Treat digital workers as securely as humans


Automation and digital workforces are bringing new levels of efficiency to all aspects of business, particularly at a time when the skills shortage is huge in many industries. But many organisations are failing to consider the security risks that are introduced if these workforces are not managed properly.

Robotic process automation (RPA) offers enterprises the opportunity to employ automated digital workers to augment and complement their human employees. These digital workers automate time-consuming, mundane and repetitive tasks, freeing up human talent to focus on higher value activities that serve to differentiate the business and enhance the customer experience.

As with the human workforce, RPA has the potential to touch every enterprise application, as well as the critical data within it – whether it be related to employee, financial, customer or other business information.

This of course streamlines processes, but given that a digital worker is granted a number of privileges, it’s critical to ensure that data isn’t misused. In many cases, this information will be sensitive and must be protected under the rules of Australia’s Notifiable Data Breaches (NDB) scheme and the Privacy Act.

The cost of a security incident can be tremendous. The 2019 Cost of a Security Breach Report by the Ponemon Institute and IBM indicates that the average cost of a data breach was $3.9 million in the past year and the average time to identify and contain a breach is 281 days.

Organisations have come to understand that a digital workforce requires oversight, security and governance safeguards similar to their human counterparts. Strict controls must be in place to regulate how digital workers are configured and how any changes are managed and approved.

Prevent risk

Ensuring privileged credentials are managed in a secure manner reduces the risk of a breach through compromised access to confidential customer and business data. This is a top priority for the development and adoption of RPA, particularly since a digital worker with super-user access to all applications for all processes becomes a major weak point in the security coverage.

In addition to credential management, it’s important to segregate duties for greater control of digital workers and processes across multiple business units within a single environment. This also allows organisations to create multiple teams with varying levels of permission and access to processes, objects and digital workers that make automation safer and more scalable across the enterprise.

This delivers granular control so only certain specified users can build and access processes based on permissions, ensuring compliance. Without this separation in key processes, fraud and error risks are far less manageable.

Ensure security and compliance

There are three other high-level considerations business leaders must address to ensure the security and compliance of their digital workforce.

1. Infrastructure Security

At a minimum, organisations that plan to implement RPA should create an environment where their digital workers can operate — as well as be configured and assigned — that’s free from interference, informal or casual inspection, and especially, tampering. Such is the inherent problem with digital workers running on user desktops. Segregate processing and management environments, then impose separate governing controls for each.

2. Platform activity logging

Organisations can only ensure accountability and responsibility when all user activities – design-time, run-time and administrative – interacting with the platform are recorded in real-time and securely stored, including any changes made. This is an essential aspect of an unmalleable and irrefutable audit trail.

3. Process transaction logging

Having an irrefutable audit trail in place is a critical element of RPA, providing a mechanism through which perpetrators can be held to account or errors can be corrected. Automatically and systematically capturing a log of all transactions and all process steps is a minimum prerequisite for successful RPA programs.

Ultimately, the quality and integrity of the audit trail will not only discourage malicious activity, it will provide non-repudiation. Implement an RPA operating system that not only logs everything, but centrally stores the log to eliminate any and all tampering with the record.
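One way to make such a transaction log tamper-evident, shown as an added example that is not from the article or any RPA product: each entry carries an HMAC over its content and the previous entry's MAC, and the central store keeps the latest MAC as the chain head. The field names, worker names and key are constructed for illustration, and the key is assumed to be held only by the central log service, never by the digital workers or their operators.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "prev" for the first entry


def _mac(key, body):
    # Canonical JSON so the same entry always produces the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log, key, worker, action, target):
    """Append one process step, chained to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "worker": worker, "action": action,
            "target": target, "prev": prev}
    log.append(dict(body, mac=_mac(key, body)))
    return log[-1]


def verify_log(log, key, head=None):
    """Return the index of the first bad entry, or None if the log is intact.

    `head` is the latest MAC recorded by the central store; passing it
    also detects entries removed from the end of the log.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # entry reordered, inserted or deleted
        if not hmac.compare_digest(entry.get("mac", ""), _mac(key, body)):
            return i  # entry content altered, or wrong key
        prev = entry["mac"]
    if head is not None and prev != head:
        return len(log)  # tail truncated
    return None


def build_sample_log(key):
    # Constructed sample transactions for two hypothetical digital workers.
    log = []
    append_entry(log, key, "dw-invoice-01", "read", "erp/invoice/1001")
    append_entry(log, key, "dw-invoice-01", "update", "erp/invoice/1001")
    append_entry(log, key, "dw-hr-02", "read", "hr/employee/77")
    return log


if __name__ == "__main__":
    k = b"constructed-demo-key"
    sample = build_sample_log(k)
    print(verify_log(sample, k, head=sample[-1]["mac"]))
```

The chain alone cannot show that the newest entries were dropped, which is why the head MAC has to live somewhere the log's writers cannot reach.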

Get RPA right … from the beginning

The rapid adoption of RPA has led many organisations to jump into initiatives without proper analysis and planning. All of this elevates the risk of errors by failing to focus on security issues and access rights for the new digital workers.

When done right, digital workers …

  • Never store passwords on notepads, phones or post-it notes.
  • Love passwords like: m%^&e,Y61kxF*OoEY5c+*eZXQgHbul#Xx!T`OfmNP"Q+uMnN~2D^+.
  • Never look up personal information of the person they met last Friday.
  • Don’t leave their workstations unlocked.
  • Change passwords daily and never forget them.
  • Aren’t susceptible to shoulder surfing or threats.
  • Follow the rules to the letter.
  • Tell you every single thing they do.

So, plan the security of your digital workforce properly and you’ll be wishing your human workers could be more like your digital workers.

About the author

Dan Ternes is chief technology officer, APAC for Blue Prism. He is a senior IT executive with 25 years’ experience in the enterprise software industry, architecting and evangelising innovative solutions across RPA, BPM, integration, document management and big data. For more information, visit: https://www.blueprism.com/


Copyright © 2020 IDG Communications, Inc.