Robotic process automation (RPA) was first used to execute predetermined, rules-based tasks twenty or so years ago. Since then, RPA has functioned as a virtual workforce for businesses, which benefit from its power to collect data, execute processes rapidly and unerringly, and facilitate higher levels of quality — while enhancing customer satisfaction.
We’ve previously addressed at length the opportunity provided by RPA across multiple process areas and industries. The intent of this post is to explore some of the potential risks that can be introduced as a result of deploying this technology, as well as considerations for mitigating these risks so as not to derail value realization. As businesses seek to maximize the benefits of RPA, each enterprise must articulate its own risk appetite and risk tolerance, striking a balance between agility and diligence that does not put achieving value and strategic objectives at risk.
Bots are beneficial, but care must be taken
Businesses have embraced RPA for certain compelling business cases that can be identified and realized quickly, such as the execution of routine tasks faster and without keying errors. These efficiencies give employees time for higher-order responsibilities that benefit the business — like working on innovations to create new opportunities. By operating constantly and consistently, RPA increases productivity and drives down costs. It offers measurable benefits in data collection, regulatory compliance, auditing, customer satisfaction, risk mitigation and quality assurance.
RPA platforms have become very powerful, particularly when paired with other forms of artificial intelligence like machine learning, natural language processing and visual computing. What’s more, fully functioning RPA development tools are now available directly to end users/business users. Various enterprise applications (even office productivity software) enable end users to program bots for routine tasks, realizing the promise of low-code technology democratization.
However, when individuals automate tasks on their own, this activity often takes place beyond the reach of code standards and enterprise-wide architectural oversight. User-programmed bots may end up with inferior security, which could permit non-encrypted movement of data, resulting in data leaks. Poorly designed bots could disclose financial information, marketing plans, upcoming projects and other mission-critical data to unauthorized users. And many recent RPA automations operate in the cloud, which could place sensitive or proprietary data beyond the bounds of the enterprise computing environment.
Examples of RPA security risks
An example of a risk introduced by RPA technology involves the use of attended desktop automation, in which a bot clicks a button, which runs a task and produces results in the same manner as an end-user. The bot uses the credentials of the logged-on user while running the automated process. For example, the user may have permissions to send emails externally or even to access a corporate bank account. Consider what it means when a bot undertakes those actions repeatedly with limited supervision or control. Bots might access high-risk information in the interest of agility, such as human resources and financial data or competitive strategy. They could also activate processes vulnerable to fraud, like accounts payable and payroll, or launch interactions with external parties where contractual obligations and regulations apply.
Hackers are interested
With increased usage and increased value, bots could become potential targets for cyberattacks as well. Consider this:
- Bots that access enterprise systems are encoded with credentials to carry out tasks. That coding makes them susceptible to hackers looking to retrieve user IDs and passwords, breach systems, and steal or misuse sensitive business information.
- Bots can be retrained by malicious actors to disrupt significant business operations related to clients, orders or transactions.
- If a bad actor discovers that critical email inboxes are monitored and processed by bots, this could lead to vulnerabilities being exploited.
It is true that vendor-sourced RPA products have a degree of security and provide features to make the implementation of bots more secure. Leading RPA technologies such as UiPath have ISO 27001 certification, for example. But the security features provided by these products alone do not comprehensively address security risks.
An RPA platform security strategy must be adopted to mitigate the increased vulnerability to financial, legal and regulatory risk that bots may introduce. By revising and expanding existing governance, security and audit mechanisms, leaders can protect the enterprise from the risks related to the RPA opportunity.
Establishing a security framework for RPA platforms
“Framework” implies a strategy for using technology. An RPA framework pertains to any technology that enables development and deployment of bots, including enterprise software. Defining such a framework is the initial step of any automation implementation; it precedes and overarches individual bot production deployment. It’s upstream from security considerations specific to any one automation.
Business leaders will want to invite IT and cybersecurity into RPA decision-making to reduce risk. Ideally, they’ll enlist these experts before automations are deployed to production, if not prior to development. Most enterprises already have architecture review boards and other governance structures to oversee the acquisition, development and operation of systems. These existing governance mechanisms can work hand in hand with RPA/Automation Centers of Excellence to extend established best practices.
A framework for RPA security developed in collaboration with the above-mentioned groups would articulate practices for building and acquiring bots and tracking bots in operation. Objectives include:
- Helping users understand and recognize the automations that the RPA framework governs.
- Securing RPA platforms — and RPA features in enterprise applications.
- Articulating a risk-based approach to bot management, bot access management and bot monitoring.
- Enforcing design principles that mitigate RPA risk, like keeping a human in the loop and segregating duties.
- Ensuring that bots are centrally onboarded, offboarded and managed throughout their lifecycles.
- Securing RPA DevOps processes — segregating bot development from bot deployment and managing permissions assigned to individuals who build and deploy bots.
- Monitoring bots in operation; reviewing bots for alignment to changing policies and adherence to standards and fit for purpose.
- Managing bot identity, access and privileges.
- Maintaining an inventory of bots for periodic audit.
- Monitoring data processed by bots, scanning bots for vulnerabilities and modeling threats to reveal system flaws and gaps.
New responsibilities for the business — and IT
While it’s the business that typically drives RPA acquisition, adoption and use, IT and cybersecurity can advise on bot design decisions and make recommendations to reduce risk – for example:
- Ensuring that each bot is managed via a unique identity and risk profile. For instance, does a bot send email, make payments, or interact with external systems? These characteristics contribute to risk profiling.
- Ensuring credentials are unique per bot (especially for traceability when connecting with external systems) and that an encrypted vault protects sensitive information.
- Using appropriate authentication and authorization methods and controls; controlling bot accesses through a central enterprise access and authorization system.
- Ensuring control checks are built into bot logic.
- Periodic bot recertification, including reviewing functions, ownership and stewardship.
- Monitoring the data processed by each bot.
- Scanning bots periodically for vulnerabilities.
RPA capabilities will continue to advance, creating new opportunities for businesses to speed productivity, reduce errors and drive down costs — as well as other benefits we can’t foresee today. To achieve the significant synergies offered by automation, organizations should make RPA part of the technology strategy, elevating it to the level of other IT and business processes governance. Engaging technology partners to apply proven security practices to RPA is an effective tactic to achieve RPA benefits without incurring unnecessary risks.
Jim McDonald, Associate Director with Protiviti’s Security and Privacy practice, contributed to this content.