Managing security risks in RPA

RPA is making businesses more efficient, but it also brings security risks. How can these be managed?

Robotic process automation (RPA) is being embraced by an increasing number of companies as a means to increase efficiency at a time when the skills shortage is huge. But many firms are failing to consider the security risks: for example, it’s important to ensure sensitive data is not misused, as a number of privileges are attributed to software robots.

So, how can firms use RPA effectively without impacting security? First, it’s important to understand the risks. A robot working by itself can do anything a human can do, including accessing databases and manipulating services.

This, of course, can streamline processes. But there is a dark side to RPA: “A malicious robot can execute tasks that harm an organisation,” says Itay Reiner, head of product management, process automation solutions, NICE.

Part of the problem is that bots by nature need to access business data. In many cases, this information will be sensitive and must be protected under the rules of the EU General Data Protection Regulation (GDPR). “This data can be breached because a robot has access to it and can therefore manipulate it,” Reiner says.

Adding to this, the bots will be using an organisation’s credentials to log in, so they will need access to passwords.

There can be physical security risks too. As factories and manufacturing lines are turned into enormous computer systems, it is no longer inconceivable that a security or systems failure could have significant real-world consequences, says Coalition CEO Joshua Motta. “If not properly secured, unauthorised access to an RPA system could result in property damage, or even bodily harm.”

Development processes

Many of the security risks in RPA emerge due to issues within the development process, says Devin Gharibian-Saki, chief solutions officer at Redwood Software. He explains: “If you don’t have proper development processes, there is the risk that RPA isn’t built in a secure way.”

And while enterprise apps are built with huge overheads including development and testing, not all RPA implementations are done in this way. This can make them less secure, says Gharibian-Saki.

It can cost more in resources but securing RPA doesn’t need to be complicated. In fact, if used in the right way, RPA can actually be more secure because it reduces the amount of human error, says Nathan Sandel, technical engineer at Integratz.

When introducing the technology, he emphasises the importance of training. He advises: “When a company is looking to implement RPA, we give them a three-day training course – making sure data is organised and contained and compartmentalised.”

In addition, he says firms can gain visibility using tools such as an audit log. “The main RPA providers have audit logs to show who did what and when, so you can see who was using the software,” he explains.

To help regain control, Reiner advises treating the robot like another employee. “There must be governance and change management to control this workforce. For example, what can the robot access and not access? Control any changes; have a complete audit trail of everything the robot has executed to the smallest detail.”

Taking this into account, securing RPA calls for a holistic approach including governance, says Hadi Hosn, global consulting solutions lead at Secureworks. “Have visibility over who within the business should be authorised to create the automation processes and who should be overseeing that programme.”

Then examine data protection, identifying which information falls under GDPR and where it resides. “Doing this as part of your planning will help define the rules as to what you should do with your automation platform,” says Hosn.

Data flow

In order to implement RPA securely, firms need to make sure the data flow is understood. “It should be mapped from day one,” says Sathya Srinvasan, principal solutions architect at Appian. Meanwhile, he says day-to-day users of desktop automation need to be trained on data policies and fully refreshed every six months.

At the same time, data should be encrypted. And of course, identity and access management are important, Hosn says. “Make sure no one could take over that access and use it,” he warns.

In addition, Hosn advises a focus on the security of third-party suppliers. “When it comes to the platform, you need the ability to assess and validate it from a design perspective. You also need to regularly test data handled by those platforms. If it’s an in-house RPA platform, you need to introduce DevSecOps and ensure the right involvement from the team, making sure penetration testing is part of it.”

And overall, Hosn emphasises the importance of security by design. “As you are developing these platforms and making sure your automation programme starts in the right way, ensure the developers have thought about and are integrating security into their process.”

Indeed, whether it’s an in-house or external platform, security should be embedded in RPA from the start. If RPA isn’t built in this way, introducing security can sometimes be a painful exercise, because it is up to senior IT to persuade others of its business value when overheads will increase. Gharibian-Saki asks: “You can get value by automating but if you need more IT people, how are you going to manage that?”

Of course, security best practice is much easier for firms that haven’t started to use RPA technology yet. Reiner recommends that companies new to RPA start small and scale up. He also advises firms to perform a risk assessment: “Understand what can go wrong and how you manage this.”

Securing RPA requires protecting the data itself as well as who has access to it. Therefore, RPA security is much like protecting any other tools used in the business. Reiner says: “Like any enterprise software, it’s important to have security in mind: first and foremost, ensure you comply with security standards. Make sure that every access is authenticated and encrypt and secure data in transit and at rest. Any standards you use elsewhere in the organisation need to be applied to RPA as well.”
