Security

API and Bot Attacks Costing Businesses Billions and Rising

20 September 2024

Zaker Adham

Summary

Businesses worldwide are facing a growing financial burden due to the rise of insecure Application Programming Interfaces (APIs) and bot attacks, with large enterprises particularly vulnerable. According to a new study from cybersecurity firm Imperva, these types of security breaches are becoming increasingly frequent and costly, leading to significant financial losses.

The research, which analyzed over 161,000 unique cybersecurity incidents, found that API-related security threats surged by 40% in 2022, followed by a further 9% increase in 2023. Similarly, bot-related attacks spiked by 88% during the same timeframe. For large organizations, these combined incidents accounted for 26% of all security breaches.

In total, these cyberattacks are estimated to cost businesses $186 billion globally each year. Insecure APIs alone contributed up to $87 billion in annual losses—an increase of $12 billion compared to 2021. Bot-driven automated attacks, on the other hand, are responsible for an estimated $116 billion in yearly losses, with $17.9 billion attributed to automated API abuse orchestrated by bots.

"The staggering financial toll from API and bot attacks underscores the urgency for businesses to address these vulnerabilities," the report stated.

As companies continue to expand their digital infrastructure, their attack surface grows, making them more susceptible to breaches. On average, enterprises managed 613 API endpoints last year, a figure that is steadily increasing. APIs are a prime target for hackers as they often provide direct access to sensitive information.

Moreover, shadow APIs—undocumented or hidden APIs that lack proper oversight—pose a significant security risk. These unmonitored endpoints create blind spots, allowing attackers to exploit vulnerabilities. The average enterprise has 29 shadow APIs per account, and 21 unauthenticated API endpoints, which can be accessed without proper verification, further increasing the likelihood of an attack.
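The two findings above (undocumented endpoints and documented endpoints that answer without authentication) are both things a defender can measure from gateway logs. The script below is an added illustration, not code from Imperva or from the report: it reconciles a documented API inventory against observed requests and flags (a) method/path pairs that no documented route explains and (b) documented routes that require authentication yet returned a success status to a request carrying no credentials. The inventory dictionary, the log lines, and the trailing `auth=` field are constructed assumptions; a real deployment would load the inventory from the OpenAPI specification and take the authentication decision from the gateway rather than from a log token.

```python
import re
from urllib.parse import urlsplit

# Constructed inventory of documented routes (OpenAPI-style path templates).
# This is an assumption for the example; load it from your spec in practice.
DOCUMENTED_API = {
    ("GET", "/v1/users/{id}"): {"auth_required": True},
    ("POST", "/v1/orders"): {"auth_required": True},
    ("GET", "/v1/health"): {"auth_required": False},
}

# Constructed gateway access log lines. The trailing "auth=" field is an
# assumed gateway annotation ("-" means no credential was presented).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2024:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512 auth=bearer
10.0.0.6 - - [20/Sep/2024:10:00:02 +0000] "GET /v1/users/43 HTTP/1.1" 200 498 auth=-
10.0.0.7 - - [20/Sep/2024:10:00:03 +0000] "GET /v1/health HTTP/1.1" 200 12 auth=-
10.0.0.8 - - [20/Sep/2024:10:00:04 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 90211 auth=-
10.0.0.9 - - [20/Sep/2024:10:00:05 +0000] "POST /v1/orders HTTP/1.1" 201 77 auth=bearer
10.0.0.9 - - [20/Sep/2024:10:00:06 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0 auth=bearer
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) auth=(?P<auth>\S+)$'
)


def template_to_regex(template):
    """Turn '/v1/users/{id}' into a regex matching exactly one path segment per placeholder."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def parse_log_line(line):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string for matching
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec["auth"] != "-"
    return rec


def match_documented(method, path, inventory):
    """Return (template, metadata) of the documented route covering this request, or (None, None)."""
    for (doc_method, template), meta in inventory.items():
        if doc_method == method and template_to_regex(template).match(path):
            return template, meta
    return None, None


def audit(log_text, inventory):
    """Count shadow (undocumented) routes and successful unauthenticated hits on protected routes."""
    shadow, unauthenticated = {}, {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        template, meta = match_documented(rec["method"], rec["path"], inventory)
        if template is None:
            key = (rec["method"], rec["path"])
            shadow[key] = shadow.get(key, 0) + 1
            continue
        # A 2xx/3xx answer to a credential-less request on a protected route is the finding.
        if meta["auth_required"] and not rec["authenticated"] and rec["status"] < 400:
            key = (rec["method"], template)
            unauthenticated[key] = unauthenticated.get(key, 0) + 1
    return {"shadow": shadow, "unauthenticated": unauthenticated}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, DOCUMENTED_API)
    for kind, hits in report.items():
        print(f"{kind}:")
        for (method, route), count in sorted(hits.items()):
            print(f"  {method} {route}  ({count} request(s))")
```

Run against the constructed log, the audit reports `GET /internal/export` and `DELETE /v1/users/42` as shadow routes (no documented route covers them), and `GET /v1/users/{id}` as a protected route that served a request without credentials. Matching on the path template rather than the raw path keeps the shadow list from exploding into one entry per user ID, while unmatched requests are kept raw so the exact undocumented path is visible to whoever has to go and find its owner.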

Imperva’s researchers also noted that over 60% of malicious bots are now classified as "evasive," meaning they employ advanced techniques like mimicking human behavior and using AI and machine learning to adapt to security measures. These bots can bypass CAPTCHAs and carry out large-scale attacks with fewer requests, reducing the "noise" typically associated with bot traffic.

The rise in combined API and bot attacks, including credential stuffing, fake account creation, and data scraping, now accounts for up to 12% of all cybersecurity losses. Smaller businesses are not immune to these attacks, as opportunistic hackers frequently target organizations of all sizes.

Imperva’s findings highlight the growing and pervasive nature of these threats, stressing the need for businesses to invest in robust security measures to protect against API and bot-related vulnerabilities.