Businesses worldwide and across various industries rely on application programming interfaces (APIs) to carry out business-critical operations. They have transformed both the employee and customer experience. From customer-facing mobile apps to intricate B2B data exchanges, APIs are integral to the way businesses function.
However, API security is far too often overlooked and misunderstood. The fast pace of innovation and the rapid expansion of the API economy have presented cybercriminals with a trove of new exploitation opportunities.
Now, the API threat is on the rise – especially for companies in the retail and e-commerce sector. Commerce is firmly in the sights of criminals due to the high reliance on APIs within the industry and the extensive confidential customer information that these businesses interact with. While the retail and e-commerce sector may not be as highly regulated as other sectors like financial services and healthcare, the heavy skew of API attacks towards the industry is evidence that this threat must be taken seriously. Businesses must take control of their API landscape and ensure it is secured against malicious activity.
Why are APIs business critical?
APIs are a crucial component of modern software development and have revolutionized both the employee and customer experience. A key driver behind widespread API adoption has been the proliferation of mobile apps. APIs enable rich interaction on your device with only a fraction of the data needed to be sent back and forth compared to a traditional website.
While the benefits to user experience are evident, there is also a cause for concern. Our reliance on APIs means increased susceptibility to cyberattacks due to a vastly increased attack surface, and APIs are extremely lucrative targets for bad actors. This is because APIs both carry ‘the crown jewels’ of an organization’s data, but also because API implementation has been so rapid that many security teams are on the back foot and find themselves scrambling to increase the sophistication of their API security strategies and practices.
How are cybercriminals taking advantage of the situation?
Cybercriminals are exploiting the unknown and it is proving successful. Organizations are only able to secure the APIs they are aware of. Those who are not properly accounted for and lack the necessary protections are prime targets for bad actors. When left in the dark, blind spots like shadow and rogue APIs can leave businesses vulnerable. Worryingly, many organizations do not have a clear understanding of their API landscape and therefore they are not able to secure the large attack surface created by APIs.
The 2023 SANS survey on API security highlighted a worrying revelation. Less than a third (29%) of respondents indicated that their businesses had API discovery tools. Without oversight of the range of APIs being used, it’s nigh on impossible to provide sufficient protection. In turn, bad actors can exploit these security oversights and place sensitive data at risk.
In addition, cybercriminals are also taking advantage of the growing complexity and evolving nature of APIs. The intricate interactions of APIs can challenge an organization’s ability to keep its API security standards ahead of threat actors. Mature businesses will know that hackers do not give up after one failed attempt, so it’s critical that defenses are being consistently updated and reviewed to ensure that cyber criminals are not gaining the upper hand.
The EMEA region is in focus
The threat posed by API attacks is always growing and Akamai research has found that the EMEA (Europe, Middle East, and Asia) region is bearing the brunt of this. This shift in focus shouldn’t be overlooked, historically, North America has been the most targeted region. However, throughout 2023, no region experienced a higher percentage of web attacks as API attacks than EMEA (47.5%).
Furthermore, the most targeted industry throughout 2023 was the retail and e-commerce industry, in which nearly three-quarters (74.6%) of all web attacks were aimed at APIs. To put this into perspective, the next most targeted vertical in terms of share of web attacks targeting APIs was the high-tech industry, which experienced only half the share of retail and e-commerce at 35.5%.
The first step to tackling API security challenges
So, what can organizations do to protect against this type of threat? Businesses must first gain a comprehensive view of their API landscape. One of the biggest surprises for many enterprises that increase their visibility into API activity is the number of shadow endpoints that were unknowingly operating in their environment.
Typically, the first step on the journey to API security maturity is to discover these shadow APIs systematically and ensure that each is either decommissioned or formally documented and incorporated into the organization’s API security controls. This has an immediate impact on reducing the risk of unexpected API abuse and other threats.
Typically, businesses see a large spike of alerts when deploying API security tools, but then they start to discover the gaps in their processes as, over time, more unmanaged or unauthorized APIs turn up. These spikes can be managed effectively through the intelligent use of triage within the tools to assess the effective risk and direct attention to the critical assets affected. Without this, there will still be unknown backdoors and vulnerabilities littered across the digital environment – much to the delight of bad actors.
Why API security cannot be left as an afterthought
Looking to the future, businesses must incorporate API security into their wider business priorities to improve visibility, strengthen defenses, and map to compliance requirements. This will require investing time and resources as well as developing an ongoing strategy to protect APIs against future threats. Effective API security strategies must be designed with protection against data breaches, compliance with regulatory requirements, preservation of brand reputation, and honoring the trust of customers and partners that interact with your APIs in mind.
APIs are business-critical, they’ve become ingrained in modern digital ecosystems. They enable innovation, streamline business processes, and enhance the user experience. But they are also prime targets for cybercriminals. This blind spot can be exploited by hackers to gain access to sensitive data and greatly damage business reputations.
Vulnerable APIs are being attacked in significant volume, especially in the EMEA region, and businesses must be prepared to defend their services, customers, and employees. Businesses have often extended comprehensive monitoring and mitigation to our websites, they must now elevate their API protections to the same level to prevent a security mismatch that attackers can simply walk through.
