by Jeremy Ventura, Field CISO, Myriad360
When people think about cybersecurity, they usually imagine ransomware attacks, phishing scams, or data breaches caused by stolen credentials. But the reality is that some of the biggest risks to organizations today are hidden in plain sight. APIs—the connective tissue of modern business—are everywhere, yet few companies prioritize securing them. And that’s a problem because the threats are growing faster than most organizations can respond.
At a recent conference, I heard a story about a healthcare company that was hit hard when an API their marketing department set up failed. Nobody knew who owned it—marketing, IT, or security. The fallout disrupted critical operations, and the lesson was painfully clear: APIs might seem like background technology, but when they fail, the whole organization feels it.
APIs are no longer just technical tools for developers; they’ve become the backbone of how businesses operate. Every time your banking app updates your account balance or you book a ride through a ridesharing app, APIs are doing the heavy lifting behind the scenes.
Their role is only growing. Businesses are evolving into platform ecosystems, and APIs are the glue holding them together. As companies adopt cloud and AI systems, API usage skyrockets. Among Salt Security customers, the volume of monthly API calls grew by 51% in just one year. The downside? Malicious API traffic increased by 211% over the same period. Attackers know how valuable APIs are, and they’re taking advantage of the security gaps most organizations ignore.
When APIs are hacked, the damage ripples across an entire organization. Attackers aren’t targeting small-time operations—they’re going after major players. Peloton, Facebook, Walgreens, and T-Mobile have all suffered significant breaches through API vulnerabilities. For example, T-Mobile’s breach in early 2023 exposed data from 37 million accounts, including billing addresses, dates of birth, and other sensitive information.
These aren’t isolated incidents. At a conference, I asked 300 people in the room if they understood API security, and nearly everyone raised their hand. Then I asked how many had robust API protections in place. Only a handful of hands stayed up. This disconnect is a recurring theme. Companies know APIs are critical to their operations, but they fail to secure them because the responsibility is unclear. When these vulnerabilities are exploited, the result is disrupted services, lost revenue, and damaged reputations.
The biggest issue with APIs is ownership. Security, development, and IT often play a game of hot potato, leaving gaps in oversight. At that same conference, I asked a simple question: who’s responsible for fixing a broken API? Heads nodded as I laid out the problem. Marketing might have bought the tool, but IT deployed it, and security is just expected to monitor it. That lack of clarity is why APIs so often go unsecured.
Rapid deployment is another issue. APIs are rushed into production to meet deadlines, leaving security as an afterthought. Developers focus on functionality, not risk. And with tools like AI copilots generating code, the risks grow larger. People copy and paste solutions without vetting them, trusting these tools to prioritize security when they don’t.
Organizations also hesitate to invest in API security because breaches feel like someone else’s problem—until they happen. If an API hasn’t been exploited yet, the mindset often is, “Why fix it?” But as attackers increasingly target APIs, this complacency will only lead to more disasters.
The way forward starts with ownership. Every API needs a clear owner responsible for its security. Whether that’s the development team, IT, or security, someone has to monitor it, patch it, and ensure it’s not introducing vulnerabilities.
Security also has to shift from being reactive to proactive. Testing APIs regularly, embedding secure coding practices into development workflows, and addressing vulnerabilities before deployment are critical steps. Security teams need to evolve from being perceived as “the department of no” to being true partners in safe innovation.
Finally, API security must become part of a broader organizational strategy. As companies adopt AI, cloud, and other technologies, APIs will continue to grow in importance. They’re not going away. The real question is whether we’ll secure them before they become the next big attack vector.
APIs might be invisible to most people, but they’re the lifeblood of modern business. If we don’t take their security seriously, we’re setting ourselves up for failure. It’s time to change that mindset.