Robotic Process Automation (RPA) is a true game changer, allowing businesses to turn thousands of hours of manual, repetitive tasks into automated processes that are completed in seconds. However, like all technological advances, cyber criminals are clamoring to turn your shiny new RPA toy into illegal profit. In order to stay safe and keep your RPA bots productive and running, here are 5 RPA security questions you need to ask and have answers for in 2023.
What is RPA Security?
RPA security refers to the process of keeping your automated processes secure from outside threats such as hacking, data theft, downtime, viruses, malware, and other malicious actions. An RPA bot, or automated process, is essentially a digital employee, meaning that your bots face the same security threats that can impact your real life, human workers. Without proper security measures in place, an RPA bot could inadvertently introduce ransomware into your environment, expose sensitive data, or reveal private credentials such as passwords and usernames that a cyber-criminal could use to gain access to your systems or even to commit fraud.
Question #1: What does my RPA bot have access to?
Like an employee, your RPA bots should follow the principle of least privilege. Since an RPA bot is completing actions that were previously done by a human, your automation likely needs access to email, your ERP systems, and any other required SaaS solutions. It is important to ensure that your automated process only has access to exactly what it needs to get the job done. No more, no less. By ensuring that the principle of least privilege is in place, you are minimizing any potential damage if a cyber-criminal gains access to your bot.
You should conduct a regular access audit of your RPA bots to find out exactly what solutions your bot has access to and what it can do with that access. Blueprint’s RPA Analytic Dashboards allow you to search for applications used within your entire RPA estate, which can significantly improve the quality and time to completion for an access audit exercise.
Question #2: Did we cut any RPA security corners when we first implemented RPA?
RPA came onto the scene quickly and spread like wildfire. Eager to lower costs and reach the lofty promises RPA offered, companies often automated everything they could in a quick and dirty fashion. COVID-19 continued this “wild west” approach to RPA development as companies desperately needed ways to save money and handle an increase of repetitive, manual tasks. In many cases, this led to a few corners being cut when it came to RPA security.
One common security practice that was overlooked by RPA developers was assigning a unique identity to each bot. For example, to expedite the bot creation process, an RPA developer might create one Windows Active Directory account that is used by four or five different automated workflows. While easy, this is also a major security concern as it makes it extremely difficult to pinpoint the point of entry after a security breach, meaning that you might not properly close the door that the cyber-criminal used to access your systems. This process also amplifies any damage caused by a leaked password, since instead of exposing one “digital worker,” you have exposed four or five.
RPA security practices have improved over time, but you should look back at your older workflows and ensure that you update any shared access issues that may be in use.
Question #3: Do I have rigorous security processes for retiring bots?
Back in 2021, Colonial Pipeline, the largest carrier of jet fuel and gasoline in the southeastern United States, was hit with a ransomware attack that led to them halting all pipeline operations. This caused public fear that there was a gas shortage, which brought about panic buying throughout many southeastern states, eventually leading to President Biden issuing a state of emergency. The ransomware attack was caused by one unused, yet active VPN account being breached and posted on the dark web, which was used by the cyber-criminal gang DarkSide to initiate the Ransomware attack.
When RPA bots are retired, it is possible that the systems they had access to are still left open, which could easily lead to the introduction of ransomware or other malware. Make sure that you have a rigorous process for retiring any RPA bots that you may no longer need, which includes closing and deactivating any previously required accounts.
Question #4: Who has access to your RPA tools and how easy is it for them to login?
Remember, whoever has access to your RPA tools may have access to your RPA bots. Ensure that only people who absolutely need access have access, while also deploying modern security measures such as multi-factor authentication (MFA or 2FA) or a secure password manager. Perform a regular audit of your RPA tools to disable any accounts you may not need as well.
Question #5: Am I using cloud-native, security-minded vendors for my RPA toolset?
When cloud-based software first became popular, many large organizations were concerned about security and data residency issues. Today, modern cloud solutions offer far more security benefits than concerns. Top cloud solutions like Microsoft Azure have state-of-the-art physical security, data centers in multiple regions all over the world where data can be siloed for data residency, rigid backup procedures, and sophisticated security practices such as a 24/7 Security Operation Center (SOC) and Security Information and Event Management (SIEM) monitoring software that can detect a potential security incident at its earliest possible point.
Before you partner with any RPA vendor, make sure you have a strong understanding of their security practices, backup procedures, auditing standards, and personnel accreditations. Third party breaches are a common problem for enterprise organizations, which means that if your vendor gets breached, you could be breached too.
A new year is a time for improvement and hope. As an intelligent automation leader, you should be focused on new and exciting trends such as AI, machine learning, and digital twinning, not just RPA security. However, even the smallest security gap can bring your lofty goals crashing down, so remember to take RPA security seriously so those bots can stay healthy, running, and productive.