International. That's according to Akamai Technologies, which has published a new study that points to the diminishing visibility into API risks, even though these attacks are on the rise.
For this third edition of the API Impact on Security Study (formerly known as the API Security Disconnect) report, 1207 security experts and decision-makers from the US, UK, and Germany were surveyed. The data suggests that 84% of respondents experienced an API-related security incident in the last 12 months. With this, incursions have already registered three consecutive years of increase and a growth that marks a new historical record, above the 78% of 2023. The figure is in line with another recent study by Akamai, which also points to an increase in API attacks.
"This alarming increase in API attacks is also happening in Latin America where organizations manage huge amounts of customer data, including personally identifiable information. In this way, companies must safeguard consumer data and maintain their trust, as failure to comply with the appropriate security measures can have devastating consequences. Let's imagine scenarios in which in a financial environment the APIs with which sensitive credit card information is exchanged are exposed or in health institutions sensitive information such as personal data or patient secrets are exposed through APIs, violating local regulations. In this context, the study carried out on these 3 world powers is very relevant for organizations in this region to be put on alert," said Patricio Villacura, Enterprise Security Specialist for Akamai.
Even though incursions have increased, fewer respondents have a full inventory of their APIs and know which ones transfer sensitive data. This figure, already low in 2023, has gone from 40% to just 27% in 2024. This is stated in the May 2024 Gartner Market Guide for API Protection report: "Based on current data, it is estimated that every time an API is attacked, an average of 10 times more sensitive data is leaked than with any other type of breach."
In view of these trends, API security is expected to soon become one of the top issues for businesses. The API Security Impact Study surveyed security leaders from the following industries: financial services, retail and e-commerce, healthcare, public sector, manufacturing, energy and utilities, automotive, and insurance. Despite the energy and utilities sector recording the highest number of API incidents (91%), their representatives considered protecting them to be their last priority on a list of 13 options. Conversely, 21.3% of retail and e-commerce managers, who registered the fewest attacks (68%), indicated that API security was one of their top priorities. This is the highest figure among all sectors.
The survey includes the following data:
- On average, these incidents cost $591,404 USD in the US to resolve. In sectors such as financial services, this figure rose to USD 832,801.
- In general, all managers in all regions believe that API security incidents particularly affect security personnel. Respondents noted that API security creates slightly more stress or concern for their teams than corrective action costs and non-compliance fines.
- Chief security officers indicated that their two priorities for the next 12 months are generative AI-based threats (25.5%) and securing their APIs (24.8%).
- In 2023, 18% of respondents in the US and UK said they had conducted real-time API testing. This figure has fallen to 13% in 2024. Many of the types of API incidents they named can be solved with real-time testing.
- The main causes of these incidents were the vulnerabilities identified in the top 10 API security risks according to OWASP, in addition to, as the respondents themselves admit, the lack of effectiveness of conventional API tools in detecting attacks.
"Our research shows that API security has not yet become a key element of end-to-end security strategies," said Rupesh Chokshi, senior vice president and general manager, Application Security, Akamai. "Enterprises often treat API threats as an emerging problem, even though attacks, their financial impact, and the burden on security teams continue to increase. We believe that the API Security Impact Study will help companies better evaluate their measures to protect them and strengthen their weaknesses."
This study not only provides insight into the survey results, but also provides recommendations for security teams to improve their API security strategies. These include taking a full inventory of APIs and regularly testing to ensure they are properly configured, as well as detecting runtime to identify anomalous activity.
