Despite increased vigilance, a survey of 631 cybersecurity professionals in the U.S. and United Kingdom found more than three-quarters (78%) suffered an API security incident in the last 12 months.

The survey was conducted by Opinion Matters on behalf of Noname Security, a provider of a platform for securing application programming interfaces (APIs). The survey found that 81% of respondents said API security is more of a priority now than it was 12 months ago. Nearly three-quarters (72%) of cybersecurity professionals have a full inventory of the APIs they have been deployed.

More than half (53%) now view API security as a necessary requirement for their business, with just under half (47%) viewing it as a business enabler. Just over half (55%) also tested their APIs in real-time or tested their APIs daily, the survey found.

However, only 40% have visibility into the sensitive data that APIs may be exposing, the survey finds.

Noname Security CISO Karl Mattson said that lack of visibility is critical because cybercriminals have become more adept at manipulating API business logic to successfully exfiltrate data.

The survey identified the primary reasons organizations are paying more attention to API security—loss of customer goodwill and churned accounts (51%) followed by fees to fix issues and loss of productivity, tied at 48% each. More than half (53%) of respondents said their developers spent between 26% and 50% of their time on refactoring and remediating issues.

Not surprisingly, financial services and retail are the industry sectors seeing the most cyberattacks launched against APIs, but now every vertical industry is experiencing similar increased activity, said Mattson.

Despite some clear progress, there is still a disconnect between the developers that create APIs and the cybersecurity teams that are at least nominally responsible for securing them. Most developers don’t have a lot of cybersecurity expertise so the odds there will be easily exploitable vulnerabilities in APIs are fairly high. Unfortunately, far too many developers don’t alert cybersecurity teams when APIs have been added to production environments, so the number of externally-facing APIs is usually a lot higher than cybersecurity teams believe. In addition to those rogue APIs, there are also a fair number of so-called zombie APIs that are no longer being maintained but can still be exploited by cybercriminals to exfiltrate data.

More challenging still, many organizations are counting on existing application security tools to secure APIs rather than dedicated API platforms, noted Mattson. In addition to being created by separate developer teams, APIs have unique cybersecurity requirements that are not addressed by, for example, a web application firewall (WAF), said Mattson. As such, API security is a unique discipline that requires specific tools and expertise to achieve and maintain, he added.

Regardless of how APIs are secured, the number of APIs organizations are deploying will exponentially increase as more cloud-native applications based on microservices—each with their own APIs—are deployed. The challenge and the opportunity is to get ahead of that growth versus trying to secure an expanded attack surface after cybercriminals have already wreaked havoc.