Security researchers have suggested that over a quarter of all cyber-attacks (28%) in the UK have hit the financial services and insurance (FSI) industry in the last 12 months.
The data comes from the Imperva cybersecurity team via email, who also said that application programming interface (API) attacks, bad bots and DDoS attacks were the industry’s three most significant security challenges over the last year.
“The scale of the shadow API problem should be a concern for every business,” commented Andy Zollo, regional vice president for EMEA at Imperva.
According to the executive, the idea that a third of all that traffic goes unmonitored indicates that organizations urgently need to revise their API protection strategies.
“APIs connect directly to the data layer, so businesses have to see API security as an extension of their data security strategy,” Zollo added. “Every organization needs full visibility over every API in their environment, what data is flowing through each one, and who’s accessing it.”
The claims come almost four years after Open Banking started requiring banks and other FSI businesses to enable third-party providers to access customers’ banking data via APIs.
According to Imperva, this has not only dramatically increased the amount of sensitive financial data these entities exchange but also significantly increased the number of APIs in use in the FSI industry.
“The scale of unmonitored API traffic is substantially higher than in other industries, suggesting that FSI companies’ implementation of Open Banking standards may have inadvertently created a serious, industry-wide security threat,” reads the report.
As for figures concerning “bad bots,” Imperva explained that these automated, malicious software applications were responsible for more than a quarter (27%) of all traffic to financial businesses last year.
Account takeover (ATO) attempts also heavily targeted the FSI industry, with roughly 40% of all ATOs hitting financial websites.
More information about threats connected with API use can be found in this article by security writer PJ Bradley.