The advents of disruptive technology like RPA (Robotics Process Automation) can help companies save costs; and improve processes, resources, productivity, quality, customer experience, and compliance. However, the adventures don’t end here, even in a dismissive scenario it can go to a great extent in threatening valuable enterprise data.
RPA tools, where on one hand can handle sensitive enterprise data including account numbers and amounts from invoices, on the other hand, it can expose such data to attackers as the RPA-bots have privileged access to enterprise systems and resources. This requires immediate security practices to be incorporated across an enterprise.
Leaders are required to treat Robotics Process Automation as an approach to automating business processes, not just a recorder and launcher of scripts. If RPA is deployed once, it becomes an integral part of the enterprise infrastructure, which subsequently means security should also be integrated into enterprise security.
It has been observed that companies do not choose their Robotics Process Automation tools based on security features, but rather on price and functionality. They tend to ensure security only after the selection process and at the time of implementation. Such security features commonly include the encryption for the data the tool handles.
According to Gartner, an assessment of the RPA tool from a testing supplier should be a requirement in the selection process. RPA tools often facilitate with the assurance that they have been tested for vulnerabilities from an application security testing supplier. If proper security assessment of the RPA tool is not done, at worse it can leave security holes in the implementation.
Moreover, there are certain security features in RPA implementations that cannot and should not be provided via third-party tools. As per Computer Weekly, while third-party auditing tools can be used, ideally the RPA tool should generate the log itself since it has full visibility of the actions it has taken in the applications it has accessed. Also, the RPA tool must be able to provide a complete, system-generated and immutable log of its activity.
The tightening of RPA’s data access is required as some companies have expressed concerns about allowing Robotics Process Automation to modify databases directly. This could subsequently lead to data tampering or data corruption.
As suggested by the Gartner, IT departments should avoid using free versions of RPA tools with production data. Such free versions of RPA tools often are intended only for trials and do not provide security functionality and further, they may render any data used with them public. Therefore, they should only be used as trial tools with test data.
The global research advisory firm also recommends that security leaders should restrict Robotics Process Automation access to what each bot strictly needs to conduct the assigned task. Moreover, the bot operating the script should only have read access to the database. They should not be allowed with write access.
Itay Reiner, head of product management, process automation solutions, NICE says, “like any enterprise software, it’s important to have security in mind: first and foremost, ensure you comply with security standards. Make sure that every access is authenticated and encrypt and secure data in transit and at rest. Any standards you use elsewhere in the organization need to be applied to RPA as well.”