Thales reports API & bot attacks cost Australian firms $2B

Thales has released figures from its "Economic Impact of API and Bot Attacks" report, revealing that vulnerable APIs and bot attacks are costing Australian businesses up to USD $2 billion annually.

The report indicates that API insecurity and automated abuse by bots account for approximately one in four of the nation's cybersecurity incidents.

The data, analysed by the Marsh McLennan Cyber Risk Intelligence Centre, shows that in the Asia Pacific and Japan (APJ) region, 17.7% of global API and bot-related security incidents were recorded in 2023, resulting in business losses exceeding USD $16.6 billion. The APJ region also saw the highest rate of API-related attacks at 14%, and bot-related attacks made up 24% of the total, the second highest globally after Africa.

Reinhart Hansen, Director of Technology for APJ at Imperva, a Thales company, highlighted the issue of awareness and understanding within businesses regarding bot traffic. He stated, "Many businesses across APJ are unaware that undesirable bot traffic is impacting their bottom line by targeting their applications, APIs, and infrastructure. Business leaders can't manage this risk if they're unaware of it or don't fully understand it."

He added, "The same can also be said about lack of visibility across an organisation's API endpoint assets and the data they exchange, internally, publicly, and directly with third parties. Without an accurate and continuously updated API endpoint inventory and security assessment, organisations remain open to significant security risks, such as large-scale data loss and exfiltration."

Globally, the report found that larger organisations are statistically more likely to experience security incidents involving both insecure APIs and bot attacks. Enterprises with revenues of more than USD $1 billion were two to three times more likely to face automated API abuse by bots compared to smaller businesses. The study suggests these large companies are particularly susceptible due to their complex and widespread API ecosystems.

Data from the Imperva Threat Research team showed that the average enterprise managed 613 API endpoints in production last year, with numbers continuing to grow. This increased reliance on APIs, combined with their direct access to sensitive data, makes them attractive targets for bot operators. In 2023, automated threats accounted for 30% of all global API attacks.

The report also found that the global bot-related security incident count rose significantly, with an 88% increase in 2022 and a 28% rise in 2023. Insecure APIs have resulted in up to USD $87 billion in losses annually, demonstrating a USD $12 billion increase from 2021. These trends indicate that security incidents involving APIs and bots are becoming more frequent and sophisticated.

Among the countries most affected by these security threats, Brazil experienced the highest percentage of events related to insecure APIs or bot attacks, accounting for up to 32% of all observed security incidents. This was closely followed by France and Japan at 28%, and India at 26%. While the percentage in the United States was lower, 66% of all reported events related to vulnerable APIs or automated bot abuse occurred within the country.

Hansen concluded by noting, "API ecosystems will continue to grow exponentially, driving connections to generative AI applications and large language models. In parallel, cybercriminals will leverage emerging technologies to create sophisticated bots at an accelerated pace. Business leaders should take proactive measures to assess and interpret the potential risk to their bottom line and adopt a holistic solution that covers the entire application landscape, without impacting end-user experience."