Archive for Thales

API and Bot Attacks Cost Businesses $186 Billion Annually

Posted in Commentary on September 18, 2024 by itnerd

A new report from Imperva Inc. reveals that API and bot attacks are costing businesses up to $186 billion annually as incidents surge. The report, titled “Economic Impact of API and Bot Attacks,” analyzes over 161,000 cybersecurity incidents. Conducted in conjunction with a study by the Marsh McLennan Cyber Risk Intelligence Center, it finds that large organizations with over $1 billion in revenue are two to three times more likely to experience automated API abuse by bots than smaller companies.

The report points to the sheer volume of APIs as a key source of exposure. On average, enterprises managed 613 API endpoints in 2022, and the risk grows as API ecosystems expand. Imperva Threat Research found that automated threats accounted for 30% of all API attacks in 2023, contributing to losses of up to $17.9 billion annually from API bot abuse.

Nanhi Singh, general manager of application security at Imperva, emphasized the urgency, stating, “It’s imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden.” Singh warns that without proactive measures, the economic toll from these automated threats will continue to rise as API ecosystems grow and bots evolve.

George McGregor, VP at Approov Mobile Security, had this to say:

“It would have been interesting to see specific analysis of the economic impact of mobile originating bots which are a growing threat to APIs. These are hard to stop using back-end security techniques because of a lack of visibility to contextual information about use of mobile apps and devices.

“Blocking mobile bots and botnets effectively requires methods that capture detailed information about the devices and apps which originate requests to APIs. Also, there is limited coverage of applying a Zero Trust approach to API security where every request is validated in real time using contextual information.”

With the amount of money being lost to bots, this is a problem that needs to be addressed today, in a meaningful way and quickly, because it is only going to get worse.

Report Shows That SaaS Apps Are Biggest Targets Of Cyber Attacks

Posted in Commentary on June 27, 2024 by itnerd

According to a recent report, growing cloud usage across enterprises is driving a matching growth in the attack surface available to threat actors, with cloud-delivered SaaS apps cited as the top target for cyber attacks (31%), followed by cloud storage and cloud management. Further, with over half of organizations using more than 25 SaaS applications (popular examples include Microsoft 365, Snowflake, Databricks, Salesforce and Google Workspace) and 47% of corporate data in the cloud being sensitive, securing the cloud is increasingly complex and a significant challenge for security teams.

Glenn Chisolm, Co-Founder of Obsidian, had this to say:

“That SaaS is one of the top targets for cyber attacks is unsurprising. Having handled hundreds of SaaS incidents with our incident response partners, we see SaaS threats become a rising concern for organizations. SaaS breaches have grown 4x in the last year. And while configuration issues may lead to IaaS breaches, identity forms the fulcrum of SaaS breaches—leading to over 80% of the breaches. These include attacks like help desk social engineering, self-service password resets (SSPR), or attacker-in-the-middle (AiTM). SaaS posture issues as well as data security and governance gaps form the other two key drivers of SaaS breaches.”

Concerns over SaaS security have a few of my clients rethinking their SaaS strategies, and some have even moved back to on-premises where possible, because they believe they can trust themselves more than a SaaS provider. They may not be wrong on that front.

Human Error is Still Leading Cause of Cloud Data Breaches

Posted in Commentary on July 7, 2023 by itnerd

According to the 2023 Thales Global Cloud Security Study, 39% of businesses experienced a data breach in their cloud environment in 2022. The leading cause of those breaches was human error, at 55%, well ahead of the next highest factor, exploitation of vulnerabilities, at 21%.

Also measured is a 41% rise in SaaS usage from 2021 to 2023. With these applications usually replacing on-premises application functionality, 55% of cyber professionals say this increase has made it more complex to secure data in the cloud. Meanwhile, the risk is compounded: 75% of respondents say that more than 40% of the data stored in their organizations’ cloud is ‘sensitive’.

The targeting of users to infiltrate cloud networks is a trend being observed by other cybersecurity companies, as we shared in Proofpoint’s June report, The Human Factor 2023. Matt Cooke, Cybersecurity Strategist at Proofpoint, told Infosecurity:

“Attackers realize that people and their accounts are still the vulnerability. And it actually doesn’t matter now where that person is because everyone’s pretty much using the same tools. For example, everyone’s got a Microsoft 365 account.”

George McGregor, VP at Approov, had this to say:

“A key recommendation of the report is to take steps to manage keys. As cloud services and APIs proliferate so do the keys and credentials used to access them. In particular, keys exposed in mobile app code can provide a path to cloud services for hackers, and central key management should be used to ensure keys are not exposed in code.”
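McGregor’s point that keys exposed in mobile app code give attackers a path to cloud services is easy to check on your own builds. The script below is an added example written for this page (it is not code from Thales, Proofpoint, Approov or the report): it scans a list of strings, such as the output of `strings` over a decompiled app, for two credential formats whose public prefix and length are documented by the vendors (AWS access key IDs, Google API keys) and for generic `name = "value"` assignments, using Shannon entropy to ignore placeholder literals. The sample strings are constructed for the demo; the AWS value is the example key from AWS’s own documentation, the other values are made up, and the 3.5-bit entropy threshold is an assumption you should tune on your own code base.

```python
import math
import re
import sys
from collections import Counter

# Credential formats with vendor-documented prefixes and lengths, plus a generic
# assignment pattern that is entropy-filtered so values like "changeme" are ignored.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*"
        r"[\"'](?P<value>[^\"']{8,})[\"']"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits/char; assumption. A random 32-char key scores about 5.


def shannon_entropy(s):
    """Shannon entropy in bits per character (0 for a constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_strings(lines):
    """Return a list of {line, kind, value} findings for embedded credentials."""
    findings, seen = [], set()
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("value") if "value" in m.groupdict() else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy literal, almost certainly a placeholder
                if (lineno, value) in seen:
                    continue  # same secret already matched by a more specific pattern
                seen.add((lineno, value))
                findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


# Constructed sample, shaped like strings pulled from decompiled mobile app code.
# The AWS key is AWS's documented example key; the other values are invented.
SAMPLE_STRINGS = [
    'static final String BASE_URL = "https://api.example.com/v1";',
    'static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'apiKey = "AIzaSyB7QxR3kLm9vNpT2wYc5dHf8jKa1sGu4eZ"',
    'password = "changeme"',
    'api_key = "q8Zr4N2xLp9VwT6yBc3HmK7eJ1aS5dFg"',
    'Log.d("Auth", "token refreshed");',
]

if __name__ == "__main__":
    # Usage: python scan_secrets.py [file-with-one-string-per-line]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_STRINGS
    for f in scan_strings(lines):
        print(f"line {f['line']}: {f['kind']}: {f['value']}")
```

Run it against every release build in CI before the binary ships; a hit means the credential has to come out of the app entirely and be fetched at runtime from a backend that authenticates the user and device, which is the kind of central key management McGregor is referring to. Entropy filtering only reduces noise on the generic pattern; the format-specific patterns fire regardless, since a real key that happens to look repetitive is still a real key.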

Since we all work in the cloud for a variety of reasons, it makes sense that everything that can be done to make the cloud a safe place to work and store data should be done. That means everyone needs to do everything possible to remove the human element from the cloud security equation.

Thales Launches Identity Verification Suite

Posted in Commentary on October 29, 2020 by itnerd

Thales, a world leader in digital security, has launched its Identity Verification Suite in response to the rising need for remote client onboarding. With privacy and user experience at its heart, the IDV Suite provides a secure, fully AI-based identity verification service. It integrates the latest facial recognition technology, recognition of document security features, and machine learning engines. The solution addresses the Covid-19 environment with touchless interactions, allowing service providers to reach end users via their mobile handsets or the web.

Secure identity verification has become a crucial part of online security and digital onboarding, and constitutes a significant opportunity for businesses. In cases such as digital enrolment or KYC (Know Your Customer) regulations, ID verification is critical to detecting fraud efficiently and therefore to building user trust in the digital world.

The IDV Suite designed by Thales allows a secure and smooth user journey for markets from the travel industry (airlines and airport security, car rental companies, public and private transportation), telecom operators, banks, citizen services (International Driving Permit), and all types of online service providers looking to meet their KYC needs. To ease deployment, Thales provides flexible onboarding options, including a highly secure connection to the Thales IDV server in SaaS (Software as a Service) mode.

The modular solution offers the flexibility to deploy a single solution across all channels, whether through mobile applications, websites, or a network of dedicated document scanners, aligning with the security expectations of each industry. From checking the validity of the Machine-Readable Zone (MRZ) of an ID document to more advanced checks under white light, infrared and UV, the suite can also securely perform contactless NFC verification using the chip of e-documents.
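The post names MRZ validity checking but does not say what that involves. The purely algorithmic layer of it is the ICAO 9303 check-digit scheme, shown below as an added example written for this page (it is not Thales’ implementation, whose internals the post does not describe): each numeric field on the second line of a passport-size (TD3) MRZ carries a check digit computed with the repeating weights 7, 3, 1 over the ICAO character values (digits as themselves, A to Z as 10 to 35, the filler `<` as 0), and a final composite digit covers the document number, birth date, expiry date and optional data together. The input is the published ICAO 9303 specimen MRZ, not a real person’s document.

```python
# ICAO 9303 check-digit verification for the second MRZ line of a TD3 document.
# Added example; assumes the ICAO 9303 weights (7, 3, 1) and character values.

WEIGHTS = (7, 3, 1)


def mrz_char_value(ch):
    """Map one MRZ character to its ICAO 9303 numeric value."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field):
    """Weighted sum mod 10 over the field, weights cycling 7, 3, 1 from the left."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def verify_td3(line2):
    """Verify every check digit in a 44-character TD3 line 2.

    Layout (0-based): document number 0-8 + check 9; nationality 10-12;
    birth date 13-18 + check 19; sex 20; expiry 21-26 + check 27;
    optional data 28-41 + check 42; composite check 43 over 0-9, 13-19, 21-42.
    Returns {field_name: True/False}.
    """
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line2[0:9], line2[9]),
        "birth_date": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    result = {}
    for name, (data, cd) in fields.items():
        expected = check_digit(data)
        # ICAO allows the optional-data check digit to be printed as '<' when
        # the field is empty (all fillers), in which case it stands for 0.
        if name == "optional_data" and cd == "<" and set(data) == {"<"}:
            cd = "0"
        result[name] = (cd == expected)
    return result


def mrz_is_valid(line2):
    """True only when every check digit on the line is consistent."""
    return all(verify_td3(line2).values())


# ICAO 9303 Part 4 specimen MRZ line 2 (a published sample, not a real document).
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for field, ok in verify_td3(SPECIMEN_LINE2).items():
        print(f"{field:16s} {'OK' if ok else 'BAD'}")
    # One misread character (OCR turning the 8 at position 3 into a 3) is caught
    # by both the document-number digit and the composite digit.
    tampered = "L893902C36" + SPECIMEN_LINE2[10:]
    print("tampered line valid?", mrz_is_valid(tampered))
```

The caveat a practitioner should keep in mind: check digits catch OCR misreads and careless alterations, nothing more. Anyone producing a counterfeit can compute consistent check digits, so a passing MRZ is only the gate before the optical (white light, infrared, UV) and NFC chip checks the post describes, and for e-documents the chip’s signed data is what actually binds the MRZ to an issuer.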

Advanced facial biometric technology is also a key feature in the IDV Suite, integrating passive liveness detection to facilitate end-user experience. The customer is asked to take a selfie, and then the solution transparently analyzes the liveness of the selfie and securely matches it against the portrait on the ID document, allowing for quick and efficient identity biometric verification.