RPA implementations exploded in 2018–sales of the technology, which enables companies to automate labor intensive back-office tasks to make business processes more efficient and organizations more productive, grew 63 percent last year, according to Gartner, approaching $1 billion globally. Companies around the world are rushing to implement RPA initiatives they hope will enable them to reduce costs and free up human capital to direct toward more creative, strategic work.
But, while the benefits promised by RPA technology providers are beginning to be realized, network security professionals are concerned that companies, blinded by potential cost savings and productivity gains, are not considering network security as they should.
In certain ways, RPA actually should reduce a company’s overall risk profile. Taking some tasks out of the hands of humans means fewer employees who need–and often fail to adhere to–training on security practices like password management, applications of privacy settings and simple inattention. The risk inherent in human error is also mitigated as more bots are implemented. By eliminating manual work, automation minimizes security risks at a macro level.
When a technology is being adopted as rapidly as RPA, however, it often presents attack surfaces for bad actors that didn’t exist for organizations only a short time before. So, for companies that might not be considering all the implications of an RPA initiative, what are the greatest risks to a company’s security posture?
Consider Access Control
At some point, humans will have to interact with bots. In order for RPA to be effective, humans have to manage, schedule, review and maintain the processes being automated by bots. So, both humans and bots will be users in these processes. Both need secure access to the system, so effective password management is crucial. For people, password reset is a standard procedure. For RPA robots, however, companies may not consider this.
To applications, a bot is just another user that needs a username and password to have access to whatever system it requires. It is vital that IT knows where those credentials are stored both when they are and are not in use by the bot and how they are protected. Credentials that are stored in the robot computer’s memory in clear text could invite an attack by a third party that could gain access to other corporate systems or to sensitive information involved in the automated process itself.
Carelessness with Data
In a changing regulatory environment in which organizations are increasingly liable when data is compromised, organizations have imposed many restrictions on the way people and systems collect, store and transmit data. RPA is new enough and companies are so eager to implement that many enterprises simply forget to apply the same rigor to bots.
Regulation around data protection at the global, national and state levels has changed how and–importantly–where data can be transmitted. Under the E.U.’s General Data Protection Regulation (GDPR), data cannot leave the region. That restriction is not baked in to most RPA software, so organizations must remember to account for it. Often they do not.
Data storage is another area that has been widely addressed by enterprises, but often is neglected once a process has been automated. Once a task has been completed in an RPA environment it is vital that any sensitive data is removed from the process.
Unauthorized Access Through Peripherals
RPA robots use the same steps in a process that humans do. When they run on workstations, they use the same keyboard and mouse inputs that a person does. An internal attack by someone with physical access to those peripherals could change data or change the bot’s processing.
Disabling the physical keyboard and mouse while a bot is running is a feature of some RPA solutions and should be leveraged where possible.
Recommendations
[um_loggedin]The most important step an organization can take to secure the processes being automated by RPA and protect the data being processed is to tightly control access to the live RPA environment. Every user–bot or human–must have proper login credentials so only specific individuals can access sensitive data in the system. Comprehensive tracking and logging of the processes automated by RPA is crucial.
Make sure security is baked into development. While enterprise apps are built with huge overheads including development and testing, not all RPA implementations are done in this way in this way.
Examine data protection. Identify information in each process that falls under GDPR or other data security regulations and pinpoint where it resides. Securing RPA requires protecting the data itself as well as who has access to it.
Use encryption. High-level encryption protocols protect the management details of the credential vault.[/um_loggedin][um_loggedout]
[/um_loggedout]
