Thursday, October 17, 2024

SubscriberWrites: Weakest link in the security chain is human element

Every year, organisations lose between $94 billion and $186 billion to automated bot misuse and weak or insecure APIs (Application Programming Interfaces).


Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It is also known as information technology security or electronic information security. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.

As we all know, rapid advances in technology also bring new vulnerabilities, so it is crucial to stay informed about current developments in order to remain vigilant.

Bot attacks and vulnerable APIs cost businesses up to $186 billion yearly

Every year, organizations lose between $94 billion and $186 billion to automated bot misuse and weak or insecure APIs. That is according to Imperva, a Thales company, in its report The Economic Impact of API and Bot Attacks. The report emphasizes the growing danger these threats pose to enterprises globally, pointing out that they can account for up to 11.8% of global cyber incidents and losses.

The research is based on a thorough investigation carried out by the Marsh McLennan Cyber Risk Intelligence Center and examines more than 161,000 distinct cybersecurity incidents. The results show a troubling trend: automated abuse by bots and vulnerabilities in insecure APIs are becoming both more common and more closely related. Imperva warns that ignoring the security risks connected to these attacks can result in serious financial and reputational harm.

The Expanding Attack Surface and the Adoption of APIs 

APIs have become essential to modern business processes because they provide smooth data exchange and communication between applications and services. They power everything from open banking and eCommerce platforms to mobile applications. However, their broad adoption has introduced serious security issues. According to Imperva Threat Research, the typical company handled 613 API endpoints in production last year, and that number is expected to climb as organizations depend more heavily on APIs to drive digital transformation and innovation.

This increased reliance on APIs has greatly expanded the attack surface: API-related security incidents rose by a further 9% in 2022 and by 40% in 2023. These attacks are especially risky because APIs frequently provide direct access to sensitive data and to an organization's core infrastructure. According to the report, losses from API insecurity could reach $87 billion annually, an increase of $12 billion over 2021. Several factors contribute to this: the rapid adoption of APIs, a lack of standardized security practices, the inexperience of many API developers, and poor coordination between security and development teams.

Bot Attacks: An Ever-Evolving and Constant Threat 

Alongside the growth in API attacks, bot attacks have become more prevalent and more expensive, with losses reaching up to $116 billion a year. Bots are automated software programs created to carry out specific tasks. They are often used illegally for distributed denial-of-service (DDoS) attacks, online fraud, site scraping, and credential stuffing (replaying username and password pairs leaked from one site against the login endpoints of another).

Bot-related security incidents increased by 88% in 2022 and by a further 28% in 2023. A number of factors contributed to this concerning trend, including the growth of digital transactions, the spread of APIs, and geopolitical events such as the war between Russia and Ukraine. Additionally, the general availability of attack tools and generative AI models has greatly improved bot evasion techniques and made sophisticated bot attacks possible even for low-skilled attackers.

Bots are currently one of the biggest threats to API security, according to Imperva. Automated threats accounted for 30% of all API attacks last year, with bots responsible for 17% of these attacks by exploiting business logic flaws. Because organizations depend on APIs more than ever and APIs offer easy access to sensitive data, they have become a popular target for bot operators. Businesses are already losing up to $17.9 billion a year to automated API abuse alone. Attackers are increasingly using more sophisticated bots to bypass security controls, abuse API business logic, and exfiltrate sensitive data, making bot attacks harder for enterprises to detect and mitigate.
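Credential stuffing, mentioned above, is one of the easier bot behaviours to spot in login telemetry: a single source cycling through many different usernames with a high failure rate. The following is an added example, not code from the original piece or from Imperva, that runs a sliding-window detector over a small set of constructed login events (the IP addresses, usernames and timestamps are all hypothetical) and reports, for each flagged source, the accounts that nevertheless logged in successfully during the burst, since those are the ones to reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (hypothetical): (timestamp, source IP, username, login succeeded).
# One IP cycles through many usernames in under two minutes, a typical credential-stuffing burst;
# a legitimate user mistypes a password twice; an office NAT logs several users in successfully.
_BASE = datetime(2024, 10, 17, 9, 0, 0)
LOGIN_EVENTS = []
for i, (user, ok) in enumerate([("alice", False), ("bob", False), ("carol", False), ("dave", False),
                                ("erin", False), ("frank", True), ("grace", False), ("heidi", False)]):
    LOGIN_EVENTS.append((_BASE + timedelta(seconds=15 * i), "203.0.113.9", user, ok))
LOGIN_EVENTS += [
    (_BASE + timedelta(seconds=60),  "198.51.100.20", "alice", False),
    (_BASE + timedelta(seconds=80),  "198.51.100.20", "alice", False),
    (_BASE + timedelta(seconds=100), "198.51.100.20", "alice", True),
]
LOGIN_EVENTS += [(_BASE + timedelta(minutes=2), "198.51.100.33", u, True) for u in ("ivan", "judy", "mallory")]


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_failure_rate=0.8):
    """Flag source IPs that, within any sliding `window`, attempt at least `min_users`
    distinct usernames with a failure rate of at least `min_failure_rate`.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised"}} where
    "compromised" lists usernames that logged in successfully inside the flagged window.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the left edge until the window fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) < min_users or failures / len(win) < min_failure_rate:
                continue
            # keep the widest qualifying window so the report covers the whole burst
            if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(LOGIN_EVENTS).items():
        print(ip, info)
```

On the constructed data only 203.0.113.9 is flagged (8 usernames, 7 failures, "frank" compromised); the legitimate user retrying one account and the office NAT with three successful logins are left alone. A per-IP counter like this is the first line of defence, not the last: operators using rotating residential proxies spread attempts so thinly that no single IP trips the threshold, so production detection should add per-username failure spikes, device or TLS fingerprinting and rate limits at the API gateway.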

Large Businesses at Higher Risk

Big businesses are disproportionately vulnerable to bot and API attacks, particularly those with annual revenue of $1 billion or more. According to the report, the likelihood of automated API abuse by bots is two to three times higher for large enterprises than for small or mid-sized businesses. The size and complexity of their digital infrastructure are the main causes of this increased exposure.

These businesses often operate hundreds or even thousands of APIs distributed across many departments and services, resulting in sprawling API ecosystems that are difficult to keep secure. Unauthenticated APIs, deprecated APIs, and shadow APIs all pose serious security risks in such environments. These poorly maintained APIs are open to abuse because they frequently lack essential safeguards such as authentication, ongoing monitoring, and regular updates.

Similarly, because of their significant online presence and valuable assets, big businesses are attractive targets for bot attacks. A complex digital environment offers more entry points for bots to exploit, from checkout flows to login pages. The massive volumes of sensitive data passing through their applications and APIs make these businesses especially appealing to bot operators.

For businesses generating more than $100 billion in annual revenue, the danger is significantly greater: up to 26% of their security incidents are caused by API vulnerabilities and bot attacks. This striking statistic underlines the need for comprehensive bot management and API security in large companies, where a single security incident can cause major operational disruption, severe financial losses, and lasting harm to the organization's reputation.

Protection Against API and Bot Attacks

Automated abuse by bots and weak or insecure APIs together cause annual losses running into the billions of dollars. As businesses increasingly depend on APIs to enable digital transformation, the probability of security incidents is expected to rise, exposing organizations to greater financial and reputational harm. The evolution of bots, increasingly driven by generative AI, has also made defending against these threats harder.

Organizations should take the following proactive steps to reduce these risks:

  • Foster cross-functional collaboration: Integrating security controls throughout the API lifecycle requires cooperation between development and security teams, so that vulnerabilities are discovered and mitigated proactively. For bot management, teams from marketing, eCommerce, customer experience, IT, lines of business, and security must work together to identify weak points such as checkout flows, forms that bots can abuse, and login pages.
  • Extensive API discovery and monitoring: Organizations need complete visibility into all of their APIs, including shadow, deprecated, and unauthenticated ones, so that none are overlooked. Ongoing monitoring and audits are essential to find such weaknesses before they are exploited.
  • Establish API security and bot management: To effectively prevent automated attacks on APIs, bot management and API security must be used in concert. This integrated approach continuously monitors for automated attacks, helps identify vulnerable APIs, and provides actionable information for quick detection and response. By combining bot management with API security, businesses strengthen their defences against sophisticated automated attacks and gain visibility into potential security incidents.
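The API discovery step above, and the earlier warning about unauthenticated, deprecated and shadow APIs in large estates, comes down to reconciling what the specification says exists with what the gateway actually serves. The following is an added example, not code from the original piece or from Imperva: it takes a constructed, hypothetical inventory in the style of an OpenAPI spec and a handful of constructed gateway log entries, normalises concrete paths back to their templates, and reports four gaps: endpoints with traffic but no documentation (shadow), documented-as-deprecated endpoints that still answer, endpoints that returned a 2xx with no Authorization header despite requiring one, and documented endpoints that receive no traffic at all.

```python
import re

# Constructed inventory (hypothetical): what the OpenAPI spec says exists.
# (method, path template, requires_auth, deprecated)
DOCUMENTED = [
    ("GET",    "/v1/users/{id}",  True,  False),
    ("POST",   "/v1/orders",      True,  False),
    ("GET",    "/v1/orders/{id}", True,  False),
    ("DELETE", "/v1/orders/{id}", True,  False),   # documented, never called
    ("GET",    "/v1/health",      False, False),
    ("POST",   "/v0/orders",      True,  True),    # marked deprecated in the spec
]

# Constructed gateway traffic (hypothetical): (method, path, Authorization header present, status).
OBSERVED = [
    ("GET",  "/v1/users/42",          True,  200),
    ("GET",  "/v1/users/43",          False, 200),   # served 200 with no credentials
    ("GET",  "/v1/users/44",          False, 401),   # correctly rejected
    ("POST", "/v1/orders",            True,  201),
    ("GET",  "/v1/orders/7",          True,  200),
    ("GET",  "/v1/health",            False, 200),
    ("POST", "/v0/orders",            True,  201),   # deprecated endpoint still answering
    ("GET",  "/internal/debug/users", False, 200),   # not in the spec at all: a shadow API
]

# Numeric IDs and UUIDs collapse to {id} so concrete paths match spec templates.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")


def template_for(path):
    """Normalise a concrete request path to its spec template: /v1/users/42 -> /v1/users/{id}."""
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def reconcile(documented, observed):
    """Compare observed traffic with the documented inventory and report the gaps:
    shadow (undocumented), deprecated but live, documented endpoints that served a 2xx
    without credentials, and documented endpoints with no traffic at all."""
    spec = {(m, t): (auth, dep) for m, t, auth, dep in documented}
    seen = set()
    shadow, deprecated_live, unauthenticated = set(), set(), set()
    for method, path, has_auth, status in observed:
        key = (method, template_for(path))
        if key not in spec:
            shadow.add(key)
            continue
        seen.add(key)
        requires_auth, is_deprecated = spec[key]
        if is_deprecated:
            deprecated_live.add(key)
        if requires_auth and not has_auth and 200 <= status < 300:
            unauthenticated.add(key)
    return {
        "shadow": sorted(shadow),
        "deprecated_live": sorted(deprecated_live),
        "unauthenticated": sorted(unauthenticated),
        "unused": sorted(set(spec) - seen),
    }


if __name__ == "__main__":
    for category, endpoints in reconcile(DOCUMENTED, OBSERVED).items():
        print(f"{category}: {endpoints}")
```

Each category maps to a different owner: a shadow endpoint needs a developer to either document or remove it, a deprecated endpoint still receiving traffic needs a sunset date and consumer outreach, an unauthenticated 2xx is an incident, and an unused endpoint is attack surface that can simply be switched off. In a real estate the observed side would be fed from gateway or WAF logs rather than a list, and the path normaliser would need the tenant-specific identifier formats (slugs, order numbers) that the regex here does not cover.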

The cost of inaction will only grow as API ecosystems expand and bots become more sophisticated. To protect confidential information, reduce financial losses, and preserve the integrity of their brand, organizations must address the security risks posed by bots and APIs.

These pieces are being published as they have been received – they have not been edited/fact-checked by ThePrint
