How to Reduce Your RPA Security Risk

July 6, 2022
RPA is inherently insecure and can put an organization’s sensitive data at risk

Robotic process automation (RPA) — having software robots perform repetitive tasks — has expanded dramatically in recent years to meet the needs of the modern remote and hybrid workforce. In fact, the RPA market is expected to grow from $1.23 billion in 2020 to $13.39 billion in 2030.

By automating repetitive and tedious processes, RPA is transforming many legacy processes, making it easier for workers to perform recurring tasks. From call scheduling to task creation, RPA bots are becoming an embedded part of the new era of work. Unfortunately, however, RPA is inherently insecure and can put the sensitive data that it touches at risk.

What is RPA?

RPA enables users to create software robots (bots) that can learn and then execute basic and repetitive (but precise) tasks, such as filling in forms, copying and pasting data, updating banking information, or making calculations. As a result, RPA can save organizations time and money.

RPA is especially popular in financial institutions, as well as in the industrial sector, which still uses old applications that do not support APIs for automation.

What are the Security Issues With RPA?

There are two main security issues with RPA. First, RPA tools are so easy to implement that a user can deploy them without involving the IT team. As a result, RPA is often part of the “shadow IT” problem. Since the IT team is not aware of the technology, they cannot monitor it, secure it properly or keep it updated.

But the larger issue is that RPA, even when deployed through proper IT processes, is still insecure for the following reasons:

  • Activity cannot be properly monitored — Although RPA bots are supposed to use their own access codes, they end up using human privileged accounts since creating specific privileged accounts for each bot is time-consuming. As a result, separating the bot’s actions from those of the human using the same credentials is too complicated to enable effective activity monitoring.
  • MFA is impossible to implement — A bot doesn’t have a mobile phone to receive a confirmation request, let alone fingerprint or other biometrics. This eliminates the security of using multifactor authentication (MFA) account verification.
  • Encryption of bots’ actions is not possible — Since bots are operating on the users’ screen on behalf of the user, any activity done by bots can be easily recorded and replicated. This makes RPA activity easy to “steal” or use by threat actors seeking to use the user’s account.

These insecurities make companies that use RPA technology particularly vulnerable. Knowing RPAs are implemented in a company, a hacker can target a privileged bot instead of trying to compromise the privileged credentials of an employee. Infiltrating the RPA solution makes it possible to look for credentials used, or even to modify the bot’s actions to arrange a money transfer, for example, while remaining discreet within the IT infrastructure.

How Can Organizations Stay Safe While Using RPA?

To mitigate these types of risks, there are a few processes and policies to put in place.

  • First, it is essential to educate all employees about cyber hygiene and the serious risks of deploying RPA without the IT team’s knowledge. Emphasize that the IT team must be able to track all activity in the environment by both humans and machines to ensure security and compliance.
  • Second, organizations should perform regular audits to assess the level of security and ensure that applicable mandates are being complied with.
  • Finally, if RPA bots are deployed through a service provider, the organization must ensure that the project is properly secured.
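The monitoring problem described above (bots running under human privileged accounts) and the requirement that the IT team be able to track activity by both humans and machines can be approached from the audit log: a bot sharing a person's login tends to appear from a second host and at a cadence no human sustains. The following is an added example, not code from the article or from any RPA vendor; the log lines, account names, host names and the KNOWN_BOT_ACCOUNTS inventory are all constructed for illustration, and the window and rate thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (not from the article): "<timestamp> <account> <source_host> <action>".
SAMPLE_LOG = """\
2022-07-06T09:00:01 jdoe WS-042 open_form
2022-07-06T09:00:03 jdoe RPA-RUNNER-01 submit_form
2022-07-06T09:00:04 jdoe RPA-RUNNER-01 submit_form
2022-07-06T09:00:05 jdoe RPA-RUNNER-01 submit_form
2022-07-06T09:00:06 jdoe RPA-RUNNER-01 submit_form
2022-07-06T09:00:07 jdoe RPA-RUNNER-01 submit_form
2022-07-06T09:05:00 asmith WS-117 open_form
2022-07-06T09:07:30 asmith WS-117 submit_form
2022-07-06T09:10:00 svc-rpa-01 RPA-RUNNER-02 submit_form
2022-07-06T09:10:01 svc-rpa-01 RPA-RUNNER-02 submit_form
2022-07-06T09:10:02 svc-rpa-01 RPA-RUNNER-02 submit_form
2022-07-06T09:10:03 svc-rpa-01 RPA-RUNNER-02 submit_form
2022-07-06T09:10:04 svc-rpa-01 RPA-RUNNER-02 submit_form
"""
# Hypothetical inventory of dedicated bot identities; every other account is treated as human.
KNOWN_BOT_ACCOUNTS = frozenset({"svc-rpa-01"})


def find_bots_on_human_accounts(log_text, bot_accounts=KNOWN_BOT_ACCOUNTS,
                                window=timedelta(seconds=60), rate=5):
    """Return {account: {reasons}} for human accounts whose activity looks bot-driven.

    Over a sliding per-account window two signals are checked (thresholds are assumptions):
      multi_host      - more than one source host (a person and a bot runner on one login)
      machine_cadence - at least `rate` events from one host (no human submits 5 forms/min)
    """
    by_account = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, account, host, _action = line.split()
        by_account[account].append((datetime.fromisoformat(ts), host))

    findings = defaultdict(set)
    for account, events in by_account.items():
        if account in bot_accounts:
            continue  # dedicated identity: its actions are already attributable
        events.sort()
        for i, (start, _) in enumerate(events):
            # Every event from `start` up to `window` later, counted per source host.
            per_host = Counter(h for t, h in events[i:] if t - start <= window)
            if len(per_host) > 1:
                findings[account].add("multi_host")
            if max(per_host.values()) >= rate:
                findings[account].add("machine_cadence")
    return dict(findings)
```

On the sample log only jdoe is flagged (both signals); the dedicated svc-rpa-01 identity is skipped because its activity is already attributable on its own.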

RPA is increasingly the go-to technology for automating processes and making life easier for employees. But organizations must be aware of the security concerns inherent in RPA and take steps to mitigate them to protect their critical systems and data.

About the author: Anthony Moillic is Director, Solutions Engineering, EMEA and APAC for Netwrix. He has over 20 years of security and IT experience with specific expertise in cybersecurity, data governance and Microsoft platform management.