API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them.
This article will explore the obvious and hidden costs of API breaches, their long-term business impacts, and how you can communicate the importance of API security to business stakeholders and decision-makers.
First, let’s set the context a little bit. There are more APIs than ever and businesses are relying on them like never before. For example, the number of open banking API calls is forecast to grow from 102 billion in 2023 to 580 billion in 2027. Given that expansion, it comes as no surprise that we also experience more API attacks than ever.
Attackers are efficient: as organizations increasingly adopt APIs, attackers will increasingly target them because that’s where data lives. Moreover, because APIs are designed for programmatic interaction and data exchange, they’re not just a target but a preferred target. For most attackers, it’s a waste of resources to build web scrapers or tools to defeat captchas when they can harvest valuable data straight from the APIs powering those web applications.
API attacks aren’t just getting more common, however; they’re getting more severe, too. The Wallarm Q3 2024 ThreatStats Report reveals that the quarter saw many massive API attacks. To name just two, an attack on Deutsche Telekom affected 252 million users, and attackers took over the accounts of 80 million Hotjar and Business Insider readers. These attacks can have enormous consequences beyond the obvious.
Although immediate financial loss is the most obvious impact of an API attack, bad actors rarely steal money directly from organizations. Financial gain for attackers, and the corresponding loss for victim organizations, is typically only a second- or third-order consequence of an API attack. Threat actors steal data and then monetize that data, often by holding businesses to ransom, but also through other methods, such as using an unsecured API to purchase tickets to an event and then reselling them at a higher price, or selling stolen credentials on the dark web.
Some regulatory costs are relatively obvious. Amidst an increasingly stringent regulatory environment, legal fines for non-compliance can reach eye-watering heights. In the past five years alone, tech giants Meta, Amazon, and TikTok have paid out GDPR fines of hundreds of millions of euros.
In the long term, lawsuits associated with an API attack can strain business finances. In September 2024, biotechnology company 23andMe settled a data breach lawsuit for a staggering $30 million.
However, there are other, less obvious regulatory costs associated with data breaches. Increased regulatory scrutiny, or even loss of regulatory status, is perhaps the most impactful. For example, suffering a breach in a PCI environment will not only result in fines, but can also move a business to a more stringent PCI DSS merchant level, which, in turn, increases the organization's compliance spending and forces it to hire more staff to manage compliance and security.
Breaches can also have long-term impacts on business relationships. If a breach involves a partner or multiple partners’ data, the business relationship and trust between organizations are unlikely to recover. Replacing a partner instrumental in generating revenue can be a long, laborious, and costly process.
It’s worth mentioning here that the reputational impacts of data breaches are somewhat overblown. Many in the cybersecurity community assume that breaches can have a long-term impact on customer loyalty, but there’s no compelling evidence to support this claim. Customers are interested in price and reliability—if a breach impacts an organization’s ability to provide a service or drives prices up, customers will care; if not, they won’t.
Working in security, you’ll know how difficult it can be to secure an adequate budget for security tooling. Having read this far, you’ll be all too aware, if you weren’t already, of the disastrous financial consequences of failing to secure that budget. So, how can you measure and communicate the ROI of API security measures to the necessary stakeholders?
Well, you’re in luck. APIs are increasingly tied to revenue, and money talks, especially to C-level executives and other decision-makers. The best way to measure the value of API security is to communicate that connection to revenue. Instead of talking about securing APIs, talk about securing transactions. If your core business is electronic document signing, then you’re securing signatures. If your business is e-commerce, then you’re securing purchases. Don’t talk about how many attacks you blocked; talk about how many transactions you secured.
In short, you need to speak your audience’s language. If you’re working with IT or cybersecurity professionals, feel free to use tech-centric language, but remember this approach won’t work with business stakeholders. Tailor your approach to your audience.
If you take one thing away from this article, let it be this: model the threat scenarios and prepare for the most likely ones. Many of the costs associated with an API breach come as a surprise to organizations and put a significant strain on finances, but they don’t have to. At this point, API security is an absolute business necessity. It can be costly up front, but the choice is between paying a predictable cost now or watching financial losses spiral later. Wallarm is the only solution that unifies best-in-class API Security and real-time blocking capabilities to protect your entire API portfolio in multi-cloud, cloud-native, and on-premises environments. With Wallarm, you can worry less about the costs of an API incident. Book a demo today to find out more.