Are you considering implementing RPA (robotic process automation, or bots) as part of your digital transformation? RPA security best practices will help you adopt this growing technology safely and for maximum benefit. RPA usage grew by 63.1% to $1.3bn in 2019 and is expected to reach $7.2bn by 2025, making it the fastest growing segment of the global enterprise software market. It is easy to see why: RPA streamlines workflows, saves money, improves services and, crucially, removes an element of human error from both workflows and information security.
However, like any other technology introduced to an organisation's network, RPA also introduces new security risks which, if not considered, can weaken the organisation's overall security posture. To get the best out of robotic process automation, it is important to implement RPA security best practices.
Understanding the bot security risk
Simply put, RPA introduces a new attack vector into your network. Bots are software that runs unattended, with its own credentials, against your business systems, and like any program on the network they widen the attack surface, especially when they are poorly designed and neglect basic information security principles. Because bots operate at machine speed and scale, an attacker who compromises one can carry out malicious activity on the same scale, causing significant damage.
A poorly designed RPA solution may bypass security controls by running under high-privilege user permissions, exposing sensitive information to untrusted parties and potentially moving sensitive data outside the organisation.
In order to perform its tasks, a bot is granted access to multiple systems, many of which hold sensitive organisational or personal information. An attacker who compromises the bot's privileged access gains everything the bot can reach, and may use the bot as a back door into other parts of the network.
Many RPA solutions are marketed as plug and play integrations that do not require an IT professional to set up and operate them. While this suits a small business without dedicated IT resources, it is not ideal from a security perspective. Like any new technology, RPA should be reviewed before it is added to the network, to avoid unintentionally exposing the network to vulnerable or malicious software.
Bots are designed to carry out tasks quickly and efficiently, but a poorly configured bot (a tight retry loop or an overlapping schedule, for example) can flood a system or the network, slowing it down, disrupting services and causing a denial of service. Such an outage can also take down monitoring, logging or other security controls, creating a window in which other breaches go unnoticed.
RPA security best practices
Implementing RPA security best practices lets an organisation reduce the risks of bots operating on its network. The key to managing security risk in RPA is to treat each bot the same way you would treat any other system, or indeed any employee, in the organisation: defined role, least privilege, accountability and oversight.
Some RPA security best practices are summarised below.
Choose your RPA carefully
Not all RPA developers are created equal. When choosing a new RPA technology, information security needs to be assessed alongside functional requirements. A poorly coded bot could contain security vulnerabilities or even malicious code. Where possible, ask RPA suppliers for security assurances (such as the results of independent security testing), and carry out code review or penetration testing of the solution before connecting it to the network.
Create a security governance framework for RPA
It is important to manage the security risks of RPA through a set of dedicated controls. An RPA governance framework should include regular risk assessments and audits of RPA processing activities. Employees overseeing the RPA should have clearly assigned security responsibilities, including controlling access to the RPA environment and logging and monitoring its activities. A security requirement checklist should be maintained for each RPA technology in use, with defined responsibility for regularly assessing the RPA's compliance against it.
Implement password management controls for RPA systems
Bots use passwords and other credentials to access multiple systems. These credentials are set and maintained by administrators, and several employees overseeing the RPA may need to manage them. RPA security best practices recommend storing bot credentials in a centralised, encrypted location such as a password vault, accessible only to a limited number of employees, with the bot retrieving its credentials from the vault at run time rather than having them embedded in scripts, configuration files or workflow definitions. Credentials should be rotated regularly, and a bot's own credentials should never be shared with human users.
Reinforce data and network security around the RPA
A bot accesses the network in order to carry out its tasks, and that access needs to be actively managed, including:
– Limiting bot access to network resources by applying the principle of least privilege, giving each bot access only to the systems and data it needs for its defined tasks
– Maintaining proper segregation of the machines the bots run on, grouped by the sensitivity of the tasks and data they handle, so that one compromised bot host does not expose the others
– Ensuring that security updates are applied promptly to the RPA platform, the bot runners and the systems they connect to
– Checking the functional specification documents before a bot is connected to the network, so that the access it is granted matches the tasks it is documented to perform
– Assigning a unique ID (and unique credentials) to each bot, and maintaining a repository of bots, their IDs, owners and access permissions so that every action can be attributed and monitored
Define roles and responsibilities for the RPA and overseeing humans
In the same way that every employee has a defined role and access to systems based on that role, so should every bot in the organisation. Access privileges should be defined by the bot's tasks, and access to data should be segregated by the bot's role. Bots should not be given admin permissions or elevated access to systems unless it is strictly necessary, and any such grant should be time-limited and reviewed.
On the human side, a dedicated bot administrator should oversee the RPA workflow: managing bot schedules, monitoring progress, and carrying out security checks, audits and updates. There should be a robust change management process that defines who is responsible for proposing changes, assessing their risk, reviewing performance, approving new tasks or changes, and controlling backups.
Maintain accurate logs
Managing security risks in RPA requires knowing what each bot is doing. Every bot connected to the network should produce complete audit logs of its activity, recording which bot did what, on which system and when, so that the cause of an incident can be reconstructed. The logs should never capture the credentials the bot uses.
The logs should be analysed regularly to detect abnormal activity, unusual system behaviour or abuse of privileged accounts, for example a bot attempting to reach systems outside its defined scope, or an elevated credential being used more often than its approved tasks require. The logs should also be audited independently of the bot administrator to confirm that the RPA is performing as expected.
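As an added example, not taken from the original article or from any RPA product, the Python below ties together the credential vault, least-privilege and audit-log practices described above. A bot registry holds each bot's unique ID and the systems it may touch; a credential broker releases a secret only when the registry permits it and writes one audit record per request without ever logging the secret; and a small analyser runs over those records to flag repeated denials and any release of an admin-tier credential. All bot IDs, system names and secret values are constructed for illustration, and the in-memory VAULT stands in for a real secrets manager.

```python
"""Added example (not from the original article): an RPA credential broker with
least-privilege checks plus an audit-log analyser, standard library only.
Bot IDs, system names and secrets are constructed; VAULT stands in for a real vault."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed bot registry: unique bot ID -> systems it may touch and whether
# an admin-tier credential may ever be released to it (normally never).
BOT_REGISTRY = {
    "bot-invoice-01": {"allowed": {"erp", "email"}, "admin_ok": False},
    "bot-hr-02":      {"allowed": {"hris"},         "admin_ok": False},
    "bot-patch-03":   {"allowed": {"erp"},          "admin_ok": True},
}

# Constructed stand-in for a password vault, keyed by (system, account tier).
# Values like these never belong in a bot script or configuration file.
VAULT = {
    ("erp", "service"):   "erp-svc-s3cret",
    ("erp", "admin"):     "erp-adm-s3cret",
    ("email", "service"): "mail-svc-s3cret",
    ("hris", "service"):  "hris-svc-s3cret",
}


class AccessDenied(Exception):
    """Raised when the registry does not permit the requested credential."""


@dataclass
class CredentialBroker:
    registry: dict
    vault: dict
    audit_log: list = field(default_factory=list)  # one JSON line per request

    def _record(self, bot_id, system, tier, outcome):
        # Who, what, when and the outcome. The secret itself is never written.
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "bot": bot_id, "system": system, "tier": tier, "outcome": outcome,
        }))

    def get_credential(self, bot_id, system, tier="service"):
        """Release a credential only if this bot ID is registered for the system
        (least privilege) and, for the admin tier, explicitly allowed elevation."""
        entry = self.registry.get(bot_id)
        if entry is None:
            self._record(bot_id, system, tier, "denied:unknown-bot")
            raise AccessDenied(f"unregistered bot {bot_id}")
        if system not in entry["allowed"]:
            self._record(bot_id, system, tier, "denied:system-not-allowed")
            raise AccessDenied(f"{bot_id} may not access {system}")
        if tier == "admin" and not entry["admin_ok"]:
            self._record(bot_id, system, tier, "denied:admin-not-permitted")
            raise AccessDenied(f"{bot_id} may not use admin credentials on {system}")
        secret = self.vault.get((system, tier))
        if secret is None:
            self._record(bot_id, system, tier, "denied:no-such-credential")
            raise AccessDenied(f"no {tier} credential held for {system}")
        self._record(bot_id, system, tier, "granted")
        return secret


def analyse_audit_log(lines, denied_threshold=2):
    """Return findings: every admin-tier release (rare, always reviewed) and any
    bot denied at least denied_threshold times (misconfigured task or abuse)."""
    denials = {}
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec["outcome"].startswith("denied"):
            denials[rec["bot"]] = denials.get(rec["bot"], 0) + 1
        elif rec["tier"] == "admin":
            findings.append(f"admin credential released to {rec['bot']} for {rec['system']}")
    for bot, count in denials.items():
        if count >= denied_threshold:
            findings.append(f"{bot} denied {count} times; review its task definition or suspect compromise")
    return findings


def demo():
    """Run a constructed sequence of requests; return (outcomes, findings)."""
    broker = CredentialBroker(BOT_REGISTRY, VAULT)
    requests = [
        ("bot-invoice-01", "erp", "service"),   # in scope: granted
        ("bot-invoice-01", "hris", "service"),  # outside its allow list: denied
        ("bot-invoice-01", "erp", "admin"),     # elevation not permitted: denied
        ("bot-rogue-99", "erp", "service"),     # not in the registry: denied
        ("bot-patch-03", "erp", "admin"),       # permitted, but flagged for review
    ]
    outcomes = []
    for bot, system, tier in requests:
        try:
            broker.get_credential(bot, system, tier)
            outcomes.append("granted")
        except AccessDenied:
            outcomes.append("denied")
    return outcomes, analyse_audit_log(broker.audit_log)


if __name__ == "__main__":
    outcomes, findings = demo()
    print(outcomes)
    for finding in findings:
        print("FINDING:", finding)
```

The broker is the only component that ever sees a secret, so the bot scripts themselves carry no credentials, and every grant or denial is attributable to a single bot ID. The analyser is deliberately simple; in practice the same JSON records would be shipped to a SIEM and the thresholds tuned to each bot's approved schedule.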