Thales Group - Experts & Thought Leaders

Thales, the cybersecurity pioneer that protects critical applications, APIs, and data, anywhere at scale, releases the “Economic Impact of API and Bot Attacks” report. The analysis of more than 161,000 unique cybersecurity incidents uncovers the rising global costs of vulnerable or insecure APIs and automated abuse by bots, two security threats that are increasingly interconnected and prevalent. The report estimates that API insecurity and bot attacks result in up to $186 billion of losses for businesses around the world. Automated API abuse The report is based on a study conducted by the Marsh McLennan Cyber Risk Intelligence Center which found that larger organisations were statistically more likely to have a higher percentage of security incidents that involved both insecure APIs and bot attacks. Enterprises with revenues of more than $1 billion were 2-3x more likely to experience automated API abuse by bots than small or mid-size businesses. The study suggests that large companies are particularly vulnerable to security risks associated with automated API abuse by bots because of complex and widespread API ecosystems that often contain exposed or insecure APIs. Digital services Data from the Imperva Threat Research team finds that the average enterprise managed 613 API endpoints Enterprises rely heavily on APIs to enable seamless communication between diverse applications and services. Data from the Imperva Threat Research team finds that the average enterprise managed 613 API endpoints in production in 2023.  That number is growing rapidly as businesses face mounting pressure to deliver digital services with greater agility and efficiency. 30% of API attacks Due to this increased reliance and their direct access to sensitive data, APIs have become attractive targets for bot operators. In 2023, automated threats generated by bots accounted for 30% of all API attacks, according to data from Imperva Threat Research. Automated API abuse by bots costs organisations up to $17.9 billion in losses annually. As the number of APIs in production multiplies, cybercriminals will increasingly use automated bots to find and exploit API business logic, circumvent security measures, and exfiltrate sensitive data. Holistic approach “Businesses across the world must address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden,” says Nanhi Singh, General Manager of Application Security at Imperva, a Thales company. “The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks.” Report trends Some of the key trends identified in the report include: Increased API adoption and usage are growing the attack surface: The rapid adoption of APIs, the inexperience of many API developers, and lack of collaboration between security and development teams have led insecure APIs to result in up to $87 billion of losses annually, a $12 billion increase from 2021. Bots negatively impact organisations’ bottom line: The widespread availability of attack tools and generative AI models has enhanced bot evasion techniques and enabled even low-skilled attackers to launch sophisticated bot attacks. Up to $116 billion of losses annually can be attributed to automated attacks by bots. API and bot-related security incidents are becoming more frequent: In 2022, API-related security incidents rose by 40%, and bot-related security incidents spiked by 88%. These increases were fueled by a rise in digital transactions, the expanding use of APIs, and geopolitical tensions like the Russia-Ukraine conflict. In the following year 2023, as digital traffic began to stabilise and the pandemic-driven surge in internet activity subsided, the frequency of these incidents moderated. API-related security incidents grew by 9%, while bot-related security incidents jumped by 28%. The overall upward trend in attacks highlights the growing persistence and frequency of these threats. Insecure APIs and bot attacks pose a significant threat to large enterprises: Companies with revenue of at least $100 billion are most likely to suffer security incidents related to insecure APIs or bot attacks. These threats constitute up to 26% of all security incidents experienced by such businesses. Countries around the globe are vulnerable to API and bot attacks: Brazil experienced the highest percentage of events related to insecure APIs or bot attacks, with the threats accounting for up to 32% of all observed security incidents. This was closely followed by France (up to 28%), Japan (up to 28%), and India (up to 26%). While the percentage of events attributed to API and bot-related security incidents was lower in the United States, 66% of all reported events related to vulnerable APIs or automated abuse by bots occurred within the country. Generative AI applications “Reliance on APIs will continue to grow exponentially, driving connections to generative AI applications and large language models,” adds Singh. “At the same time, generative AI will also empower cybercriminals to create sophisticated bots at an accelerated and alarming rate." "As API ecosystems expand and bots become more advanced, organisations should anticipate a significant rise in the economic impact of automated API abuse by bots unless proactive measures are taken.”

Thales, the global technology and security provider announced the SafeNet IDPrime FIDO Bio Smart Card, a security key that enables strong multi-factor authentication (MFA) for the enterprise. This new contactless smart card allows users to quickly and securely access enterprise devices, applications, and cloud services using a fingerprint instead of a password. Stealing credential challenges According to the 2023 Verizon Data Breach Investigations Report, the three primary ways in which attackers access an organisation are stolen credentials, phishing, and exploitation of vulnerabilities. 49% of all breaches involved stolen credentials. With these threats top of mind for organisations moving to the cloud, many are grappling with low user adoption of MFA, which is often cited as cumbersome. SafeNet IDPrime FIDO Bio Smart Card The smart cards also support contactless capabilities, which allows users to simply tap the card The SafeNet IDPrime FIDO Bio Smart Card facilitates end-user adoption of passwordless MFA, allowing users to easily enroll and authenticate using biometrics. Instead of using a password, users can access with a fingerprint, using the on-card sensor. The smart cards also support contactless capabilities, which allow users to simply tap the card on any device supporting NFC. For enterprise users, this smart card provides multiple benefits including better speed, security, and convenience than traditional passwords. Data privacy Using these security keys, users can be assured of strong protection against account takeover and phishing on enterprise devices. User biometrics are securely stored in the card’s chip and never leave the smart card itself, ensuring a strong level of data privacy. This solution can be used for all digital resources supporting the FIDO2 standard, including Windows, Mac, Linux, and more. FIDO security keys Thales is a pioneer in biometrics, proving success with contactless biometric payment cards in highly regulated sectors. The addition of the SafeNet IDPrime FIDO Bio Smart Card further enriches its existing portfolio of FIDO security keys providing enterprise customers with the same secure biometric capabilities. MFA adoption as a barrier The human factor continues to be a challenging pain point in the modern enterprise, with shifts to remote work" Danny de Vreeze, Vice President, Identity and Access Management Products at Thales, “The human factor continues to be a challenging pain point in the modern enterprise, with shifts to remote work and the cloud expanding many organisations’ attack surfaces." "MFA adoption has been a common barrier to ensuring security, as many users find it cumbersome and choose to bypass it." Physical form factor "The SafeNet IDPrime FIDO Bio Smart Card helps to solve this challenge, introducing a physical form factor to strengthen security, while also providing a user experience that is both quick and seamless." "Adding to a strong portfolio of FIDO-supported security keys and solutions, this product is on the cutting edge of phishing-resistant authentication.”

Following the announcement of Microsoft Copilot recently, Thales wanted to share this comment from Chris Harris, EMEA Technical Director. Chris discusses the potential security pitfalls of this technology and highlights what businesses will need to consider before it’s adopted within an organisation. Productivity gamechanger Chris Harris said, “Navigating workplace productivity tools can be very, well…unproductive. No doubt then that many workers and businesses will be excited by this latest development from Microsoft." "Less time typing meeting notes, the first cut of a PowerPoint presentation completed in seconds, emails automatically drafted… Microsoft is right in dubbing Copilot a ‘productivity game changer’." ChatGPT style technology Copilot puts ChatGPT-style technology directly into the daily lives of workers" He continues, “However, while businesses may already be calculating how much time they’ll save in admin, they’d do well not to get too excited." "This development puts ChatGPT style technology directly into the daily lives of workers, into the tools we all use universally to connect with colleagues and clients and we cannot overlook the potential risks to data privacy." Copilot Copilot will draft presentations, spreadsheets, and emails based on data that already exists within that company’s server. So, in theory, if an employee wanted to send a campaign report to a customer, they can instruct Copilot to do so, and the technology will pull the relevant data it sees on the system.  Pitfalls  Would Copilot be smart enough to restrict the data that it pulls? Sounds simple enough, but this is filled with potential security pitfalls. What if that employee in question shouldn’t have access to such information? Would Copilot be smart enough to restrict the data that it pulls? Robust access management protocols Chris Harris adds, “There’s also the risk of the technology pulling data that it shouldn’t. For example, if it misunderstands the instruction and pulls data from another client’s project." "The technology is not infallible, and throws human error into the mix and companies could very easily wind up with a data privacy nightmare. Companies implementing Copilot must be vigilant to ensure sensitive data stays protected, and that robust access management protocols are respected from the get-go.”

The global biometrics market has been recently developing rapidly, and this trend will continue shortly. If in 2018 its volume was estimated at $23.4 billion, according to the forecast of the analytical company BCC Research, the market size may increase to $71.6 billion with an average annual growth rate of 23.2 % by 2024. Fingerprint scanning, facial recognition, iris, vein, and voice technologies are expected to be implemented at the fastest pace. The analysis is based on the revenue indicators of key players depending on segments, including hardware, software, and integration. Biometric electronic documents Another analytical Agency, Acuity Research, estimates that the number of biometric electronic IDs will increase by about 3.5 billion electronic documents in the world. Moreover, more than half of the UN member States issue biometric passports. Government and private contracts of Canada, the United States, Belarus, Ukraine, Moldova, Lithuania, Hungary, Bangladesh, Senegal, and other countries are examples of implementation of programs for the transition to biometric electronic documents. Government organisations in various countries believe that biometrics is one of the most effective ways to identify refugees and those who cross the border. Now there are a lot of projects which are based on biometric technology. Biometric identification system Perhaps one of the most ambitious is the Aadhaar project being implemented in India Perhaps one of the most ambitious is the Aadhaar project being implemented in India. It is a biometric identification system that contains the data of more than a billion people. The database contains about 10 billion fingerprint templates, two billion iris templates, and a billion photos. There is another ambitious project at the Nairobi Jomo Kenyatta International Airport, where RecFaces company has implemented a passenger facial identification ready-made solution, that helps the security guards to receive notifications about airport visitors in just a few seconds and increase the efficiency of security services at least by 30%. The introduction of biometric identification of passengers aimed at increasing the level of airport security, as well as quickly obtaining information about the detection of wanted persons, stored in the long-term archive. Automated control gates As another example, face match is used at border checks to compare the portrait on a digitised biometric passport with the holder's face. In 2017, Thales company was responsible for supplying the new automated control gates for the system of Automated Fast Track Crossing at External Borders at Roissy Charles de Gaulle airport in Paris. This solution has been devised to facilitate evolution from fingerprint recognition to facial recognition This solution has been devised to facilitate evolution from fingerprint recognition to facial recognition during. Governmental systems, SmartCity, airports projects using identification technologies day by day become our reality and influence the growth of the biometrics market globally. Countries are studying the experience of each other and adopting it. Paperless payment technologies The global market of biometrics will shift all industries, starting from the transportation facilities especially airports, where a transition from traditional VMS and ACS to paperless biometric self-Boarding systems will be carried out. Sports facilities will see the development of paperless payment technologies at cash desks, and the banking sector — the payment systems with remote customer identification. HoReCa will transfer from staff time tracking systems to biometric payment systems, biometric check—in systems and the use of biometric identifiers. To sum up there are two most significant drivers of this growth are surveillance in the public sector and numerous other applications in diverse market segments.