API Security in Peril as 83% of Firms Suffer Incidents
Security experts have warned of the soaring cost and volume of API security incidents after revealing that 83% of UK organizations were impacted over the past 12 months.
Akamai polled 404 UK CIOs, CISOs and other security professionals between June and July 2024, to help compile its API Security Impact Study 2024.
It recorded a 14-percentage point annual increase in UK respondents claiming to have experienced at least one API security incident over the previous 12 months. For US respondents, the figure actually dropped two percentage points.
In the UK, each incident cost over £420,000 ($532,000) in repairs, downtime, legal fees, fines and other charges – significantly more than the equivalent figure in Germany (£335,277).
Read more on API threats: Insecure APIs and Bot Attacks Cost Global Firms $186bn
Worryingly, the share of UK critical infrastructure organizations claiming to have suffered API security incidents over the past year was even higher. It stood at 94% for the country’s public sector, 92% for financial services and 90% for healthcare, according to Akamai.
However, at the other end of the spectrum was the retail/e-commerce sector, where just 68% of respondents reported incidents. It’s no coincidence that they were also more likely than any other to cite API security as a top priority (21%).
“API security has yet to become a key element in a comprehensive security strategy,” said Richard Meeus, director of security technology and strategy EMEA at Akamai. “Organizations mostly treat API threats as emerging, when the attack data – as well as the financial impact and stress on security teams – shows they keep growing.”
Nearly a third (31%) of UK respondents claimed API security incidents led to increased stress, the report found.
Among the potential causes of the UK’s poor performance are a lack of testing and visibility.
The share of respondents claiming to test APIs in real time fell from 18% in last year’s report to 13%, while only 29% of enterprises with full API inventories said they know which APIs return sensitive data – down from 40% in 2023.
API Threats on the Rise
The study chimes somewhat with other reports highlighting the growing threat to APIs. A report out in March 2023 claimed that API attacks increased 400% in the previous six months.
Data on 37 million T-Mobile customers in the US was stolen in late 2022 due to unauthorized access through a single API.
Among the main risks to APIs are unintended exposure, vulnerabilities and misconfigurations, lack of authentication and misfiring security tools, according to the Akamai report.
The security vendor recommended that organizations:
- Enhance visibility and discovery by undertaking a full inventory of the entire API estate and associated microservices
- Invest in pre- and post-production testing
- Audit APIs for misconfiguration and undertake full documentation
- Use runtime detection to highlight abnormal activity
- Respond to suspicious behavior by integrating API security with other security tools
- Proactively investigate and hunt for threats