A recent report from Raidiam has revealed a significant API security crisis, with 84% of enterprises operating outside regulated frameworks lacking adequate protections for sensitive data.
This alarming statistic highlights a critical vulnerability, particularly for organisations in sectors such as fintech, SaaS, and payments.

The report, titled "Helping Enterprises Recognize and Address Critical Risk," is based on a security profiling exercise involving 68 organisations. It found that while 85% of these firms handle sensitive or high-value personal and financial data, the majority rely on outdated security mechanisms, such as static API keys and basic OAuth secrets, without additional safeguards.

Emphasising the severity of the issue, David Oppenheim, Head of Enterprise Strategy at Raidiam, stated: “The gap between the sensitivity of data and the strength of controls is a board-level risk – not just a technical issue.”
Among the report's key findings, 84% of organisations were placed in the "Act Urgently" category, exposing sensitive APIs with inadequate security measures.
Alarmingly, only one organisation met the benchmark for modern, cryptographic API protection. Furthermore, 57 out of 68 organisations still depend on bare API keys or basic OAuth credentials, despite their known vulnerabilities. Less than half of the surveyed entities conduct regular API-specific penetration testing or runtime anomaly monitoring, which leaves them blind to potential attacks.
The report also notes that real-world breaches, such as the Dell partner API hack in 2023, illustrate how weak API protections are being exploited.
The report introduces a Security vs Sensitivity Matrix, which clearly shows a misalignment between the level of API protection and the sensitivity of the data exposed.
“In regulated environments like Open Banking, stronger controls like mutual TLS and certificate-bound tokens are standard,” Oppenheim pointed out. “Outside those frameworks, there’s a gaping hole.”
Concerns over API risks are growing, as seen in an open letter from JPMorgan Chase’s CISO, who highlighted the need for prioritising security over speed in development roadmaps. According to Gartner, API breaches can leak up to ten times more data than traditional attacks, making this a pressing concern for enterprises.
To address these vulnerabilities, the report outlines a four-step roadmap for improvement:
- Elevate API security to a board-level priority.
- Modernise controls using cryptographic techniques like mTLS.
- Invest in developer awareness and security testing.
- Engage trusted partners to adopt proven standards.
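To make the contrast the report draws concrete, the following is an added example (not code from the report or from Raidiam) of the two control levels it compares: a bare, static API key check, and a resource-server check of a certificate-bound access token of the kind used with mutual TLS in Open Banking (the `x5t#S256` confirmation claim from RFC 8705). Everything in it is constructed: the certificate bytes stand in for a DER-encoded client certificate, the token is represented as already signature-verified claims, and the partner id, key value and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample data (not from the report). In a real deployment the
# certificate bytes come from the TLS layer after the mutual-TLS handshake.
CLIENT_CERT_DER = b"constructed-client-certificate-der-bytes"
OTHER_CERT_DER = b"constructed-certificate-of-a-different-client"


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256 value: base64url(SHA-256(DER certificate)), unpadded."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- Weak control: bare static API key ------------------------------------
# Hypothetical key store; the key value is constructed.
API_KEYS = {"partner-42": "constructed-static-key-value"}


def authorize_with_api_key(partner_id: str, presented_key: str) -> bool:
    """Whoever holds the key string is accepted; nothing ties it to the caller,
    so a leaked key is usable from anywhere until it is rotated."""
    expected = API_KEYS.get(partner_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, presented_key)


# --- Stronger control: certificate-bound access token over mTLS ------------
def issue_bound_token(subject: str, cert_der: bytes, ttl: int = 300,
                      now: Optional[int] = None) -> dict:
    """Claims an authorization server would mint after the client authenticated
    over mTLS. Signing is out of scope here; claims are treated as verified."""
    now = int(time.time()) if now is None else now
    return {
        "sub": subject,
        "exp": now + ttl,
        "cnf": {"x5t#S256": cert_thumbprint(cert_der)},
    }


def authorize_with_bound_token(claims: dict, presented_cert_der: Optional[bytes],
                               now: Optional[int] = None) -> bool:
    """Resource-server check: the token is unexpired AND was presented over an
    mTLS connection using the certificate the token is bound to. A token copied
    out of one client is useless to another caller."""
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    if presented_cert_der is None:
        return False  # no client certificate on this connection
    bound = claims.get("cnf", {}).get("x5t#S256")
    if not bound:
        return False  # unbound bearer token: reject where binding is required
    return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))


if __name__ == "__main__":
    token = issue_bound_token("partner-42", CLIENT_CERT_DER, now=1000)
    print("key accepted:", authorize_with_api_key("partner-42", "constructed-static-key-value"))
    print("bound token, right cert:", authorize_with_bound_token(token, CLIENT_CERT_DER, now=1100))
    print("bound token, other cert:", authorize_with_bound_token(token, OTHER_CERT_DER, now=1100))
```

The difference the report's matrix is pointing at is visible in the last two lines: the API key check cannot distinguish the legitimate partner from anyone who obtained the key, whereas the bound-token check fails as soon as the presenting TLS client's certificate does not match the thumbprint minted into the token.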

With the threat landscape evolving, organisations must take immediate action to secure their APIs and protect sensitive data from emerging vulnerabilities.