• November 17, 2019
How RPA Can Create Gaps in Your IT Security

RPA implementations exploded in 2018–sales of the technology, which enables companies to automate labor intensive back-office tasks to make business processes more efficient and organizations more productive, grew 63 percent last year, according to Gartner, approaching $1 billion globally. Companies around the world are rushing to implement RPA initiatives they hope will enable them to reduce costs and free up human capital to direct toward more creative, strategic work.

But, while the benefits promised by RPA technology providers are beginning to be realized, network security professionals are concerned that companies, blinded by potential cost savings and productivity gains, are not considering network security as they should.

In certain ways, RPA actually should reduce a company’s overall risk profile. Taking some tasks out of the hands of humans means fewer employees who need–and often fail to adhere to–training on security practices like password management, applications of privacy settings and simple inattention. The risk inherent in human error is also mitigated as more bots are implemented. By eliminating manual work, automation minimizes security risks at a macro level.

When a technology is being adopted as rapidly as RPA, however, it often presents attack surfaces for bad actors that didn’t exist for organizations only a short time before. So, for companies that might not be considering all the implications of an RPA initiative, what are the greatest risks to a company’s security posture?

Consider Access Control

At some point, humans will have to interact with bots. In order for RPA to be effective, humans have to manage, schedule, review and maintain the processes being automated by bots. So, both humans and bots will be users in these processes. Both need secure access to the system, so effective password management is crucial. For people, password reset is a standard procedure. For RPA robots, however, companies may not consider this.

To applications, a bot is just another user that needs a username and password to have access to whatever system it requires. It is vital that IT knows where those credentials are stored both when they are and are not in use by the bot and how they are protected. Credentials that are stored in the robot computer’s memory in clear text could invite an attack by a third party that could gain access to other corporate systems or to sensitive information involved in the automated process itself.

Carelessness with Data

In a changing regulatory environment in which organizations are increasingly liable when data is compromised, organizations have imposed many restrictions on the way people and systems collect, store and transmit data. RPA is new enough and companies are so eager to implement that many enterprises simply forget to apply the same rigor to bots.

Regulation around data protection at the global, national and state levels has changed how and–importantly–where data can be transmitted. Under the E.U.’s General Data Protection Regulation (GDPR), data cannot leave the region. That restriction is not baked in to most RPA software, so organizations must remember to account for it. Often they do not.

Data storage is another area that has been widely addressed by enterprises, but often is neglected once a process has been automated. Once a task has been completed in an RPA environment it is vital that any sensitive data is removed from the process.

Unauthorized Access Through Peripherals

RPA robots use the same steps in a process that humans do. When they run on workstations, they use the same keyboard and mouse inputs that a person does. An internal attack by someone with physical access to those peripherals could change data or change the bot’s processing.

Disabling the physical keyboard and mouse while a bot is running is a feature of some RPA solutions and should be leveraged where possible.

Recommendations


To read the final part of this full length feature article, PLEASE fill in the form below, it’s FREE and then the article will automatically display.

PLUS: Additional Benefits Include:

  • Unlimited access to the entire RPA Today site
  • Receive our RPA Today Newsletter

Please take a moment and register.

Show Privacy Policy and Terms and Conditions

Already a Member?
Please use the login form in the right column to view content.

Forget your password?
Send us an email (info@RPA-Today.com) and we’ll respond ASAP.