UPDATED 08:00 EDT / SEPTEMBER 18 2024

API and bot attacks cost businesses $186M annually, new report finds

A new report out today from Imperva Inc., a Thales company, is warning that vulnerable application programming interfaces and bot attacks are costing businesses up to $186 billion annually, as incidents have risen sharply in recent years.

The “Economic Impact of API and Bot Attacks” report, based on the analysis of more than 161,000 unique cybersecurity incidents and a study by the Marsh McLennan Cyber Risk Intelligence Center, found that larger organizations were statistically more likely to have a higher percentage of security incidents that involved both insecure APIs and bot attacks.

Enterprises with revenue of more than $1 billion were found to be two to three times more likely to experience automated API abuse by bots than small or mid-size businesses. Large companies were found to be particularly vulnerable to security risks associated with automated API abuse by bots because of complex and widespread API ecosystems that often contain exposed or insecure APIs.

The problem is exacerbated by the sheer number of APIs enterprises rely on, with data from Imperva Threat Research finding that the average enterprise managed 613 API endpoints in production last year. The number is also growing rapidly as businesses face increasing pressure to deliver digital services with great agility and efficiency.

With so many API endpoints in production, it's not surprising that they've become a juicy target for bot operations. In 2023, Imperva found that automated threats accounted for 30% of all API attacks. Automated API abuse by bots costs organizations up to $17.9 billion in losses annually. As the number of APIs in production multiplies, the report notes that cybercriminals will increasingly use automated bots to find and exploit API business logic, circumvent security measures and exfiltrate sensitive data.

Key findings in the report include that the rapid adoption of APIs, combined with inexperienced developers and insufficient collaboration between security and development teams, has expanded the attack surface for cyberthreats. Insecure APIs now account for up to $87 billion in losses annually, representing a $12 billion increase since 2021. As APIs continue to be integrated into business processes, the security risks associated with them are expected to grow.

Bot attacks are also proving to be a significant financial burden for enterprises, with up to $116 billion in losses attributed to automated threats each year. Thrown into the mix are the accessibility of attack tools and advancements in generative artificial intelligence, which have made it easier for even low-skilled attackers to launch sophisticated bot attacks. The automated threats are also increasingly difficult to detect and mitigate, further impacting organizations’ bottom lines.

The frequency of both API and bot-related security incidents is also on the rise. For example, in 2022, API incidents grew by 40%, while bot-related incidents spiked by 88%, driven by increased digital transactions and global geopolitical tensions. Although the rate of increase was found to have slowed in 2023, the threats remain persistent, particularly for large enterprises and countries like Brazil, France, Japan and India, where such incidents are most prevalent.

“It’s imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden,” said Nanhi Singh, general manager of application security at Imperva. “The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks. As API ecosystems expand and bots become more advanced, organizations should anticipate a significant rise in the economic impact of automated API abuse by bots unless proactive measures are taken.”

Image: SiliconANGLE/Ideogram
