It’s no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization’s reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive consequences for the world’s biggest brands.
Breaches can also have a huge impact on individuals as well – ultimately leading to the loss of personal information, such as passwords or credit card details, which could be used by criminals for malicious purposes. Most notably victims are left vulnerable to identity theft or financial fraud.
When you think about the sheer volume of these leaks, one would imagine that the world would stop and focus on the attack vector(s) being exploited. The unfortunate reality is the world didn’t stop. To make things more interesting, the most prominent attack vector is likely not what you or anyone thinks. Believe it or not, application programming interfaces (APIs) are a leading culprit of exposure and compromise.
That’s right, hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. In 2022 alone, 76% of cybersecurity professionals admitted to experiencing an API security related incident. If that wasn’t attention-grabbing enough, US businesses incurred upwards of $23 billion in losses from API-related breaches during the same time period. And unfortunately, many organizations are just starting to take notice.
With that said, in this article, we’ll explore the potential consequences of data leaks, the role and impact APIs have, as well as how organizations can protect themselves from these risks.
Protecting data traversing your APIs
If you work in IT, it’s obvious how essential security controls are to prevent sensitive data from being exposed or leaked. As such, organizations must take extra steps to protect their data from unauthorized access. Companies should invest in the latest security measures and ensure that all employees are aware of the importance of protecting sensitive information. If you haven’t gotten the picture by now, this exercise should definitely include investing in API security.
Surprisingly to many technology professionals, API traffic now represents over 80% of the current internet traffic, with API calls growing twice as fast as HTML traffic. When you unpack this statistic, it becomes rapidly clear that APIs interact with all types of data – including sensitive data like credit card information, health records, social security numbers, etc. However, not as much attention is paid to securing APIs like that of network, perimeter, and application security. To be honest, many organizations struggle with even knowing how many APIs they actually have.
Pretty alarming, right? As the old saying goes, you can’t protect what you can’t see. And without an accurate API inventory and insight into sensitive data traffic, you cannot adequately address potential vulnerabilities and data leakage.
API gateways and web application firewalls (WAFs) only provide limited visibility into your API estate, as they only reveal API traffic that’s routed through them. Also keep in mind that API inventory is more than just a number. You need to know how many APIs you have, including shadow and zombie APIs, as well as the types of data they engage with. Which is the other downside about WAFs and gateways – they simply don’t provide visibility into the types of sensitive data that traverse your APIs. Without it, there can be dire consequences if sensitive data is ever exposed.