APIs are at the heart of today’s digital services, with organizations developing, deploying and modifying them faster than ever before. Businesses rely on APIs as the foundation for their transformative applications and online services; APIs enable them to share critical data with customers, partners, and employees. In fact, more than 80% of Internet traffic today runs on APIs across both external and internal channels.
However, the unprecedented growth of APIs poses new security challenges by expanding the attack surface available to hackers. Leading analyst firm Gartner has even created a security reference architecture that includes API protection as its own pillar.
Although the API ecosystem is booming globally, some industries are more at risk than others. Financial services organizations, insurance companies and retail brands rise to the top of the list of those at highest risk.
APIs play an increasingly critical role in fueling digital transformation and innovation in financial services. Consider open banking. Open banking is rapidly becoming the backbone of online financial services. According to Simon Torrance and Bain Capital, finance markets enabled by open banking will reach a $3.6 trillion market share by 2030.
Open banking runs on APIs. APIs enable the sharing of financial data to support transactions ranging from accessing account information to account transfers to online payments and much more.
This increasing usage of APIs in financial services has created new and significant security risks. API attacks threaten key digital initiatives that have become business-critical in the past few years. Since the beginning of the Covid pandemic, remote and online financial services have become essential for any financial institution that wants to remain competitive.
While today’s consumers expect digital financial services at their fingertips, they are not willing to compromise the security of their data for those services. Without the ability to protect their customer data, financial organizations will lose competitive advantage and fall behind on their business innovation initiatives.
Once a company loses consumer trust, it’s hard to go back, and the stakes are even higher for financial services companies. A successful API attack that compromises customers’ user account information and transaction data can have catastrophic financial and reputational effects.
The growing risk the financial services industry faces becomes even more apparent if you consider that traditional security solutions such as bot mitigation, WAFs and API gateways don’t offer adequate protection against today’s API attacks.
In fact, attacker activity looks like normal API traffic to traditional tools, and their architectural limits mean they can only inspect one transaction at a time, offering little beyond rate limiting. They also depend on signatures to detect known attack patterns, so an attack on a vulnerability unique to a single API can easily slip through the cracks.
Other basic controls, such as authentication, authorization and encryption, which are all widely used in open banking, also fall short of meeting API security challenges.
Financial services organizations need deeper insights and a depth of context about their growing API ecosystems in order to fully protect them. They must understand normal API behaviors to quickly spot anomalies across millions of API calls. Without this type of context, financial services institutions place themselves at risk of API security breaches that can cause major financial and reputational damage as well as compliance and regulatory penalties.
As part of the financial services ecosystem, the insurance industry also relies heavily on APIs to supply its services and propel business innovation. The days of calling your insurance broker on the phone to set up a policy have long passed, and consumers now expect to buy, set up, renew and claim on their insurance exclusively online.
To provide these services digitally, insurance companies need to process and share sensitive customer data with several third parties while ensuring their customers can access, change and submit their information instantly through their mobile applications and websites. This new landscape has placed APIs at the heart of insurance and poses new security challenges that cannot be addressed by traditional security solutions.
Covid has accelerated reliance on APIs in the insurance sector and propelled a shift towards automation. An increasing number of insurance providers globally use AI-based automation technology to provide their services, process customer claims and even aid in the underwriting process. According to McKinsey & Company, AI will effectively reshape the insurance industry by 2030.
To support the push for technological innovation in insurance, APIs are being developed and deployed faster than ever, giving hackers a broader attack surface to take over user account information, complete fraudulent transactions or insurance claims and cause overall service disruption.
In addition, insurers face the same compliance and regulatory obligations as other financial services organizations. An API attack can generate hefty fines, on top of the reputational damage that can cost them the trust of their customer base.
Different types of insurance require different types of customer data. This can include sensitive personally identifiable information (PII), such as medical history, driving records or address history. Some countries also mandate insurance products, such as car, home or professional liability insurance. APIs deliver the connectivity to share this entire range of customer data, further broadening the scope for potential API attacks.
Insurance has entered a crucial stage in its digital innovation journey, and APIs play a huge part in supporting new insurance services. Dedicated, AI-based API security allows insurers to stay competitive in a changing landscape while safeguarding customer loyalty, efficiency and compliance.
Of all the industries that have gone through major disruptions in the past few years, retail has by far experienced the most. With Covid closing brick-and-mortar stores for months on end, digitalized services became the only way to survive for many retail brands.
To sell their products online and meet new customer expectations for fast, reliable and fully digital shopping, retailers rely on hundreds of APIs. From browsing a product catalog to submitting an order or making a payment, every step consumers take when buying online depends on APIs to share data across the different stages of a shopper’s journey.
According to Juniper Research, e-commerce transactions will exceed $7.5 trillion globally by 2026. This continued growth in online shopping inevitably results in increased use of APIs, which expands the attack surface available to hackers and the exposure of sensitive customer data. It also means that APIs are being changed more frequently than ever before, leading to a greater risk of vulnerabilities being introduced in development as well as challenges in visibility.
According to the latest State of API report released by Salt Labs, 83% of organizations lack confidence that their API inventory is complete. You can’t protect what you can’t see.
Although many retail companies have several security solutions in place, we’ve seen that traditional tools are unable to detect or prevent today’s API attacks. Simply put, retailers who want to retain or expand their customer base in today’s digitalized world need to develop an API security strategy that is supported by AI-based technology and can cover the full API lifecycle.
In the past 12 months, 95% of organizations experienced an API security incident, with API attack traffic growing 681% in the same period, more than twice as fast as overall API traffic.
In the financial services, insurance and retail industries, APIs have become an essential part of business innovation. Simultaneously, they have become the top target for attacks, making API protection a must-have for companies that want to innovate, grow and meet their customers’ expectations.
Organizations in each of these industries need to secure their customers’ data, safeguard their revenue and protect their reputation while operating in highly competitive markets. To do this, they need a dedicated API security solution.
Any API security solution should provide full visibility into all APIs for a complete and accurate inventory. In addition, because APIs are not simply static code, protecting them requires rich context about API behavior at runtime. Organizations need the ability to baseline APIs as they are being exercised and then pinpoint anomalies against that baseline. Only cloud-scale big data, combined with machine learning (ML) and AI, can provide the depth of context over time, across millions of API calls, required for API security.
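As an added illustration of the runtime baselining described above (example code written for this page, not Salt Security's product or method), the following Python script learns, from a constructed set of API access log lines, how many distinct accounts a client normally touches on each endpoint within a one-minute window, then flags a client that far exceeds that baseline even though every one of its requests is authenticated and answered with a 200. This is the difference between inspecting one transaction at a time and correlating calls across a client's history. The log format, client IDs, endpoints, window and threshold factor are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed for this example (constructed, not any real product's format):
# "<ISO timestamp> <client id> <method> /accounts/<account id>/<resource> <status>"
LOG_RE = re.compile(
    r"^(\S+) (\S+) (GET|POST|PUT|DELETE) /accounts/(\d+)/(\w+) (\d{3})$"
)

# Constructed training traffic: three clients, each reading its own one or two accounts.
TRAINING_LOG = """\
2024-03-01T10:00:01Z cli-A GET /accounts/1001/balance 200
2024-03-01T10:00:05Z cli-A GET /accounts/1001/transactions 200
2024-03-01T10:00:30Z cli-A GET /accounts/1002/balance 200
2024-03-01T10:01:10Z cli-B GET /accounts/2042/balance 200
2024-03-01T10:01:15Z cli-B GET /accounts/2042/transactions 200
2024-03-01T10:02:00Z cli-C GET /accounts/3105/balance 200
2024-03-01T10:02:08Z cli-C GET /accounts/3106/balance 200
"""

# Constructed live traffic: cli-A behaves as before; cli-D reads eight different
# accounts in eight seconds, every call authenticated and answered with 200.
LIVE_LOG = "\n".join(
    ["2024-03-01T11:00:00Z cli-A GET /accounts/1001/balance 200",
     "2024-03-01T11:00:04Z cli-A GET /accounts/1002/balance 200"]
    + [f"2024-03-01T11:05:{i:02d}Z cli-D GET /accounts/{4000 + i}/balance 200"
       for i in range(1, 9)]
)


def parse_log(text):
    """Turn raw log lines into events; the account id is separated from the endpoint."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, method, account, resource, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "endpoint": f"{method} /accounts/{{id}}/{resource}",
            "account": account,
            "status": int(status),
        })
    return events


def single_request_check(event):
    """What a per-transaction control sees: a well-formed client id and a 2xx reply."""
    return event["client"].startswith("cli-") and 200 <= event["status"] < 300


def group_by_client_endpoint(events):
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["endpoint"])].append(e)
    return groups


def max_distinct_in_window(evs, window):
    """Largest number of distinct accounts seen in any sliding window of length `window`."""
    evs = sorted(evs, key=lambda e: e["ts"])
    counts = defaultdict(int)
    best, lo = 0, 0
    for e in evs:
        counts[e["account"]] += 1
        while e["ts"] - evs[lo]["ts"] > window:  # drop events that fell out of the window
            old = evs[lo]["account"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def learn_baseline(events, window):
    """Per endpoint: the most distinct accounts any single client touched within one window."""
    baseline = defaultdict(int)
    for (_, endpoint), evs in group_by_client_endpoint(events).items():
        baseline[endpoint] = max(baseline[endpoint], max_distinct_in_window(evs, window))
    return dict(baseline)


def detect_enumeration(events, baseline, window, factor=2):
    """Flag clients whose distinct-account rate on an endpoint exceeds factor x baseline.
    An endpoint absent from the baseline has an allowance of 0, so any traffic to it is
    flagged: unknown endpoints are an inventory gap, not normal behavior."""
    alerts = []
    for (client, endpoint), evs in sorted(group_by_client_endpoint(events).items()):
        peak = max_distinct_in_window(evs, window)
        allowed = baseline.get(endpoint, 0) * factor
        if peak > allowed:
            alerts.append({"client": client, "endpoint": endpoint,
                           "peak": peak, "allowed": allowed})
    return alerts


if __name__ == "__main__":
    window = timedelta(seconds=60)
    baseline = learn_baseline(parse_log(TRAINING_LOG), window)
    live = parse_log(LIVE_LOG)
    print("per-request checks all pass:", all(single_request_check(e) for e in live))
    for a in detect_enumeration(live, baseline, window):
        print(f"ALERT {a['client']} {a['endpoint']}: {a['peak']} distinct accounts "
              f"in one window (baseline allows {a['allowed']})")
```

Every live request passes the per-request check, yet the baseline comparison singles out cli-D on the balance endpoint. A production system would learn the baseline continuously and per user population rather than from a fixed training set, but the principle is the same: the signal is in the relationship between calls, not in any one of them.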
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.