Following a recent report by cyber-security company Imperva about the rising costs to businesses of bot attacks and vulnerable APIs, we look at why it’s happening and what can be done.
Vulnerable APIs & Bot Attacks Costing Businesses $186 Billion
Imperva’s report was based on Marsh McLennan Cyber Risk Intelligence Centre’s study of data from 161,000 cybersecurity incidents related to vulnerable APIs and bot attacks. The key findings were that businesses face an annual (estimated) economic burden of up to $186 billion due to vulnerable APIs and automated bot attacks. Also, the study found that these two security threats often work in tandem, are becoming increasingly prevalent, and pose significant risks to organisations worldwide.
APIs
An API (Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate with each other. Businesses adopt and use APIs because they enable seamless integration between apps and services, improving efficiency and automation. Mulesoft1 figures show that 99 per cent of organisations have already embraced APIs. An API can, for example, connect a company’s CRM system with its email marketing platform, thereby automatically syncing customer data. APIs also enhance customer experiences, like allowing users to log in via their Google or Facebook accounts. They help with scalability, such as a small business using cloud storage services via APIs to expand without building infrastructure. By using APIs for payments (like Stripe) or shipping (like FedEx), businesses can quickly innovate and offer services without developing them in-house. APIs also enable secure data sharing, such as a fintech company offering real-time stock market data through an API, while fostering partnerships, like travel booking sites combining flight, hotel, and rental services from different providers. This makes businesses more agile, efficient, and competitive in a connected world, thus highlighting positive outcomes of API adoption.
The financials of using them are illustrated by Mulesoft1 figures which suggest that many organistaions which are using APIs are reporting increased revenues, e.g. up to a 35 per cent increase, plus they are reporting reduced operational costs.
Why Are APIs Vulnerable?
APIs are particularly vulnerable because they expose numerous endpoints, each acting as a potential entry point for attackers. As businesses increasingly adopt APIs to improve agility and efficiency, the number of these exposed endpoints has surged—on average, enterprises managed 613 API endpoints in 2023. This rapid expansion has created a larger attack surface, making APIs an attractive target for cybercriminals.
Also, with enterprise sites handling 1.5 billion API calls annually, the sheer volume makes the likelihood of encountering vulnerabilities greater.
What Kind of Vulnerabilities?
The kind of business logic vulnerabilities in APIs include, for example, weak authentication, insufficient access controls, and improper data validation, all of which can allow attackers to exploit these APIs, leading to data breaches or system compromises.
What’s The Link Between Vulnerable APIs and Bot Attacks?
Put simply, the link between vulnerable APIs and bot attacks is that:
– Greater API adoption (and a growing reliance upon them by organisations) has expanded the attack surface.
– Cybercriminals have realised that automated bots are a great and inexpensive way to attack the increasing number of vulnerable APIs, due to the scalability, speed, and efficiency of automated bots. Imperva, for example, highlights the fact that even low-skilled attackers can launch sophisticated bot attacks.
– Bots can quickly exploit multiple API endpoints – averaging 613 per enterprise in 2023 (Marsh McLennan) – making them ideal for large-scale attacks. Their low cost and 24/7 operation allow cybercriminals to probe for weak spots continuously, extracting sensitive data, executing fraudulent transactions, or launching disruptive denial-of-service attacks. Also, vulnerable APIs often lack strong security measures, thereby making them easy targets for bots, which can monetise stolen data or cause significant disruptions. As API adoption grows, bot attacks offer cyber-criminals a high-reward, low-effort method for exploiting these weaknesses, contributing to billions in annual financial losses.
This is why the Marsh McLennan Cyber Risk Intelligence Centre figures featured in the report show an 88 per cent rise in bot-related security incidents in 2022, followed by another 28 per cent increase in 2023. In essence, the more vulnerable APIs there are, the more bots are being used to attack them and as APIs become more integral to business, they become prime targets for bot attacks.
More Sophisticated
One other key point highlighted in Imperva’s report is that the increasing sophistication of bad bots is a growing concern. For example, Imperva reports that over 60 per cent of bad bots detected today are classified as evasive, i.e. they use a mix of moderate and advanced techniques to carry out attacks. Worryingly, these bots can now mimic human behaviour, leveraging AI and machine learning to adapt and evolve over time. They can also delay requests and bypass common security measures like CAPTCHAs, making them harder to detect. This allows them to launch significant attacks with fewer requests, thereby reducing the typical “noise” associated with bot campaigns, making their actions stealthier and more effective.
The Financial Toll
As mentioned at the beginning of this article, bot attacks on APIs are contributing significantly to financial tolls for organisations – up to $186 billion annually, with API-related breaches costing organisations up to $87 billion annually – an increase of $12 billion from 2021. Specifically, automated API abuse by bots now accounts for a massive $17.9 billion of these losses each year, thereby illustrating the immense economic impact of API vulnerabilities combined with bot-driven attacks.
Biggest Companies At Highest Risk
Reseach appears to show that large enterprises (those with over $100 billion in revenue) face the greatest risk, with bot-related incidents making up as much as 14 per cent of all cyber incidents. Imperva’s report attributes the fact that they’re prime targets to their high visibility, extensive digital presence, and valuable assets.
Global Vulnerability
Imperva’s report also highlights the global nature of API and bot attack threats, with countries like Brazil, France, Japan, and India now seeing high percentages of security incidents related to insecure APIs and bot activity. Although the proportion of such events in the United States is lower compared to these countries, the U.S. still accounts for 66 per cent of all reported incidents, highlighting its significant exposure to these growing threats.
What Does This Mean For Your Business?
The financial and operational costs of API and bot attacks are escalating at an alarming rate. With global losses reaching as high as $186 billion annually, these threats are becoming a major concern for organisations of all sizes. The rapid adoption of APIs, while improving efficiency and agility, has also expanded the attack surface, making businesses more vulnerable. Automated bots, with their scalability and increasing sophistication, are exploiting these vulnerabilities at an unprecedented rate. Imperva’s report, featuring the findings of Marsh McLennan Cyber Risk Intelligence Centre’s study, appear to illustrate the severity of the situation. This situation appears to be worsening too as bots become more evasive, using advanced techniques like AI and machine learning to mimic human behaviour, evade detection, and carry out stealthy, highly effective attacks.
Larger enterprises, with extensive digital infrastructures, are particularly exposed, with bot-related incidents accounting for up to 14 per cent of all cyber incidents. These companies face significant financial risks due to their high-value assets and complex API ecosystems, making them prime targets for automated bot attacks. That said, smaller businesses are also frequently targeted due to potentially weaker security measures, meaning that businesses of all sizes should sit up and take notice.
It also appears that this threat is global, e.g. countries like Brazil, France, Japan, and India have experienced surges in API and bot-related incidents (although the U.S. remains the most affected).
As the digital landscape evolves, the overlap between API and bot vulnerabilities highlights the critical need for businesses and organisations of all kinds to adopt proactive, comprehensive security strategies. Businesses must tailor their defences to the specific risks associated with their size and complexity. For example, large enterprises managing hundreds of API endpoints need robust API security testing frameworks that regularly assess vulnerabilities, ensuring all endpoints are secure. This could include adopting authentication mechanisms like OAuth 2.0 or implementing rate limiting to restrict how many requests can be made to the API in a short period, which helps prevent bot-driven attacks.
Smaller businesses may want to focus on securing their APIs with proper encryption and multi-factor authentication to minimise exposure. They can deploy web application firewalls (WAFs) with bot management features, such as those provided by services like Cloudflare or Imperva, to detect and block malicious bot traffic before it reaches critical endpoints.
Both small and large businesses should adopt continuous monitoring for abnormal behaviour and invest in AI-powered security tools that detect patterns characteristic of bot activity. Also, penetration testing should be part of regular security audits to simulate attacks on API endpoints, exposing any weaknesses before they can be exploited by cybercriminals.