Sydney, Australia – Application Programming Interface (API) insecurity and automated abuse by bots are increasingly interconnected and prevalent, costing businesses in Australia US$2b in losses every year. This is according to the latest research from cybersecurity firm Thales, which also revealed that four cybersecurity incidents in the country account for these costs.
Data from the report found that in 2023, the Asia-Pacific region accounted for 17.7% of global API- and bot-related security incidents, resulting in more than US$16.6b in business losses.
With 14% of global API-related attacks and 24% of bot-related attacks, the region recorded the highest rate of API incidents globally and the second highest rate after Africa.
Larger organisations were also found to be statistically more likely to have a higher percentage of security incidents that involve both insecure APIs and bot attacks. In particular, enterprises with revenues of more than US$1b were two to three times more likely to experience automated API abuse by bots than small or midsize businesses.
These figures point to the growing exposure of large companies to the security risks of automated API abuse by bots, a consequence of their complex and widespread API ecosystems.
Furthermore, the study revealed that the average enterprise managed 613 API endpoints in production last year, a number growing rapidly as businesses face mounting pressure to deliver digital services with greater agility and efficiency.
Due to this increased reliance and their direct access to sensitive data, APIs have also become attractive targets for bot operators.
In 2023, automated threats accounted for 30% of all global API attacks, according to data from Imperva Threat Research.
Recently, it was observed that automated API abuse by bots costs organisations up to US$17.9b every year. These incidents can be attributed to the rising number of APIs in production, which cybercriminals are expected to target with automated bots that find and exploit API business logic, circumvent security measures, and exfiltrate sensitive data.
Apart from these findings, Thales also reported that the rapid adoption of APIs, the inexperience of many API developers, and a lack of collaboration between security and development teams have led to insecure APIs now causing up to US$87b in losses annually, a US$12b increase from 2021.
Interestingly, the widespread availability of attack tools and generative AI models has enhanced bot evasion techniques and enabled even low-skilled attackers to launch sophisticated bot attacks. The report found that up to US$116b of losses annually can be attributed to automated attacks by bots.
Additionally, API- and bot-related security incidents are becoming more frequent: in 2022, API-related security incidents rose by 40% and bot-related security incidents spiked by 88%. In the following year, API-related security incidents grew by 9%, while bot-related security incidents jumped by 28%.
Insecure APIs and bot attacks were further observed to pose a significant threat to large enterprises, with companies with revenue of at least US$100 billion reported as the most vulnerable to security incidents related to insecure APIs or bot attacks.
“Many businesses across APJ are unaware that undesirable bot traffic is impacting their bottom line by targeting their applications, APIs, and infrastructure. Business leaders can’t manage this risk if they’re unaware of it or don’t fully understand it,” said Reinhart Hansen, director of technology, Asia Pacific and Japan, at Imperva, a Thales company.
He continued, “The same can also be said about lack of visibility across an organisation’s API endpoint assets and the data they exchange, internally, publicly, and directly with third parties. Without an accurate and continuously updated API endpoint inventory and security assessment, organisations remain open to significant security risks, such as large-scale data loss and exfiltration.”
“API ecosystems will continue to grow exponentially, driving connections to generative AI applications and large language models. In parallel, cybercriminals will leverage emerging technologies to create sophisticated bots at an accelerated and alarming pace. Business leaders should take proactive measures to assess and interpret the potential risk to their bottom line and adopt a holistic solution that covers the entire application landscape without impacting the end-user experience,” concluded Hansen.