Robotic process automation (RPA) is being embraced by an increasing number of companies as a means to increase efficiency at a time when the skills shortage is huge. But many firms are failing to consider the security risks: For example, it’s important to ensure sensitive data is not misused as a number of privileges are attributed to software robots.
So, how can firms use RPA effectively without impacting security? First, it’s important to understand the risks. A robot working by itself can do anything a human can do, including accessing databases and manipulating services.
This, of course, can streamline processes. But there is a dark side to RPA: “A malicious robot can execute tasks that harm an organisation,” says Itay Reiner, head of product management, process automation solutions, NICE.
Part of the problem is that bots by nature need to access business data. In many cases, this information will be sensitive and must be protected under the rules of the EU General Data Protection Regulation (GDPR). “This data can be breached because a robot has access to it and can therefore manipulate it,” Reiner says.
Adding to this, the bots will be using an organisation’s credentials to log in, so they will need access to passwords.
There can be physical security risks too. As factories and manufacturing lines are turned into enormous computer systems, it is no longer inconceivable that a security or systems failure could have significant real-world consequences, says Coalition CEO Joshua Motta. “If not properly secured, unauthorised access to an RPA system could result in property damage, or even bodily harm.”
Development processes
Many of the security risks in RPA emerge due to issues within the development process, says Devin Gharibian-Saki, chief solutions officer at Redwood Software. He explains: “If you don’t have proper development processes, there is the risk that RPA isn’t built in a secure way.”
And while enterprise apps are built with huge overheads including development and testing, not all RPA implementations are done in this way. This can make them less secure, says Gharibian-Saki.
It can cost more in resources but securing RPA doesn’t need to be complicated. In fact, if used in the right way, RPA can actually be more secure because it reduces the amount of human error, says Nathan Sandel, technical engineer at Integratz.
When introducing the technology, he emphasises the importance of training. He advises: “When a company is looking to implement RPA, we give them a three-day training course – making sure data is organised and contained and compartmentalised.”
In addition, he says firms can gain visibility using tools such as an audit log. “The main RPA providers have audit logs to show who did what and when, so you can see who was using the software,” he explains.
To help regain control, Reiner advises treating the robot like another employee. “There must be governance and change management to control this workforce. For example, what can the robot access and not access? Control any changes; have a complete audit trail of everything the robot has executed to the smallest detail.”
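The audit logs Sandel describes and Reiner's advice to treat the robot like another employee (an allow-list of what it may access, and a complete trail of what it executed) can be shown together in code. The following Python is an added example, not code from the article or from any RPA vendor: it assumes a hypothetical per-robot policy table (ROBOT_POLICIES), a single RobotGateway choke point through which the robot reaches business systems, and constructed stand-in back-end functions. Each audit entry commits to the hash of the previous one, so an edited or deleted entry is detectable when the trail is verified.

```python
"""Least-privilege gateway plus hash-chained audit trail for a software robot.
Added illustration only; the policy table and back-ends are constructed."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Hypothetical allow-lists, one per robot identity (constructed for this example).
# Each robot gets only the (system, action) pairs its process needs, the way a
# human employee gets a role rather than blanket access.
ROBOT_POLICIES = {
    "invoice-bot": {("erp", "read_invoice"), ("erp", "post_payment")},
    "hr-report-bot": {("hr_db", "read_headcount")},
}

GENESIS = "0" * 64  # hash the first entry chains to


def _digest(entry):
    # Hash the entry without its own "hash" field; sort_keys gives a canonical form.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditTrail:
    """Append-only log in which every entry records the previous entry's hash."""
    entries: list = field(default_factory=list)
    prev_hash: str = GENESIS

    def record(self, robot, system, action, params, outcome):
        entry = {
            "ts": time.time(),
            "robot": robot,
            "system": system,
            "action": action,
            "params": params,
            "outcome": outcome,
            "prev": self.prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        # Walk the chain; any edited, removed or reordered entry breaks a link.
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RobotGateway:
    """Single choke point: every robot action is policy-checked and logged here."""

    def __init__(self, policies, trail):
        self.policies = policies
        self.trail = trail

    def execute(self, robot, system, action, params, handler):
        if (system, action) not in self.policies.get(robot, set()):
            # Denied attempts are logged too; they are the interesting events.
            self.trail.record(robot, system, action, params, "denied")
            raise PermissionError(f"{robot} may not {action} on {system}")
        result = handler(params)
        self.trail.record(robot, system, action, params, "ok")
        return result


# Constructed stand-ins for real back-end calls.
def read_invoice(params):
    return {"invoice": params["id"], "amount": 120.0}


def post_payment(params):
    return {"paid": params["id"]}


def run_demo():
    """One permitted action, one out-of-policy attempt, then chain verification."""
    trail = AuditTrail()
    gw = RobotGateway(ROBOT_POLICIES, trail)
    results = {}
    results["read"] = gw.execute("invoice-bot", "erp", "read_invoice",
                                 {"id": "INV-1"}, read_invoice)
    try:
        gw.execute("hr-report-bot", "erp", "post_payment", {"id": "INV-1"}, post_payment)
        results["hr_post"] = "allowed"
    except PermissionError:
        results["hr_post"] = "denied"
    results["chain_ok"] = trail.verify()
    return results, trail


if __name__ == "__main__":
    results, trail = run_demo()
    print(results)
    for e in trail.entries:
        print(e["robot"], e["system"], e["action"], e["outcome"], e["hash"][:12])
```

In a real deployment the policy table would live in the RPA platform's role configuration and the trail would be shipped to a log store the robot's own credentials cannot write to; the point here is that access decisions and the audit record come from one gateway rather than from the individual bot scripts.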
Taking this into account, securing RPA calls for a holistic approach including governance, says Hadi Hosn, global consulting solutions lead at Secureworks. “Have visibility over who within the business should be authorised to create the automation processes and who should be overseeing that programme.”
Then examine data protection, identifying which information falls under GDPR and where it resides. “Doing this as part of your planning will help define the rules as to what you should do with your automation platform,” says Hosn.
Data flow
In order to implement RPA securely, firms need to make sure the data flow is understood. “It should be mapped from day one,” says Sathya Srinvasan, principal solutions architect at Appian. Meanwhile, he says day-to-day users of desktop automation need to be trained on data policies and fully refreshed every six months.
At the same time, data should be encrypted. And of course, identity and access management are important, Hosn says. “Make sure no one could take over that access and use it,” he warns.
In addition, Hosn advises a focus on the security of third-party suppliers. “When it comes to the platform, you need the ability to assess and validate it from a design perspective. You also need to regularly test data handled by those platforms. If it’s an in-house RPA platform, you need to introduce DevSecOps and ensure the right involvement from the team, making sure penetration testing is part of it.”
And overall, Hosn emphasises the importance of security by design. “As you are developing these platforms and making sure your automation programme starts in the right way, ensure the developers have thought about and are integrating security into their process.”
Indeed, whether it’s an in-house or external platform, security should be embedded in RPA from the start. If RPA isn’t built in this way, introducing security can sometimes be a painful exercise, because it is up to senior IT to persuade others of its business value when overheads will increase. Gharibian-Saki asks: “You can get value by automating but if you need more IT people, how are you going to manage that?”
Of course, security best practice is much easier for firms that haven’t started to use RPA technology yet. Reiner recommends that companies new to RPA start small and scale up. He also advises firms to perform a risk assessment: “Understand what can go wrong and how you manage this.”
Securing RPA requires protecting the data itself as well as who has access to it. Therefore, RPA security is much like protecting any other tools used in the business. Reiner says: “Like any enterprise software, it’s important to have security in mind: first and foremost, ensure you comply with security standards. Make sure that every access is authenticated and encrypt and secure data in transit and at rest. Any standards you use elsewhere in the organisation need to be applied to RPA as well.”