fake account creation, and data scraping, are also on the rise, amounting to up to 12% of all cybersecurity losses.

"The analysis emphasizes the pervasive and escalating threat of API and bot attacks across organizations of all sizes. Bot attacks are particularly opportunistic and widespread, frequently affecting smaller and larger businesses," concluded the researchers.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.