APIs – Friend or Foe?

APIs undoubtedly unlock business value... But at what cost?

Cybercrime is more prevalent today than ever before, with criminals using increasingly sophisticated methods to target companies and individuals. Juniper Research recently predicted that the cost of data breaches will reach $2.1 trillion globally by 2019. The rapid digitisation we are seeing across business and consumer sectors, and the rise of APIs (Application Programming Interfaces), have been making this even less of a challenge for criminals. APIs are important development tools used in computer programming, and refer to sets of routines used to build software and applications. Basically, they provide the building blocks for programmers. But what’s that got to do with cybersecurity, and why are they so vulnerable to attack?

APIs and security
Ever looked up the location of a restaurant on its webpage and been directed to a route from Google Maps (without actually having opened Google Maps)? Well, that’s what APIs do. They let apps interact with each other. Sounds pretty harmless, right? Unfortunately, as society uses more and more consumer devices, APIs are forced to break down these applications, which stretches the interfaces thin on the ground. This leads to a lot of scattered data without centralised control... In other words, they’re every hacker’s dream. Because APIs are programmable, cyber criminals simply have to re-program the interface. It’s no coincidence that the rising numbers of cyber attacks correlate with the ever-increasing number of consumer devices. Add the Internet of Things, and that’s even more nodes putting a strain on APIs. Last year, the Internal Revenue Service (IRS) found that 100,000 taxpayers had been targeted by cyber criminals. In an attempt to protect APIs, high-profile companies like IBM have their own API security products on offer, and there is a plethora of other API security measures that can be put into place. According to an article written for eSecurity Planet, the growing popularity of APIs could lead to the death of these security products, but surely increased use means there should be equally increased attention paid to protecting them. Maybe it’s not so much the unavailability of these services, but a continuing ignorance about the importance of data.

The disruptive angle
The most positive disruption that can come from the security risks of using APIs is a change in the way that people view cybersecurity, which is long overdue. The popularity and simplicity of APIs mean that businesses aren’t just going to stop using them. The result will either be continued exposure to cybercrime, or a complete turn-around in the way that businesses have to operate. As the public becomes more aware of cybercrime, this will change the way that companies (especially those dealing with personal customer information) gain trust from their consumers. It’s not just mentalities that will be affected – there’s already a market for API security products that exceeded $600 million in 2014, and as businesses across the scale start to accept the need to protect their interfaces, startups and well-established firms alike will compete for their attention. Threats to APIs mean threats to apps, which could create a barrier against the rise of chatbots. Bearing in mind that chatbots are hailed by many as the ultimate way to combine apps, if hackers can interrupt the exchange of data from one app to another, then using a bot suddenly comes with a side-helping of paranoia.

The business perspective
How will all of this affect businesses? APIs are now largely essential for software set-up, so there are really only two options available. Either companies protect their software, or they leave it vulnerable to cyber criminals. At the moment this choice is mainly in the hands of boardroom members and executives, but as public knowledge about this issue improves, companies will have to answer to their customers when it comes to data security. And it’s not just their stakeholders that will keep them on their toes – there are some pretty sizeable fines in place for organisations that neglect to invest in decent cybersecurity systems. Hopefully, companies will stop looking the other way when it comes to securing interfaces. This isn’t going to go away – information is incredibly valuable. It’s often been said that money makes the world go round, but in fact the real motivator is data. Whilst cybercrime is a huge worry for some, it’s an opportunity for others. Tech firms like Apigee and Axway are vying to capitalise on the new market.

Almost all technology can be described as having a dual identity. On the one hand, it can make life so much easier, but on the other, it can create a lot of problems. The threat posed to APIs is just one side-effect of a world embracing technology, and that in turn has compromised apps and even the chatbots that live inside them. Society as a whole needs to be aware of where its data is, and what security measures are in place to protect it. Take, for instance, Google’s new smart messaging app, Allo. The tech giant failed to meet security requirements, allegedly recording every single conversation that its users have... which is creepy, to say the least. Thankfully, a growing awareness of the need to secure digital environments and interfaces has made cybersecurity a boardroom priority. However, if Google was able to refrain (albeit temporarily) from enforcing proper security measures, then it’s worrying to think about how many other apps could be at risk.

Has your business invested in API security systems? If not, why? Share your opinion and experiences.