Robot process automation (RPA) — having software robots perform repetitive tasks — has expanded dramatically in recent years to meet the needs of the modern remote and hybrid workforce. RPA enables users to create software robots (bots) that can learn and then execute basic and repetitive (but precise) tasks, such as filling in forms, copying and pasting data, updating banking information or making calculations. As a result, RPA can save organizations time and money. 

Unfortunately, however, RPA can put the sensitive data that it touches at risk. 

What is RPA?

Generally, RPAs are used across any industry that uses repetitive tasks such as insurance, healthcare and telecommunications and is specifically leveraged to automate various supply chain processes including data entry, predictive maintenance and post-sales service and support.

For example, in a telecommunications organization RPA can be used to pull data from multiple systems to predict problems or triage equipment outages. For accounting teams RPA can be used to automate governance, reconcile accounts or process invoices. In transportation and logistics industries RPA may be used to automate shipping and document-based tasks. 

According to a Deloitte intelligent automation survey, in 2021 78% of organizations claimed they were implementing RPA, with another 16% doing so in the next three years.

What are the security issues with RPA?

There are two main security issues with RPA. First, RPA tools are so easy to implement that users can deploy them without involving the IT team. As a result, RPA is often part of the “shadow IT” problem. Since the IT team is not aware of the technology, they cannot monitor it, secure it properly or keep it updated. 

But larger issue is that RPA, even when deployed through proper IT processes, is still insecure for the following reasons:

MFA is impossible to implement: A bot doesn’t have a mobile phone to receive a confirmation request, let alone a fingerprint or other biometrics. This eliminates the security of using multifactor authentication (MFA) account verification. 

Encryption of bots’ actions is not possible: Since bots are operating on the users’ screen on behalf of the user, any activity done by bots can be easily recorded and replicated. This makes RPA activity easy to “steal” or use by threat actors seeking to use the user’s account. 

These insecurities make companies that use RPA technology particularly vulnerable to data leakage and fraud. Knowing RPAs are implemented in a company, a hacker can target a privileged bot instead of trying to compromise the privileged credentials of an employee. Infiltrating the RPA solution makes it possible to look for credentials used, or even to modify the bot’s actions to arrange a money transfer, for example, while remaining discreet within the IT infrastructure. 

How can organizations stay safe while using RPA?

Security breaches are inevitable, and hackers will target technologies with the greatest exposure. It’s critical to use security best practices for any RPA implementation. To mitigate these types of risks, there are a few processes and policies to put in place. 

  • First, it is essential to educate all employees about cyber hygiene and the serious risks of deploying RPA without the IT team’s knowledge. Emphasize that the IT team must be able to track all activity in the environment by both humans and machines in order to ensure security and compliance. 
  • Second, organizations should perform regular audits to assess the level of security and ensure that applicable mandates are being complied with.
  • Third, if RPA bots are deployed through a service provider, they must ensure that the project is properly secured.

RPA is increasingly the go-to technology for automating processes and making life easier for employees. But organizations must be aware of the security concerns in RPA and take steps to mitigate them to protect their critical systems and data. By increasing employee education on proper cyber hygiene best practices, performing regular security audits and assessments along with properly vetting service providers and their RPA use, security leaders can better ensure that their data remains protected and secure.