The Major Cybersecurity Threat Too Many Companies Still Overlook


Welcome to my LinkedIn newsletter! In each issue of Entrepreneurship and Leadership, I'll be sharing my thoughts on scaling, leading and funding high-growth startups and what the future of innovation looks like. Subscribe here to stay updated.

When Chinese government-backed hackers accessed the Microsoft Exchange server last year, they didn’t break through tough firewalls to access the network. They came right in through an open door.

Application programming interfaces, or APIs, are bits of code that allow different software applications to interface and “talk” with each other. Increasingly, hackers exploit vulnerabilities in these open portals to access sensitive data and wreak havoc.

APIs help companies deliver seamless customer experiences, but here’s the problem: Their use proliferates so quickly that most companies don’t even know which and how many APIs they are using – let alone how to protect them from attack. This is known as API sprawl. 

It’s the No. 1 cybersecurity issue you’ve probably never heard of. And it’s only getting worse.

As someone who works in software delivery and cybersecurity, I know how hard it is to protect these essential interfaces from malicious activity. Here’s why API security matters and what every company should do this year to protect their customers’ valuable data and trust.


Who should care about API security? Everyone.

Cybersecurity in the 20th century was all about erecting firewalls to prevent unauthorized users from accessing computers or networks. But today, most software users demand interconnectivity. That’s where APIs come in — a 21st-century technology that demands a 21st-century approach to security.

If a protected network is like a walled compound, APIs are the doors and windows that allow for the free flow of traffic. They enable the countless convenient integrations we use daily, from the weather widget on the home screen of your computer to the mapping website that shows the nearest dentist to the PayPal checkout button on an e-commerce website. Every time you use your social media or Google username and password to log in to a third-party website, you are using an API.

Security breaches, like the one T-Mobile recently disclosed that affected approximately 37 million customers, are regular reminders of potential API vulnerabilities.

But API security is especially paramount when sensitive data is transferred – as in banking, telecommunications, healthcare or some government services. This year alone, hackers gained access to the sensitive health information of more than 41 million people in 479 confirmed cybersecurity breaches at U.S. hospitals, doctors' offices, and other healthcare providers. 

Between the loss of business and the cost of detection and response, the average security breach costs companies around $9.44 million. That’s why all businesses must get a handle on API security this year.

Here are three essential steps to lock down your APIs in 2023. 


Step 1: Count your windows and doors with an API inventory

The windows and doors afforded by APIs allow a vital exchange of digital information with the outside world. The problem is that APIs are so ubiquitous that many companies have lost track of them and don’t know how many shadow or orphaned APIs are languishing in old code. You can’t protect what you can’t see.

To further complicate matters, a company’s API landscape includes its API services and all the APIs that customers and end users have connected to them. So the first step in API security is to discover and catalog all the APIs in your applications. This can be a complex task, as APIs are constantly added and updated. My company recently signed a multimillion-dollar deal with a major U.S. bank just to inventory their APIs.

But a comprehensive and continuously updated catalog is only the start in identifying malicious activity or vulnerabilities that could compromise user data. 
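One concrete way to start the inventory described in this step is to compare the endpoints actually observed in traffic against the ones the organization has documented. The following is an added example (not code from the article or from any vendor named in it): it matches access-log requests against a constructed OpenAPI-style catalogue, collapses record ids so undocumented routes group by shape, and reports everything that is live but uncatalogued. The paths, log lines and method/path pairs are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed catalogue of documented endpoints in OpenAPI path-template form
# (hypothetical paths, not any real inventory).
DOCUMENTED = [
    ("GET", "/v1/accounts/{id}"),
    ("PUT", "/v1/accounts/{id}"),
    ("GET", "/v1/accounts/{id}/statements/{year}"),
    ("POST", "/v1/login"),
]

# Constructed access-log sample, one "METHOD path status" per line.
ACCESS_LOG = """\
GET /v1/accounts/1042 200
PUT /v1/accounts/1042 204
GET /v1/accounts/1042/statements/2023 200
POST /v1/login 200
GET /internal/debug/users 200
GET /v1/accounts/1042/export 200
GET /v1/accounts/77/export 200
DELETE /v1/accounts/1042 403
"""

def template_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches exactly one path segment."""
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")

def normalize_path(path):
    """Collapse numeric ids so undocumented routes group by shape, not by record."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def find_shadow_endpoints(log_text, documented):
    """Return every (method, normalized path) seen in traffic but absent from the catalogue."""
    known = [(method, template_to_regex(tpl)) for method, tpl in documented]
    shadow = Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        if not any(m == method and rx.match(path) for m, rx in known):
            shadow[(method, normalize_path(path))] += 1
    return shadow

if __name__ == "__main__":
    for (method, path), hits in find_shadow_endpoints(ACCESS_LOG, DOCUMENTED).items():
        print(f"undocumented: {method} {path} ({hits} requests)")
```

Run against real gateway or load-balancer logs, the same comparison surfaces the shadow and orphaned routes the article warns about, including documented paths reachable with undocumented methods (the DELETE above).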


Step 2: Implement common-sense policies to minimize risk 

When it comes to home security, we embrace a host of best practices to stay safe: locking the door when we’re away and not leaving valuables by open windows. A similar common-sense protocol is critical for API security.

This starts with adopting API governance policies that ensure APIs are documented and meet specific security standards.

Since it won’t work to build firewalls around these open portals, governance policies are necessarily nuanced. They need to ensure APIs are reliable, scalable, and reusable across the entire API landscape. Most importantly, APIs should never expose more data than what is necessary to service the user. 

Failing to do so can result in disaster – such as when hackers took advantage of a broken API to allow anyone to view and modify the account details of any of the U.S. Postal Service system’s 60 million online customers.
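The two governance rules in this step, never exposing more data than the user needs and never letting one user read or change another user's record, can be made concrete in the handler itself. The following is an added example (not the article's or any named company's code, and not a reconstruction of the Postal Service system): a lookup that trusts the client-supplied account id and returns the whole record, beside a hardened version that enforces object-level ownership and allowlists both the fields it returns and the fields it accepts for update. The Account structure, sample records and field names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    owner_user_id: int
    display_name: str
    email: str
    street_address: str
    ssn_last4: str         # sensitive: has no place in a general lookup response
    password_hash: str     # must never leave the service at all

# Constructed sample records (hypothetical users, not real data)
ACCOUNTS = {
    1: Account(1, 100, "Alice", "alice@example.com", "1 Main St", "1234", "<hash-placeholder>"),
    2: Account(2, 200, "Bob", "bob@example.com", "2 Oak Ave", "9876", "<hash-placeholder>"),
}

PUBLIC_FIELDS = ("account_id", "display_name", "email")   # everything else is withheld by default
WRITABLE_FIELDS = ("display_name", "street_address")      # ownership and credentials are not client-writable

class Forbidden(Exception):
    pass

def get_account_vulnerable(caller_user_id, account_id):
    """The broken pattern: trusts the client-supplied id and serialises the whole record."""
    return dict(vars(ACCOUNTS[account_id]))

def _authorize(caller_user_id, account_id):
    """Object-level check: the caller must own the record they ask for. A missing record and a
    record owned by someone else look identical to the caller, so ids cannot be probed."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_user_id != caller_user_id:
        raise Forbidden("not your account")
    return acct

def get_account_hardened(caller_user_id, account_id):
    acct = _authorize(caller_user_id, account_id)
    return {f: getattr(acct, f) for f in PUBLIC_FIELDS}

def update_account_hardened(caller_user_id, account_id, changes):
    acct = _authorize(caller_user_id, account_id)
    accepted = sorted(set(changes) & set(WRITABLE_FIELDS))
    for field in accepted:
        setattr(acct, field, changes[field])
    return {"updated": accepted, "rejected": sorted(set(changes) - set(WRITABLE_FIELDS))}

def handle_get(caller_user_id, account_id):
    """HTTP-style wrapper: an authorization failure becomes a 403, never a partial body."""
    try:
        return 200, get_account_hardened(caller_user_id, account_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
```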


Step 3: Use smart surveillance tools to spot API threats

Technology like smart cameras and AI have revolutionized security and surveillance in our everyday lives. Even basic systems automatically flag suspicious activities, recognizing patterns and bad actors. When it comes to API security, this kind of intelligent surveillance is equally essential. 

With APIs accounting for over half the internet traffic in many countries, it’s impossible for anyone, or even a team, to spot threats. But with AI and machine learning, it’s possible to monitor and identify issues in real time. The latest automated tools analyze spikes and other anomalies and alert human security teams when something is off. This enables even small companies to safely offer concierge customer experiences without having to employ an army of cybersecurity experts.
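The article describes tools that flag spikes and other anomalies for a human team; the following added example (not the article's or any vendor's code) shows the simplest form of that logic over constructed API traffic: each client is compared with its own median per-minute request rate, and a window is also flagged when one client touches an unusual number of distinct account ids, which is the traffic shape left behind by the kind of account-by-account access described in Step 2. The client addresses, paths, thresholds and timestamps are all constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per bucket

# Constructed sample traffic as (unix_time, client, path, status); hypothetical addresses.
# 10.0.0.5 is a normal user. 10.0.0.9 requests 40 different account ids inside one minute
# and is refused for almost all of them, the shape of an account-enumeration attempt.
SAMPLE = (
    [(m * 60 + 5, "10.0.0.5", "/v1/accounts/1042", 200) for m in range(5)]
    + [(m * 60 + 35, "10.0.0.5", "/v1/accounts/1042/statements/2023", 200) for m in range(5)]
    + [(m * 60 + 20, "10.0.0.9", "/v1/accounts/2000", 200) for m in range(5) if m != 3]
    + [(180 + i, "10.0.0.9", f"/v1/accounts/{2000 + i}", 200 if i == 0 else 403) for i in range(40)]
)

ID_IN_PATH = re.compile(r"/accounts/(\d+)")

def detect_anomalies(events, spike_factor=4, min_requests=5, enum_threshold=20):
    """Flag (client, window) pairs whose request count jumps well above that client's own
    median rate, or that touch an unusual number of distinct account ids."""
    per_client = defaultdict(lambda: defaultdict(list))   # client -> window -> [(path, status)]
    for ts, client, path, status in events:
        per_client[client][ts // WINDOW].append((path, status))
    alerts = []
    for client, windows in per_client.items():
        baseline = median(len(reqs) for reqs in windows.values())
        for window, reqs in sorted(windows.items()):
            ids = {m.group(1) for path, _ in reqs if (m := ID_IN_PATH.search(path))}
            errors = sum(1 for _, status in reqs if status >= 400)
            reasons = []
            if len(reqs) > max(min_requests, spike_factor * baseline):
                reasons.append("request spike")
            if len(ids) >= enum_threshold:
                reasons.append("object-id enumeration")
            if reasons:
                alerts.append({"client": client, "window": window, "requests": len(reqs),
                               "distinct_ids": len(ids), "errors": errors, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE):
        print(alert)
```

The per-client median is a deliberately simple baseline; production tooling would learn per-endpoint and time-of-day baselines, but the alert fields (who, when, how many requests, how many distinct objects, how many refusals) are what a human reviewer needs first.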

API security has largely flown under the radar, even as malicious actors have increasingly been helping themselves to private and sensitive data.

Moving forward, only companies that prioritize API security will earn the trust of users and consumers while saving themselves the cost and headaches of a massive data breach.

API security is not a one-and-done proposition but rather an ongoing process that requires time and resources. Perhaps that’s why hackers have had such a heyday exploiting pervasive vulnerabilities. It’s time for that heyday to end.

Thank you for reading! I'd love to know your thoughts in the comments below. For more insights from my experience as a serial entrepreneur and how we can harness the power of software to change the world, be sure to subscribe to Entrepreneurship and Leadership.

Ankit Jain

Assistant Director

1 year

Love this

Amit Sharma

Technology Leader | Director of Technology @Cavisson | Ex TechM | Ex iPolicy Networks

1 year

Nice read, Jyoti Bansal. AppSentinels, you are doing great by solving this critical problem!! At some point in time every single product will require #apisecurity ...

Arko Provo Basu

Customer Success Manager, Astute Planner, Communications Specialist, Six Sigma White Belt, Biker, Google Certified Cloud Digital Leader

1 year

This is very helpful information and it is very well articulated, Jyoti Bansal.
