Throughout National Insider Threat Awareness Month there has been no shortage of thoughts and ideas proffered on how to manage and mitigate the insider risk that comes with having humans as part of the ecosystem. It’s true, the human is both the strength and the weakness: they are called upon to mitigate the risk and ameliorate the actions of the malevolent or careless employee. Where discussion has been sparse is how machine/device identity plays a part in insider risk management.

“There needs to be more application of the insider threat framework toward devices at the same level as we do with humans,” says Rajan Koo, chief customer officer, DTEX Systems.

Yash Prakash, chief strategy officer at Saviynt, observes, “Insider threats are increasingly introducing risk to organizations, primarily as insider identities have grown over recent years to include human identities and machine identities (i.e., APIs, bots, vendor accounts, etc.). By strengthening an organization’s identity program, companies can more effectively mitigate this risk and reduce the impact of malicious insiders by spotting fraud early on and preventing the exfiltration of critical data.”

Bot as privileged user

In further fleshing out how the human-machine engagement may be leveraged in a deleterious manner, Prakash provides the example of the finance department, responsible for approval and payment on vouchers. The manager has a script in place that automates the approval process for the more routine vouchers, freeing up time for the manager to focus on the more complex ones. From an efficiency perspective it’s a multi-level win. From a cyber risk perspective, the software bot—robotic process automation (RPA)—is now a privileged user within the finance process and presents new risks.

The introduction of RPA, with privileged access, within the workflow carries risk.
The bot needs to be credentialed to perform the business process required—access the system, scan, analyze, and process. Those credentials are hard-coded into the process and rarely, if ever, updated.

Then we have employees who create their own bots, outside the CISO’s processes, much in the same way employees evolve their shadow IT processes. They are simply trying to get their job completed for their vice president, or, in the example Koo provides below, were trying to hoodwink the enterprise as to their dedication to their job.

Koo relates how in one of their investigations they came across an employee whose network access resembled a sine wave—login at 0700, apps accessed, opened and closed, app access refreshed around lunchtime, and then apps closed and logoff at 1800. Eleven-hour days, all controlled by a script created by the employee to give the appearance of working on those days when the employee wished to play hooky.

In a separate case, Koo related how non-human or script/bot behavior was exfiltrating the financial presentations of the firm’s CFO. When the dust settled it was confirmed that the CFO had fallen victim to a targeted phishing attack and his credentials had been compromised. The compromise opened to the adversary the permissions afforded to the CFO, including the many RPA bots. Interestingly, the adversary in this case did not use any complex malware.
They used low-profile commercial off-the-shelf applications to FTP the information accessible via the CFO’s instance.

Better visibility needed

The obvious question for CISOs is, “What level of visibility does the infosec team have over the RPA bots within their network, and what are the processes surrounding their care to ensure that if compromised the credentials cannot be used to elevate privileges beyond that which was intended?”

Beyond the RPA bots is the need, to the extent possible, to remove the “forever” instances of credentials within devices within the ecosystems, and in all instances to ensure that an authentication process takes place prior to scripts, machines, or other forms of automation being actuated.

In sum, Koo has it right: Equal attention must be paid toward devices and processes as is given to the individual when addressing the insider risk management strategy.
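The “sine wave” case Koo describes, a human account whose logon and logoff land at the same second every day, is detectable from ordinary authentication logs: a person drifts by minutes, a scheduled script does not. The following is an added example written for this article, not code from DTEX or from the article’s author; the log format (`timestamp user=… event=logon|logoff`) and the sample lines are constructed, and the 30-second jitter threshold and five-day minimum are assumed tuning values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). "jdoe" is driven by a
# script that logs on at 07:00 and off at 18:00 within a few seconds every day;
# "asmith" is an ordinary user whose times drift by many minutes.
SAMPLE_LOG = """
2023-09-04T07:00:02 user=jdoe event=logon
2023-09-04T18:00:01 user=jdoe event=logoff
2023-09-05T07:00:03 user=jdoe event=logon
2023-09-05T18:00:02 user=jdoe event=logoff
2023-09-06T07:00:01 user=jdoe event=logon
2023-09-06T18:00:03 user=jdoe event=logoff
2023-09-07T07:00:02 user=jdoe event=logon
2023-09-07T17:59:59 user=jdoe event=logoff
2023-09-08T07:00:04 user=jdoe event=logon
2023-09-08T18:00:00 user=jdoe event=logoff
2023-09-04T08:12:45 user=asmith event=logon
2023-09-04T17:31:10 user=asmith event=logoff
2023-09-05T07:58:03 user=asmith event=logon
2023-09-05T18:20:41 user=asmith event=logoff
2023-09-06T08:25:19 user=asmith event=logon
2023-09-06T16:55:02 user=asmith event=logoff
2023-09-07T08:03:37 user=asmith event=logon
2023-09-07T17:48:55 user=asmith event=logoff
2023-09-08T08:41:08 user=asmith event=logon
2023-09-08T17:10:30 user=asmith event=logoff
"""

# Assumed log format; adapt the pattern to the real source (Windows 4624/4634,
# VPN, SSO) before use.
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(logon|logoff)$")


def parse_events(log_text):
    """Return {user: {event: [seconds since midnight, ...]}} from log lines."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, event = m.groups()
        t = datetime.fromisoformat(ts)
        events[user][event].append(t.hour * 3600 + t.minute * 60 + t.second)
    return events


def find_clockwork_sessions(log_text, max_jitter_s=30, min_days=5):
    """Flag users whose logon and logoff times barely vary from day to day.

    The population standard deviation of the time-of-day is the jitter; a
    human lands minutes apart, a cron-style script lands seconds apart.
    Both logon and logoff must be clockwork to reduce false positives from
    people who simply arrive punctually.
    """
    flagged = {}
    for user, per_event in parse_events(log_text).items():
        logons, logoffs = per_event["logon"], per_event["logoff"]
        if len(logons) < min_days or len(logoffs) < min_days:
            continue  # not enough days to judge regularity
        on_sd = statistics.pstdev(logons)
        off_sd = statistics.pstdev(logoffs)
        if on_sd <= max_jitter_s and off_sd <= max_jitter_s:
            flagged[user] = {
                "days": min(len(logons), len(logoffs)),
                "logon_jitter_s": round(on_sd, 1),
                "logoff_jitter_s": round(off_sd, 1),
                "mean_session_h": round(
                    (statistics.mean(logoffs) - statistics.mean(logons)) / 3600, 2
                ),
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_clockwork_sessions(SAMPLE_LOG).items():
        print(f"{user}: {info}")
```

The hit on its own is not proof of misconduct; it is a prompt to look at what the account actually did between logon and logoff (the article’s case showed apps being opened, refreshed at lunchtime and closed, with no real work in between), and the same regularity is expected and benign for a declared service account, so the check should run against human identities only.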
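The visibility question posed to CISOs above, together with the call to remove “forever” credentials and keep bot permissions to what was intended, reduces to three checks over an RPA bot inventory: is the credential being rotated, does the bot hold only the entitlements that were approved, and is a human accountable for it. The audit below is an added example, not code from Saviynt, DTEX or the article’s author; the inventory records, their field names (`owner`, `credential_rotated`, `granted`, `approved`) and the 90-day rotation limit are constructed assumptions standing in for whatever an identity governance export actually provides.

```python
from datetime import date

# Constructed RPA bot inventory (not from the article). Each record carries
# what an identity governance export might hold: the accountable owner, when
# the bot's credential was last rotated, the entitlements it actually holds
# and the entitlements that were approved for it.
INVENTORY = [
    {"bot": "rpa-voucher-approver", "owner": "finance-mgr",
     "credential_rotated": date(2023, 8, 30),
     "granted": {"vouchers:read", "vouchers:approve"},
     "approved": {"vouchers:read", "vouchers:approve"}},
    {"bot": "rpa-invoice-export", "owner": "finance-mgr",
     "credential_rotated": date(2021, 1, 15),   # hard-coded at setup, never rotated
     "granted": {"vouchers:read", "payments:create", "users:admin"},
     "approved": {"vouchers:read"}},
    {"bot": "rpa-status-report", "owner": None,  # creator left; nobody owns it
     "credential_rotated": date(2023, 8, 1),
     "granted": {"reports:read"},
     "approved": {"reports:read"}},
]

# Fixed "today" so the example is reproducible; a real run uses date.today().
AUDIT_DATE = date(2023, 9, 15)


def audit_bots(inventory, today, max_credential_age_days=90):
    """Return (bot, finding) pairs for bots that fail any of three controls:
    credential rotation, least privilege against the approved scope, and an
    accountable human owner. A bot with no findings is not listed."""
    findings = []
    for rec in inventory:
        # Control 1: no "forever" credentials.
        age_days = (today - rec["credential_rotated"]).days
        if age_days > max_credential_age_days:
            findings.append((rec["bot"], f"credential not rotated for {age_days} days"))

        # Control 2: entitlements must not exceed what was approved, so a
        # compromised bot credential cannot reach beyond its intended task.
        excess = sorted(rec["granted"] - rec["approved"])
        if excess:
            findings.append((rec["bot"],
                             "entitlements beyond approved scope: " + ", ".join(excess)))

        # Control 3: every bot has a named human who answers for it.
        if not rec["owner"]:
            findings.append((rec["bot"], "no accountable owner"))
    return findings


def run_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_bots(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for bot, finding in run_audit():
        print(f"{bot}: {finding}")
```

Run periodically against the real inventory, the first check surfaces exactly the hard-coded, never-updated credentials the article warns about, and the second is what stops a CFO-style credential compromise from handing the attacker every bot’s accumulated privileges; bots nobody can produce a record for at all, the shadow-IT scripts, will not appear in the export, which is why the inventory itself needs to be reconciled against observed non-human logon activity.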