How rampant robotic process automation (RPA) adoption is introducing new threat vectors
Robotic process automation (RPA) is nothing new. In fact, it’s an automation toolkit that was first introduced back in the 1990’s. But in 2020, in the midst of a global pandemic and the all new remote work norm, RPA interest and adoption hit a new high. Why? Because with RPA, digital workers are able to take over repetitive, manual tasks traditionally performed by their human counterparts -- freeing up time, energy and critical human resources.
Gartner’s Fabrizio Biscotti, research vice president, put it best: "The key driver for RPA projects is their ability to improve process quality, speed and productivity, each of which is increasingly important as organizations try to meet the demands of cost reduction during COVID-19. Enterprises can quickly make headway on their digital optimization initiatives by investing in RPA software, and the trend isn’t going away anytime soon."
In fact, Gartner predicts that by 2022, 90 percent of organizations globally will have adopted robotic process automation (RPA). What’s more, through 2024, larger enterprises are expected to triple the capacity of their existing RPA portfolios.
Yet, in today’s world, we know that when it comes to adopting emerging technologies, cybersecurity is far too often an afterthought. Even more vitally, when it comes to RPA adoption, organizations aren’t just adopting new technologies -- and the threat vectors and bad actors that inevitably come with them in the digital age -- they’re adopting new identities as well. Machine identities that have access to the DNA, the networks, and the ins and outs of the business.
So as RPA adoption continues to accelerate, it’s imperative that organizations proactively account for the cybersecurity concerns that will inevitably come -- and prepare for them accordingly.
Why the RPA risk
In order to proactively mitigate any RPA risk, organizations must first understand that RPA -- these new 'digital workers' -- have identities of their own.
MetLife’s Gaurav Priyadarshi writes, "Introducing a new technology to an organization always comes with certain vulnerabilities that can be exploited by hackers. For example, automated solutions or bots may not have the ability/functionality to identify malware, thereby increasing the threat and providing opportunity to hackers."
Just like you and me, these new digital identities have 'minds', capabilities and access of their own. They’re equal employee counterparts, who have just as much access to sensitive systems as you or I, and they can just as easily give up that access if not properly secured.
Earlier this year, Forrester predicted that 33 percent of breaches in 2021 will be insider threat-related. Meaning that over a quarter of all breaches that take place this year will be due to exploited employee credentials (i.e. bad actors taking advantage of internal access), or internal cybersecurity negligence. With that being said, RPA is just another avenue for bad actors to potentially take advantage of unprotected or unmanaged insider access or credentials. Particularly as 'identity sprawl' proliferates, and organizations find themselves having to manage more disparate 'identities' (both human or non-human), the need for proactive, preventative cybersecurity has never been greater.
Mitigating RPA-related threats
Zero Trust -- an industry framework largely predicated on the notion 'never trust, always verify' -- was lauded as an industry best practice this year.
What Zero Trust essentially means is that if someone tries to access your networks, data, or any business asset, they’d be required to validate their identity before gaining access or entry whether they are the CEO or an intern, and that same practice should be standard for RPA, or 'digital identities'. Risk isn’t one size fits all, and there are no guarantees when it comes to identity security, so a Zero Trust approach is one major way organizations can mitigate risk when it comes to RPA.
Another way to minimize RPA cyber concerns is through third-party security solutions like privileged access management (PAM). Through a PAM system, when a digital worker needs privileged access, the robot can retrieve credentials automatically, without any exposure to the bot owners or developers. This in turn, not only provides a full audit trail (i.e. which digital workers accessed which applications), but also provides individual accountability and proof that no one can obtain the password, in a noncompliant manner, without slowing down robotic operations.
With a PAM tool that connects to RPA systems, organizations are better equipped to proactively secure, control and audit the credentials and privileges of the bots. Plus by choosing a PAM solution that is easy to deploy, and one that integrates seamlessly into your pre-existing security stack, PAM can be achieved quickly without compromising the productivity that RPA affords.
Like any other new technology, RPA is at its best when the business ROI is high, and the security risk is low. But as new bad actors and threat vectors continue to emerge, it’s critical that enterprises build cybersecurity into the core of their business growth strategy -- leveraging it in tandem with new technologies. Making it more than just an afterthought.
Bhagwat Swaroop serves as President and General Manager of Quest’s One Identity Business Unit and joined the company in November 2020. He is responsible for driving the overall strategy, product innovation, GTM and P&L for One Identity. Bhagwat is a seasoned strategic leader and brings a deep understanding of the enterprise security landscape, technology ecosystem, SaaS and cloud-driven business models. He is a sought-out expert and public speaker on Cybersecurity and implementing Identity Centric Security models in the cloud age.