Organizations lose between $94 billion and $186 billion annually to vulnerable or unsafe APIs (application programming interfaces) and automated bot attacks, according to The Economic Impact of APIs and Bot Attacks report by Imperva, a Thales company. The report finds that these security threats account for 11.8% of global cyber incidents and losses, underscoring the growing risk they pose to businesses worldwide.
Based on comprehensive research by the Marsh McLennan Cyber Risk Intelligence Center, the report analyzes more than 161,000 unique cyber security incidents. The findings show an alarming trend: threats related to vulnerable or unsafe APIs and automated bot abuse are becoming increasingly interconnected and pervasive. Imperva warns that failure to address the security risks associated with these threats could result in significant financial and reputational damage.
API adoption and attack surface expansion
APIs have become indispensable to modern business operations, enabling seamless communication and data exchange between applications and services. They power everything from mobile applications to e-commerce platforms and open banking. However, their proliferation has also created significant security challenges. According to Imperva Threat Research, the average enterprise managed 613 API endpoints in production last year, and that number is predicted to grow as companies increasingly rely on APIs to drive digital transformation and innovation.
This increased reliance on APIs has dramatically expanded the attack surface, with API-related security incidents increasing by 40% in 2022 and another 9% in 2023. These attacks are particularly dangerous because APIs often serve as direct routes to an organization’s underlying infrastructure and sensitive data. The report estimates that API insecurity is responsible for up to $87 billion in annual losses, up $12 billion from 2021. This can be attributed to a variety of reasons, including the rapid adoption of APIs, the inexperience of many API developers, the lack of standardized security practices, and limited collaboration between development and security teams.
Bot Attacks: A Constant and Evolving Threat
Alongside the rise in API attacks, bot attacks have become a widespread and costly threat, costing up to $116 billion annually. Bots – automated software programs designed to perform specific tasks – are often used for malicious activities such as credential spoofing, web scraping, internet fraud and distributed denial of service (DDoS) attacks.
In 2022, the number of security incidents related to bots increased by 88%, and by another 28% in 2023. This alarming growth has been driven by a combination of factors, including the growth of digital transactions, the proliferation of APIs, and geopolitical tensions such as the Russian-Ukrainian conflict. The widespread availability of attack tools and generative AI models has also greatly improved bot evasion techniques and enabled even low-skilled attackers to execute sophisticated bot attacks.
According to Imperva, bots represent one of the most critical threats to API security. Last year, 30% of all API attacks were caused by automated threats, with 17% involving bots exploiting business logic vulnerabilities. The growing reliance on APIs and their direct access to sensitive data has made them prime targets for bot operators. Automated API abuse alone now costs businesses $17.9 billion annually. As bots become more sophisticated, attackers are increasingly using them to exploit API business logic, bypass security measures and steal sensitive data, making detection and remediation more difficult for organizations.
Larger businesses are more at risk
Large enterprises, especially those with more than $1 billion in annual revenue, face a disproportionately higher risk from APIs and bots. According to the report, these organizations are 2-3 times more likely to experience automated API abuse by bots compared to SMBs. This increased exposure is primarily driven by the complexity and scale of their digital infrastructures.
These companies typically manage hundreds or even thousands of APIs across multiple departments and services, creating vast API ecosystems that are difficult to monitor and secure. In such environments, shadow APIs, unauthenticated APIs, and deprecated APIs present significant vulnerabilities. These mismanaged APIs often lack important security measures such as regular updates, authentication, and continuous monitoring, leaving them open to exploitation.
Similarly, large enterprises are prime targets for bot attacks due to their extensive digital presence and valuable assets. The more complex the digital environment, the more potential entry points for bots there are, from login pages to checkout systems. Due to the vast amounts of sensitive data flowing through their apps and APIs, these companies are a very lucrative target for bot operators.
The risk is even more prominent for businesses with annual revenue greater than $100 billion, where API vulnerabilities and bot attacks account for 26% of all security incidents. This stark figure underscores the critical need for comprehensive API security and bot management strategies in large enterprises, where a single security incident can result in major business disruption, significant financial loss, and lasting reputational damage.
Protection against API and bot attacks
Together, vulnerable or unsafe APIs and automated bot abuse account for billions of dollars in annual losses. As enterprises increasingly rely on APIs to enable digital transformation, the risk of security incidents is expected to increase, exposing organizations to greater risk of financial and reputational damage. At the same time, the evolution of bots, often driven by generative artificial intelligence, has increased the challenges of protecting against these threats.
To effectively mitigate these risks, Imperva recommends that organizations take the following proactive measures:
- Develop cross-functional collaboration: Collaboration between security and development teams is critical to building security into every stage of the API lifecycle. This partnership ensures the integration of security measures from design to deployment, enabling the proactive identification and mitigation of vulnerabilities before they can be exploited. When it comes to managing bots, this collaboration should extend even further. Bots are a cross-functional issue that affects many areas of business. To combat them effectively, marketing, e-commerce, customer engagement, IT, line of business and security teams must work closely together. This broader collaboration helps identify vulnerable features such as login pages, checkout processes and forms that are particularly susceptible to bot attacks.
- Comprehensive API discovery and monitoring: Organizations must have complete visibility into all their APIs, including shadow, deprecated and unauthenticated APIs, to ensure that none are missed. Continuous monitoring and auditing are important to identify potential vulnerabilities before they are exploited.
- Integration of API security and bot management: Bot control and API security must be used in tandem to successfully mitigate automated attacks against API libraries. This combined approach helps identify vulnerable APIs, continuously monitor automated attacks, and provides actionable intelligence for rapid detection and response. By integrating bot management and API security, businesses can better defend against sophisticated automated threats while gaining the visibility to identify and mitigate risks before they cause a security incident.
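As an added illustration of the discovery-and-monitoring recommendations above (this is not Imperva's code or tooling), the following Python script reconciles constructed API gateway log lines against an assumed endpoint inventory to flag shadow, deprecated and unauthenticated APIs, and applies a simple per-client request-count heuristic for automated abuse; the inventory, log format and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed API inventory (an assumption, not data from the report): path -> expected properties.
INVENTORY = {
    "/api/v2/orders": {"requires_auth": True, "deprecated": False},
    "/api/v1/orders": {"requires_auth": True, "deprecated": True},
    "/api/v2/login": {"requires_auth": False, "deprecated": False},
}
# Constructed gateway log lines: client, request line, status, whether a valid credential was presented.
SAMPLE_LOG = """\
10.0.0.5 "GET /api/v2/orders/123" 200 auth=yes
10.0.0.5 "GET /api/v1/orders/123" 200 auth=yes
10.0.0.9 "GET /api/v2/orders/77" 200 auth=no
10.0.0.9 "GET /api/internal/export" 200 auth=no
198.51.100.4 "POST /api/v2/login" 401 auth=no
198.51.100.4 "POST /api/v2/login" 401 auth=no
198.51.100.4 "POST /api/v2/login" 401 auth=no
198.51.100.4 "POST /api/v2/login" 200 auth=no
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$')

def base_path(path):
    # Drop the query string and fold numeric IDs: /api/v2/orders/123?x=1 -> /api/v2/orders
    return re.sub(r"/\d+(?=/|$)", "", path.split("?", 1)[0])

def analyse(log_text, inventory=INVENTORY, bot_threshold=4):
    # Reconcile observed traffic with the inventory and flag the risk classes the report names.
    findings = {"shadow": set(), "deprecated": set(), "unauthenticated": set(), "bots": set()}
    hits = Counter()  # (client, endpoint) -> request count
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        path = base_path(m["path"])
        hits[(m["ip"], path)] += 1
        spec = inventory.get(path)
        if spec is None:
            findings["shadow"].add(path)  # served in production but missing from the inventory
            continue
        if spec["deprecated"]:
            findings["deprecated"].add(path)  # still receiving traffic after retirement
        if spec["requires_auth"] and m["auth"] == "no" and int(m["status"]) < 400:
            findings["unauthenticated"].add(path)  # request succeeded with no credential
    for (ip, path), n in hits.items():
        if n >= bot_threshold:
            findings["bots"].add((ip, path))  # one client hammering one endpoint
    return findings
```

In practice the inventory would be generated from the API gateway or OpenAPI specifications and the threshold tuned per endpoint, since a fixed request count is only a crude stand-in for the behavioural signals a bot management product uses.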
As API ecosystems continue to expand and bots become more sophisticated, the cost of inaction will only grow. Organizations must address the security risks associated with APIs and bots to protect sensitive data, reduce financial losses, and preserve their brand reputation.