How RPA Can Create Gaps in Your IT Security – Automation Today: Publication & Newsletter

RPA implementations exploded in 2018–sales of the technology, which enables companies to automate labor intensive back-office tasks to make business processes more efficient and organizations more productive, grew 63 percent last year, according to Gartner, approaching $1 billion globally. Companies around the world are rushing to implement RPA initiatives they hope will enable them to reduce costs and free up human capital to direct toward more creative, strategic work.

But, while the benefits promised by RPA technology providers are beginning to be realized, network security professionals are concerned that companies, blinded by potential cost savings and productivity gains, are not considering network security as they should.

In certain ways, RPA actually should reduce a company’s overall risk profile. Taking some tasks out of the hands of humans means fewer employees who need–and often fail to adhere to–training on security practices like password management, applications of privacy settings and simple inattention. The risk inherent in human error is also mitigated as more bots are implemented. By eliminating manual work, automation minimizes security risks at a macro level.

When a technology is being adopted as rapidly as RPA, however, it often presents attack surfaces for bad actors that didn’t exist for organizations only a short time before. So, for companies that might not be considering all the implications of an RPA initiative, what are the greatest risks to a company’s security posture?

Consider Access Control

At some point, humans will have to interact with bots. In order for RPA to be effective, humans have to manage, schedule, review and maintain the processes being automated by bots. So, both humans and bots will be users in these processes. Both need secure access to the system, so effective password management is crucial. For people, password reset is a standard procedure. For RPA robots, however, companies may not consider this.

To applications, a bot is just another user that needs a username and password to have access to whatever system it requires. It is vital that IT knows where those credentials are stored both when they are and are not in use by the bot and how they are protected. Credentials that are stored in the robot computer’s memory in clear text could invite an attack by a third party that could gain access to other corporate systems or to sensitive information involved in the automated process itself.

Carelessness with Data

In a changing regulatory environment in which organizations are increasingly liable when data is compromised, organizations have imposed many restrictions on the way people and systems collect, store and transmit data. RPA is new enough and companies are so eager to implement that many enterprises simply forget to apply the same rigor to bots.

Regulation around data protection at the global, national and state levels has changed how and–importantly–where data can be transmitted. Under the E.U.’s General Data Protection Regulation (GDPR), data cannot leave the region. That restriction is not baked in to most RPA software, so organizations must remember to account for it. Often they do not.

Data storage is another area that has been widely addressed by enterprises, but often is neglected once a process has been automated. Once a task has been completed in an RPA environment it is vital that any sensitive data is removed from the process.

Unauthorized Access Through Peripherals

RPA robots use the same steps in a process that humans do. When they run on workstations, they use the same keyboard and mouse inputs that a person does. An internal attack by someone with physical access to those peripherals could change data or change the bot’s processing.

Disabling the physical keyboard and mouse while a bot is running is a feature of some RPA solutions and should be leveraged where possible.

Recommendations

This content has been restricted to logged in users only. Please login to view this content.

To read the final part of this full length feature article, PLEASE fill in the form below, it’s FREE and then the article will automatically display.

PLUS: Additional Benefits Include:

Unlimited access to the entire RPA Today site
Receive our RPA Today Newsletter

Please take a moment and register.

First Name

Last Name

E-mail Address

Company

Job Title

Hide Terms

As a registered subscriber to Automation Today, you agree to these Terms and Conditions (the “Agreement”). If you are completing registration on behalf of another individual, you warrant that that person has accepted this Agreement.

Intellectual Property.

All intellectual property rights in and to the publication & its content, are owned by us. You may not use, reproduce or allow anyone to use or reproduce any material without our prior written permission.

Disclaimer of Warranties, Limitation of Liability.

We give no warranties with regard to any aspect of the materials related thereto or offered in the publication. Content is presented on an “as-is” basis. We do not accept any responsibility or liability for reliance by you or any person on any aspect of the publication or any information provided.

Except as required by law, we shall not be liable for any direct, indirect, special, incidental, or consequential costs, damages or losses arising directly or indirectly from the publication or other aspect related thereto or in connection with this Agreement.

Our maximum aggregate liability for any claim in any way connected with, or arising from, the publication or this Agreement, whether in contract, tort, or otherwise (including any negligent act or omission), shall be limited to the amount paid by you to us under this Agreement.

Miscellaneous.

Our failure to exercise any right shall not be deemed a waiver of any further rights. We shall not be liable for any failure to perform our obligations where such failure results from any cause beyond our reasonable control. If any provision of this Agreement is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary for this Agreement to otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sub-licensable by you except with our prior written consent. This Agreement shall be governed by the internal laws of the State of Massachusetts and the parties shall submit to the exclusive jurisdiction of the federal and State courts located in the State of Massachusetts.

Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all modifications must be in a writing signed by both parties, except as otherwise provided herein.

No agency, partnership, joint venture, or employment is created as a result of this Agreement and you acknowledge that you do not have any authority of any kind to bind us in any respect whatsoever.

Show Privacy Policy and Terms and Conditions

Checkbox agreement description

Only fill in if you are not human

Already a Member?
Please use the login form in the right column to view content.

Forget your password?
Send us an email (info@RPA-Today.com) and we’ll respond ASAP.