Organizations are experiencing staggering financial losses, estimated between $94 billion and $186 billion annually, due to the vulnerabilities present in Application Programming Interfaces (APIs) and the automated exploits conducted by malicious bots. This alarming statistic is highlighted in a report titled “The Economic Impact of API and Bot Attacks,” published by Imperva, a Thales company. The report underscores that these security challenges contribute significantly to global cyber incidents, accounting for up to 11.8% of overall cyber losses, which raises concerns about the increasing threats they pose to businesses globally.
Imperva’s analysis draws from an extensive study by the Marsh McLennan Cyber Risk Intelligence Center, which examined over 161,000 unique cybersecurity incidents. This investigation reveals a worrisome trend: both the incidence of threats stemming from insecure APIs and bot activities and the interdependence between the two are rising, necessitating urgent attention from organizations. The report warns that neglecting to address the security issues related to these threats could result in severe financial repercussions and damage to reputations.
As APIs have increasingly become crucial for business operations, enabling seamless interconnectivity across applications, they have also opened up significant security vulnerabilities. Imperva Threat Research indicates that the average enterprise managed approximately 613 active API endpoints last year, a number expected to rise as firms lean more heavily on APIs for innovation and digital transformation. However, this heavy dependence has widened the attack surface, with API-related security incidents reportedly increasing by 40% in 2022 and 9% in 2023.
These incidents are particularly concerning given that APIs are often the gateways to an organization’s core infrastructure and sensitive data. API insecurity alone is estimated to result in losses of up to $87 billion annually, reflecting a $12 billion increase from 2021. This surge can be attributed to several factors, including rapid API adoption, the relative inexperience of many API developers, variability in security practices, and inadequate collaboration between development and security teams.
Meanwhile, bot attacks continue to be a pervasive threat, costing organizations as much as $116 billion each year. Bots—automated software utilized for a variety of tasks—are commonly weaponized for harmful purposes such as credential stuffing, online fraud, and DDoS attacks. A significant spike in bot-related security incidents was noted in 2022, which saw an escalation of 88%, followed by an additional 28% in 2023. This rise can be linked to various factors, including the increase in digital transactions and ongoing geopolitical tensions.
Imperva highlights that bots now pose a severe threat to API security, with 30% of all API attacks involving automated threats. Among these, 17% exploit business logic vulnerabilities inherent in APIs. This alarming trend indicates that as APIs gain direct access to sensitive company data, they become primary targets for bot operators. Automated API abuse is currently costing enterprises up to $17.9 billion per year, as attackers increasingly use advanced techniques to circumvent security measures and extract sensitive information, complicating detection and mitigation efforts.
Among large enterprises, particularly those with revenues surpassing $1 billion, the risk of API and bot attacks is significantly magnified, with these organizations being two to three times more likely to fall victim compared to smaller counterparts. The complexity and scale of their digital infrastructures expose them to greater vulnerabilities, particularly as they manage numerous APIs across diverse departments and services. The presence of shadow APIs, deprecated APIs, and instances of inadequate authentication within these environments creates exploitable entry points for attackers.
The urgency for comprehensive API security and robust bot management strategies grows as enterprise revenues climb above $100 billion. In such cases, API insecurity and bot-related issues account for nearly 26% of security incidents, reflecting the critical need for organizations to proactively address these vulnerabilities to mitigate potential operational disruptions and financial downturns.
To navigate these evolving threats, organizations must adopt a multi-faceted approach. Fostering collaboration between security and development teams is essential to embed security within every phase of the API lifecycle. This ensures robust security protocols are integrated early, enabling the identification and mitigation of risks before they manifest. Furthermore, organizations must maintain a clear overview of all their APIs, including shadow and deprecated endpoints, so that vulnerabilities can be identified regularly. By managing API security in conjunction with bot management, businesses can enhance safeguards against automated attacks while ensuring they are equipped to address sophisticated threats before they culminate in security incidents.
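One concrete way to keep the overview of shadow and deprecated endpoints that the paragraph above calls for, and to tie it to bot management, is to reconcile the documented API inventory against what the gateway actually serves. The script below is an added example, not code from the report or from Imperva; it assumes a constructed inventory (standing in for an exported OpenAPI document, with its deprecated flags) and a constructed access-log sample in a simplified "client method path status" format. It classifies every observed path as documented, deprecated-but-still-in-use, or shadow (served but absent from the spec), and separately flags clients that walk many distinct object ids under one templated endpoint within the log window, a pattern worth routing to a bot-management review.

```python
import re
from collections import Counter, defaultdict

# Constructed inventory (assumption: stands in for an exported OpenAPI document):
# path template -> whether the spec marks it deprecated.
INVENTORY = {
    "/api/v2/users/{id}": False,
    "/api/v2/orders": False,
    "/api/v1/users/{id}": True,   # still served, but marked deprecated in the spec
}

# Constructed access-log sample in a simplified "<client> <method> <path> <status>" format.
LOG_LINES = [
    "10.0.0.5 GET /api/v2/users/42 200",
    "10.0.0.5 GET /api/v2/orders 200",
    "10.0.0.9 GET /api/v1/users/42 200",
    "10.0.0.9 GET /api/v1/users/43 200",
    "10.0.0.9 POST /api/internal/export 200",   # not in the spec: a shadow endpoint
    "10.0.0.9 GET /api/v2/orders/debug 404",    # not in the spec either
] + [f"203.0.113.7 GET /api/v2/users/{n} 200" for n in range(1, 9)]  # one client, many ids

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def template_to_regex(template):
    """Turn a path template such as '/api/v2/users/{id}' into an anchored regex
    that matches exactly one concrete path (each {param} matches one segment)."""
    parts = [r"[^/]+" if p.startswith("{") else re.escape(p) for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


COMPILED = {tpl: template_to_regex(tpl) for tpl in INVENTORY}


def classify_path(path):
    """Return ('documented' | 'deprecated', template) or ('shadow', None)."""
    for tpl, rx in COMPILED.items():
        if rx.match(path):
            return ("deprecated" if INVENTORY[tpl] else "documented", tpl)
    return ("shadow", None)


def parse_lines(lines):
    """Yield (client, method, path, status) for every well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            client, method, path, status = m.groups()
            yield client, method, path, int(status)


def inventory_report(lines):
    """Count observed (method, endpoint) pairs in three buckets: shadow endpoints
    that the spec does not know about, deprecated endpoints still receiving
    traffic, and documented endpoints. Shadow paths are kept verbatim since
    there is no template to fold them into."""
    report = {"shadow": Counter(), "deprecated": Counter(), "documented": Counter()}
    for _client, method, path, _status in parse_lines(lines):
        kind, tpl = classify_path(path)
        report[kind][(method, tpl or path)] += 1
    return report


def enumeration_candidates(lines, threshold=5):
    """Flag (client, template) pairs where one client touched at least
    `threshold` distinct object ids under a templated endpoint in this log
    window. Threshold is an assumption to tune per API; the output is a
    review list for bot management, not a verdict."""
    seen = defaultdict(set)
    for client, _method, path, _status in parse_lines(lines):
        _kind, tpl = classify_path(path)
        if tpl and "{" in tpl:
            seen[(client, tpl)].add(path)
    return {key: len(paths) for key, paths in seen.items() if len(paths) >= threshold}


if __name__ == "__main__":
    report = inventory_report(LOG_LINES)
    for bucket in ("shadow", "deprecated", "documented"):
        for (method, endpoint), count in sorted(report[bucket].items()):
            print(f"{bucket:10} {method:5} {endpoint:30} {count}")
    for (client, tpl), distinct in enumeration_candidates(LOG_LINES).items():
        print(f"review: {client} walked {distinct} distinct ids under {tpl}")
```

In a real deployment the inventory would be parsed from the actual OpenAPI export and the log lines would come from the gateway, but the two checks are the same: anything in the `shadow` bucket needs an owner and a spec entry (or to be removed), anything in the `deprecated` bucket with traffic needs a migration deadline, and the enumeration list is the hand-off point to bot management.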
As the landscape of API ecosystems continues to evolve and bots become increasingly adept at circumventing security measures, the imperative for action grows more pressing. Organizations must prioritize addressing the security risks associated with APIs and automated threats that can compromise sensitive data and tarnish their reputations.