Robotic Process Automation (RPA): What you need to know about security

There are countless success factors to consider when implementing Robotic Process Automation (RPA). Conversely, if you want to minimize problems with your RPA program over time, there are a few important lessons to learn early on.

One of these should sound familiar to any IT professional: you can’t ignore security.

Just because you’re automating a process doesn’t mean you’ve secured it. In addition, RPA bots – the software that performs various computerized tasks that would otherwise require human effort – carry the same risks as a person using their laptop. Mistakes happen.

In fact, this is the basic reminder here: RPA is just a different kind of software, after all, so of course the potential for security vulnerabilities exists if you’re not careful.

“Like any software, RPA bots can present security risks as a target for attack if the correct procedures and settings are not taken into account,” says Gautam Roy, Head of Product Security at Automation Anywhere.

[ Need straightforward definitions of RPA? Read: How to explain Robotic Process Automation (RPA) in plain English ]

Where do RPA security risks start?

This speaks for one of the overarching things to understand about RPA security: Many of the risks arise from a lack of care or control. A completely ad hoc approach to introducing bots into an organizational process or system is more likely to cause problems than a strategic program. And a general lack of safety hygiene in an organization is not saved by RPA.

A general lack of safety hygiene in an organization is not saved by RPA

This is all good news for teams who are already serious about security, and further boost for those who don’t. Is password hygiene or access management in your company already a mess? This is still a problem when, for example, you are automating certain tasks with RPA.

“Like humans, RPA bots use privileged access to perform their tasks, including connecting to ERP, CRM, or other platforms – and transfer data from one process to the next across systems,” says Roy.

While we tend to attribute many security risks to the human element – this is why phishing scams are so effective, for example – it is important to realize that putting a task on a software bot does not magically prevent human error . Someone has yet to implement and manage this bot.

What are the top RPA risks?

Most RPA security problems can be viewed through one of two overlapping lenses: compliance risk and operational risk, according to Chris Huff, chief strategy officer at Kofax.

“Compliance risks are typically associated with poor RPA governance caused by implementation methods that bypassing best practices for the software development lifecycle related to network security, data protection, and enterprise architecture,” says Huff. “Operational risks include willingness to regulate, put in place guard rails and daily controls that support scalability and business continuity.”

One of the main reasons for RPA is that modern tools offer so-called low-code or no-code paths to implementation. While you can write your own RPA bots from scratch, there are plenty of commercial and open source tools that can get you started with minimal development. Many of these tools have invested in drag-and-drop interfaces or turnkey options to target non-technical users like finance or HR professionals. As a result, it is very possible for a team or department in your company to start a bot without the help of IT – or without letting IT know they are doing it.

[ Related read: Robotic Process Automation (RPA): 6 open source tools ]

That may sound good in companies where the IT teams are already working to their maximum capacity. Cut the CIO at your own risk, however: Failure to collaborate at all on your RPA project can create long-term problems, including unnecessary or invisible security risks. You can eat your cake too, provided you work in a collaborative manner.

Some RPA security risks persist because the person or team implementing RPA has no idea that these risks exist.

“The main source of compliance and operational risk is that organizations take a fragmented approach to starting automation programs,” says Huff. “IT and business leaders need to work together to effectively select the right RPA solution and to design and operate a digital management office (also known as a center of excellence) that supports a model that enables IT to network, data and Address regulatory issues while the company focuses on determining where to apply RPA, contributing to the design and development through citizen developer skills, and maintaining day-to-day operations to keep the RPA bots deployed. “

Think of it as another chapter in shadow IT history: some RPA security risks persist because the person or team implementing RPA has no idea that those risks exist. A cross-functional partnership can alleviate this problem while still allowing teams, as Huff notes, to take advantage of low-code or no-code tools.

Prioritizing security when choosing the RPA tool

With regard to tools, safety must be part of the assessment and selection criteria. This is one of the most important ways IT can help without detracting from the promise of the citizen developer approach mentioned above that Huff mentions.

“When evaluating RPA solutions, it is important to choose a solution that is committed to ensuring that its solution is secure and reliable,” says Roy. “During this verification process, it is important to look for vendors that offer critical security features such as multi-factor authentication, tight access control, encryption, and application security.

Also, keep in mind that RPA on its own isn’t particularly intelligent or adaptable. Some security and reliability issues are introduced due to changes elsewhere.

“Most environments are complex and involve changes on a daily basis, including application fixes, security updates, process changes, and so on,” says Huff.

RPA security” is also about ensuring that your existing programs and processes properly honor RPA bots

Adjacent or complementary technologies such as process orchestration and process mining can be helpful. This is also another reason why a cross-functional partnership (embodied by the approach of the Digital Management Office or the Center of Excellence) is important.

Tom Thaler, Head of Product Management for ARIS at Software AG, shares this scenario: Imagine a company has deployed several RPA bots to carry out repetitive tasks with its ERP system.

“Let’s assume that the ERP system needs to be updated for security reasons or to ensure compliance with new regulations,” says Thaler. “The effects of the update, especially at the interface level, are often unpredictable because IT does not know which robots may be affected – the robots no longer work. It creates a very stressful situation where repairs are needed and critical processes cannot be performed in the desired way. “

With this in mind, “RPA security” is also about ensuring that your existing programs and processes properly account for RPA bots. For example, if we change X, we need to update Y too. Otherwise, you’re going to break things, to put it bluntly.

Make your RPA strategy the core of security

This can be a disadvantage of automation in general: it sounds like it automatically solves all of your problems. Remember, like with other technologies, this does not completely outsource your risks, even if you include security as part of your RPA vendor evaluation criteria.

According to Roy, extending and applying other enterprise software security best practices to RPA is a good place to start. Security is just as much a question of organizational culture as it is of technology – or at least it should be. Again, this is good news for security-minded teams when it comes to rolling out RPA. If you care about security, you are more likely to take smart risk management steps – and these inherently help with RPA security. If you ignore security or treat it as an annoyance or an afterthought, you are likely to be more vulnerable to an incident or attack – and this also increases the unnecessary risk to your RPA program.

“As with other security best practices, those driving the automation effort need to instill a top-to-bottom culture of privacy and risk mitigation in their automation teams,” says Roy.

April 10, 2021