Rampant API Growth Causing Cybersecurity Risks for Businesses

Rhea-AI Summary

Fastly survey reveals lack of advanced API security measures among decision-makers, despite high awareness of cyber-attack risks. Financial services sector lags in addressing reputationally-damaging breaches. Single provider security solutions and AI touted as potential solutions.

Cybersecurity Expert

The survey results indicating a widespread recognition of the cybersecurity risks associated with APIs, yet a notable lack of investment in advanced security measures, underscores a significant disconnect within organizational priorities. It is evident that while decision-makers are aware of the potential threats, the allocation of resources does not align with the perceived risk. This could be due to a variety of factors, including budget constraints and a shortage of specialized knowledge in the field of cybersecurity.

The acknowledgment that 95% of respondents have experienced API security problems within the last year is a concerning statistic. This high incidence rate highlights the critical need for organizations to reassess their cybersecurity strategies and invest in robust API security to safeguard against account takeover attacks which could lead to operational disruptions and severe reputational damage. The delay in the rollout or integration of new applications due to security concerns further emphasizes the operational impact of inadequate API security measures.

Financial Analyst

From a financial perspective, the survey results may raise red flags for investors in companies within the cybersecurity sector, as well as those in industries heavily reliant on APIs. The reported lack of action on API security could indicate a potential risk for future financial losses due to cyberattacks. This is particularly pertinent for the financial services sector, which the survey suggests is lagging in urgency to address these risks.

Investors might consider the long-term implications of cybersecurity on a company's financial health. Companies that proactively address API security concerns could mitigate the risk of costly breaches and the associated fallout, which can include regulatory fines, legal fees and loss of customer trust. Conversely, companies that fail to invest in adequate security measures may face significant financial and reputational repercussions, which could negatively impact their stock performance.

Risk Management Consultant

From a risk management standpoint, the survey's insights point to a troubling trend where the recognition of risk does not translate into proactive measures to mitigate it. The reasons cited, such as 'insufficient budget' and a 'lack of expertise', suggest that organizations may be underestimating the potential cost of API-related cyber incidents. A comprehensive risk assessment should factor in not only the probability of cyberattacks but also the potential severity of their impact.

Organizations should consider the integration of single provider security solutions and AI as a means to streamline and enhance their cybersecurity posture. The adoption of such technologies could provide a more efficient and cost-effective approach to API security, potentially overcoming the budget and expertise hurdles that currently impede action.

• Fastly survey reveals that 9 out of 10 decision-makers know that APIs are a trojan horse for cyber-attacks - but most don’t invest in advanced security
• UK is marginally ahead of the pack - but financial services sector shows a lack of urgency over the risk of reputationally-damaging cyber breaches
• Single provider security solutions and AI could provide answers

LONDON--(BUSINESS WIRE)-- A recent survey of 235 IT and cybersecurity decision-makers commissioned by Fastly, Inc. (NYSE: FSLY), one of the world’s fastest edge cloud platforms, has found that - despite the critical role of APIs - the vast majority of commercial decision-makers are ignoring the burgeoning security risk for businesses. Application Programming Interfaces (APIs) have long been recognised as a bedrock of the digital economy and recent figures suggest that the majority of all internet traffic is now directed via APIs.

Lack of advanced API security endemic

The ubiquity of APIs means they have become one of cybercriminals’ favourite gateways for account takeover attacks. In a recent survey by Fastly, 84% of respondents admitted to not having advanced API security in place.

The lack of action on API breaches comes despite the vast majority of decision-makers knowing there is a problem. 95% of respondents surveyed by Fastly said they had experienced API security problems in the last twelve months. Over three quarters (79%) had delayed the rollout or integration of a new application due to API security concerns. In addition, 79% claim to place a ‘high or very high’ level of importance on API security. Asked why none of this has translated into action, ‘insufficient budget’ and a ‘lack of expertise’ were the most commonly stated reasons.

Risk of operational and reputational damage

Jay Coley, Senior Security Architect at Fastly, said: “The results of our survey show that decision-makers know that increased reliance on APIs creates a risk of serious cyberattacks. But so far they are not doing enough about it. This is surprising given that the operational and reputational cost of a breach far outweighs the price of deploying a consolidated web application and API security solution from a single provider.”

Key areas of concern

Asked which attributes of an API security platform would be the most important to their company, respondents said number one would be identifying which APIs expose personal or sensitive data (43%). Other top concerns included identifying all APIs, including those that are undocumented (40%) and logging and monitoring (28%). However, companies are increasingly struggling to identify API attacks because of the sheer volume of notifications that they receive using legacy security solutions.

In Fastly’s experience, credential stuffing, business logic abuse, and DDoS attacks are just a few of the malicious automated bot attacks that are being deployed to take over accounts and perpetrate identity theft and fraud. Readily available scripts and tools make orchestrating API attacks easier than ever, and legacy bot defence techniques struggle to detect these potentially devastating incursions.

AI security solutions untapped – but coming

One solution to the complexity of the API landscape could be a new generation of AI-powered cybersecurity systems, but Fastly found there is currently little enthusiasm for this. Only 14% of companies surveyed regarded the use of AI technologies in API security as a priority. That said, 58% anticipate that generative AI will have a ‘large or very large’ impact on API security over a window of approximately 2-3 years.

Sector-based and regional variations

One concerning aspect of Fastly’s survey is that heavily-regulated sectors dealing with sensitive data are some of the worst culprits when it comes to API inaction. Only 80% of respondents in financial services placed a high or very high level of importance on API security. This compares with 89% in wholesale, retail and e-commerce.

In terms of regional variations, the importance of API security was rated highly in the UK (86%) compared to a cross-border average of 79%. Zombie APIs and data scraping were cited by UK firms as priorities. Despite this, there was still a tendency in the UK not to translate thoughts into actions. “79% of UK participants said their API security was not advanced,” notes Coley, “compared with 84% across the board. This represents a huge target for increasingly sophisticated cyber criminals to aim at.”

One intriguing insight is the gulf in attitudes within company hierarchies. 91% of C-suite and compliance experts place ‘a high or very high’ level of importance on API security but only 74% of in-house security specialists feel the same way. The implication, perhaps, is that the security cohort is underestimating the scale of the threat – either that or they are exposed to a wider pool of threats on a day to day basis.

To read the full report and understand how businesses can help establish a secure digital environment, visit https://learn.fastly.com/api-security-study-24.html.

About the research

This research surveyed 235 key IT and cybersecurity decision-makers in large organisations spanning multiple industries across the UK, France, Spain, the Nordics and DACH region.

About Fastly

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver some of the best online experiences possible through edge compute, delivery, security, and observability offerings improving site performance, enhancing security, and empowering innovation at global scale. Compared to legacy providers, Fastly’s powerful and modern network architecture is one of the fastest on the planet, empowering developers to deliver secure websites and apps with rapid time-to-market and industry-leading cost savings. Organisations around the world trust Fastly to help them upgrade the internet experience, including Reddit, Wendy’s, Stripe, Neiman Marcus, Universal Music Group, SeatGeek, and Advance Publications. Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

Source: Fastly, Inc.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240320654923/en/

Media Contact:

Alex Klepel

press@fastly.com

Investor Contact:

Vernon Essi, Jr.

ir@fastly.com

Source: Fastly, Inc.

FAQ

What did the Fastly survey of 235 IT and cybersecurity decision-makers reveal?

The survey found that 84% of respondents do not have advanced API security measures in place despite being aware of the risks.

How many decision-makers surveyed by Fastly had experienced API security problems in the last twelve months?

95% of respondents surveyed by Fastly had experienced API security problems in the last twelve months.

What were the commonly stated reasons for the lack of action on API breaches according to the survey?

'Insufficient budget' and 'lack of expertise' were the most commonly stated reasons for the lack of action on API breaches.

Who is the Senior Security Architect at Fastly mentioned in the PR?

Jay Coley is the Senior Security Architect at Fastly mentioned in the PR.

What potential solutions are suggested in the PR for addressing API security issues?

Single provider security solutions and AI are suggested as potential solutions for addressing API security issues.