SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Thales report reveals $186bn losses from API bot attacks

Fri, 20th Sep 2024

Leading cybersecurity company Thales has released a report on the "Economic Impact of API and Bot Attacks," highlighting significant financial losses incurred by enterprises due to bot attacks on Application Programming Interfaces (APIs).

The report estimates that businesses worldwide have faced losses amounting to USD $186 billion due to these security issues.

The reliance on APIs for seamless communication between various applications and services is increasing, with the average organisation managing about 613 API endpoints last year. This dependency on APIs and the vulnerabilities it introduces have become a lucrative target for cyber attackers. According to Thales, API insecurity and bot abuse account for up to 11.8% of global cyber events and losses, a figure that continues to rise.

Thales' analysis of over 161,000 unique cybersecurity incidents revealed a significant surge in bot-related security issues. The report indicates that bot-related incidents spiked by 88% in 2022 and by 28% in 2023, severely impacting the financial health of organisations. Additionally, insecure APIs alone led to USD $12 billion more in losses compared to 2021.

Larger enterprises, particularly those with revenues exceeding USD $1 billion, were found to be 2-3 times more likely to experience automated API abuse by bots than smaller companies. This increased vulnerability among large companies is attributed to the complexity and widespread nature of their API ecosystems, which often contain exposed or insecure APIs.

The data provided by the Imperva Threat Research team indicates that automated threats generated by bots now account for 30% of all API attacks. The annual financial impact of automated API abuse by bots is estimated to be USD $17.9 billion. As APIs continue to multiply, bot operators are increasingly exploiting API business logic, bypassing security measures, and siphoning sensitive data.

Nanhi Singh, General Manager of Application Security at Imperva, a Thales company, stresses the urgency for businesses to address these security risks. "It's imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden. The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks."

The report outlined several trends impacting businesses globally:

  • Increased API adoption and usage have expanded the attack surface, with insecure APIs now resulting in up to USD $87 billion in losses annually, a USD $12 billion increase from 2021.
  • Bot attacks have a marked negative impact on organisations' bottom lines. Enhanced tools and generative AI models have made sophisticated bot attacks more accessible, resulting in annual losses of up to USD $116 billion.
  • The frequency of API and bot-related security incidents has increased. In 2022, API-related incidents rose by 40% and bot-related incidents surged by 88%. In 2023, these figures moderated, with API incidents increasing by 9% and bot incidents by 28%, reflecting a continued upward trend in these threats.
  • Large enterprises, particularly those with revenues above USD $100 billion, are most affected by security incidents related to insecure APIs and bot attacks. Such incidents constitute up to 26% of all security events experienced by these businesses.
  • Global exposure to API and bot attacks varies. Brazil reported the highest percentage of events related to these threats at 32%, followed closely by France and Japan at 28%, and India at 26%. Despite a lower percentage of events in the United States, 66% of all reported incidents occurred there.

"Reliance on APIs will continue to grow exponentially, driving connections to generative AI applications and large language models," stated Singh. "At the same time, generative AI will also empower cybercriminals to create sophisticated bots at an accelerated and alarming rate. As API ecosystems expand and bots become more advanced, organisations should anticipate a significant rise in the economic impact of automated API abuse by bots unless proactive measures are taken."
