API insecurity is responsible for between 4.1% and 7.5% of cyber events and losses globally
SAN MATEO, CA — June 22, 2022 — Imperva, Inc., (@Imperva) the comprehensive digital security leader on a mission to help organizations protect their data and all paths to it, releases “Quantifying the Cost of API Insecurity”, a new study that uncovers the rising global costs of vulnerable or insecure APIs. The analysis of nearly 117,000 unique cybersecurity incidents estimates that API insecurity results in 41 – 75 billion USD of losses annually.
The study, conducted by the Marsh McLennan Cyber Risk Analytics Center, found that larger organizations were statistically more likely to have a higher percentage of API-related incidents. In fact, enterprises with revenues of at least 100 billion USD were 3-4x more likely to experience API insecurity than small or midsize businesses. The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation.
An API is the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes. The volume of APIs used by businesses is growing rapidly; nearly half of all businesses have between 50-500 deployed, either internally or publicly, while some have over a thousand active APIs.
Many APIs connect directly to backend databases where sensitive data is stored. As a result, hackers are increasingly targeting APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information. Today, as many as one in every 13 cyber incidents can be attributed to API insecurity. As the number of APIs in production multiplies, this figure is expected to grow in the coming years.
The study also discovered substantial disparities between industries. IT, professional services, and retail are most likely to suffer API-related security incidents:
| Industry | Estimated percentage of incidents caused by API insecurity |
| IT and Information | 18% – 23% |
| Professional Services | 10% – 15% |
| Retail | 6% – 12% |
| Manufacturing | 4% – 6% |
| Transportation | 4% – 6% |
| Utilities | 4% – 6% |
| Finance and Insurance | 2% – 4% |
| Educational Services | 2% – 3% |
| Healthcare | 0.5% – 1% |
“Without a strategy for addressing API security, businesses around the world will continue losing incredible sums annually,” says Karl Triebes, SVP of Product Management & General Manager, Application Security, Imperva. “To mitigate the growing volume of API-related security threats, organizations need the ability to discover all the APIs in their environment, and to understand what data is flowing through each API.”
At a country level, 57% of all reported API-related events occurred in the United States — more than 9x the volume of the next country, the United Kingdom. Given that U.S. businesses are more digitally mature, many depend on complex software supply chains and an expansive API ecosystem. Both factors increase the likelihood of an API-related security event.
Recommendations for Improving API Security:
- Identify and classify data flowing through every API: Visibility is crucial for understanding the full schema of every API as well as identifying and classifying the data that flows through it so risks can be assessed.
- Automate discovery: APIs are produced quickly and modified often, making them a blindspot for many organizations. Through automation, organizations can eliminate rogue or shadow APIs. Further, by automating API inventory, the security team will have visibility into when developers modify APIs in production.
- Enable API governance: For organizations in highly regulated industries, an API governance model is crucial. This is only possible with visibility that extends beyond the API endpoint and into the underlying payload so sensitive data can be adequately protected.
“At the root of every API-related security incident is data,” added Triebes. “Protecting API requires a mindset shift; one that is focused on classifying data and understanding how data is accessed by every API in production. This approach requires security and development teams to work together to embed security into the development lifecycle. Until then, cybercriminals will continue to exploit vulnerable APIs to exfiltrate sensitive data in greater volumes.”
Additional Information:
- Download a copy of the “Quantifying the Costs of API Insecurity” report for additional insights on the business impact of API-related security incidents.
- See how Imperva API Security can protect your APIs across legacy, hybrid, and cloud-native environments.
- Check out the Imperva Blog for the latest product and solution news, and threat intelligence from Imperva Threat Research.
- Contact Imperva if you’re looking for a solution to mitigate API-related security risks.
About Imperva:
Imperva is the comprehensive digital security leader on a mission to help organizations protect their data and all paths to it. Only Imperva protects all digital experiences, from business logic to APIs, microservices, and the data layer, and from vulnerable, legacy environments to cloud-first organizations. Customers around the world trust Imperva to protect their applications, data, and websites from cyber attacks. With an integrated approach combining edge, application security, and data security, Imperva protects companies ranging from cloud-native start-ups to global multi-nationals with hybrid infrastructure. Imperva Threat Research and our global intelligence community keep Imperva ahead of the threat landscape and seamlessly integrate the latest security, privacy, and compliance expertise into our solutions.
© 2022 Imperva, Inc. All rights reserved. Imperva is a registered trademark of Imperva, Inc.
