The robot takeover we have longed fear is here. Well, not really. But Robotic Process Automation (RPA), business technology that intelligently automates mundane and repetitive tasks typically performed by humans, is indeed hot and growing.
2019 data from Gartner finds the RPA market grew over 63% that year, which makes it the fastest growing enterprise software category. And market forecasts predict the global RPA market size is expected to reach $7.2 billion by 2025.
RPA is heralded as a breakthrough that can help companies innovate and push forward in their digital transformation journey because it can take low-level, manual and, well, boring, tasks and turn them over to bots that can do them without human intervention. This way, humans can get busy working on more important and creative stuff.
But, as with any new technology introduced to the IT infrastructure, of course we have to ask: How secure is it?
"Despite the massive value RPA can deliver in terms of increased productivity and improved compliance, the technology does introduce a new vector for cyberattacks," says Jon Knisley, principal, Automation and Process Excellence at FortressIQ. "RPA bots require the same access to systems as humans because they operate at the presentation layer. Because they constantly access different applications to cut, copy, paste and move data, credentials are too often hard-coded into scripts or pulled in from an insecure location."
There are multiple risks to consider, and, as Knisley notes, one of them ties back to access. The bots are often accessing sensitive systems and information, which means if they are exploited, an attacker can use that access to steal data or gain unauthorized access to systems and applications. In other words, they are yet another conduit into an organization's crown jewels.
"Much (sic) of the security risks associated come from the information it processes," says Gautam Roy, head of product security with Automation Anywhere. "RPA bots utilize privileged access to perform tasks, including connecting into CRM, ERP, or other platforms – concurrently moving data across systems from one process to the next. In the wrong hands, malicious actors could potentially use RPA software to gain access to sensitive data."
Knisley says the way to address this is and prevent unauthorized access is to ensure credentials are stored in a centralized encrypted location, and bot access should be limited by the principle of least privilege.
The next shadow IT?
But exploiting credentials and access are just one scenario security managers need to be mindful of when evaluating and deploying RPA – that is if they are even asked to get involved at all. RPA is popular because many vendors offer what is known as low-code or no-code solutions, making it extremely easy to find and implement bots for a specific workflow without the help of IT.
"Often, employees are unaware that the bot they are implementing is creating a security risk due to a lack of collaboration with IT," says Roy. "In many organizations, non-technical personnel are now using RPA for the first time. In organizations where citizen developers are piloting RPA, and are not trained on application security best practices, it can lead to a security incident."
The takeaway here is that security managers need to ensure they are actively collaborating with employees who may be implementing new technologies in order to uncover hidden security risks. Secretly deployed RPA could very well become another problematic version of shadow IT that CISOs need to watch out for and warn about.
Other RPA risks to consider
Another scenario to consider when deploying RPA is denial-of-service interruptions, in which bot activities are scheduled in rapid sequence and overwhelm system resources and result in a stop to bot activities – or disrupt other operations.
"When part of critical systems, RPA can constitute a single point of failure and cause outages that are hard to recover from," says Cuneyt Karul, director, Information Security & Compliance with BlueCat.
And, in the wrong hands, they can also potentially be used to launch denial of service attacks, he says.
"Bots scale well, but so do the security risks they pose, which makes them the perfect tool for DDoS attacks," he says. "RPA is also susceptible to zero-day vulnerabilities that are inherent to the platforms and operating systems they run on."
As with any other system, security should be part of all phases of designing, building, and operating RPA, says Karul. The same best practices that security teams follow for other kinds of software, such as assigning a unique ID, enforcing strong password rules, automating and centralizing credential management, are essential when using RPA.
"To mitigate the risks of RPA, it should be treated as any other system in the IT infrastructure. That means it should be rigorously designed, developed, tested, and monitored," he says.
And, take heart, even with inherent security risks, keep in mind that RPA is actually viewed as more secure than many other types of technology in play today, because using bots removes the potential for human error.
"Deployed correctly, bots are more secure and less error-prone than a human doing the activity even though they create a new threat vector," says Knisley. "Security managers can stay clean by ensuring the security features enabled by the major RPA vendors are implemented properly during development."
- In App Development, Does No-Code Mean No Security?
- As Offices Reopen, Hardware From Home Threatens Security
- 10 Tips for Maintaining Security During Layoffs