The risks with robots: How to secure RPA
Governments are looking to automate processes. Here’s what they need to look out for.
Robotic process automation (RPA) is a technology that uses robots to complete repetitive and often tedious tasks, allowing humans to do higher-level work. Useful as they are, these bots present fresh opportunities for hackers. When an organisation runs thousands of bots, the risks compound significantly.
GovInsider looks at the value of RPA in transforming public services, the cyber risks it brings and how governments can keep their robots in check.
How governments are using RPA
Automated robots bring considerable value to governments. They improve productivity while driving costs down. They can also be easily scaled to serve entire cities and countries.
Governments have used RPA for a wide range of things, including conducting more thorough audits and streamlining recruitment. The bots can even be combined with AI and advanced sensors to do more complex things, such as in autonomous vehicles, Assistant Professor Foong Shaohui from the Singapore University of Technology and Design has shared with GovInsider.
What are the cyber risks?
These robot colleagues may introduce new threats into an organisation’s network, however. They often need special access to an organisation’s data and systems to do their jobs. Many developers write this privileged access straight into the code to make the bots more efficient.
But this makes them extremely vulnerable to malicious hackers. Hackers only need to get past one bot before they have access to an entire network.
With the right credentials, hackers can even reprogramme robots to destroy or change sensitive data, shut down the network, or transfer large sums of money directly into their pockets. These bots are built to be efficient, and will do whatever they are programmed to do fast, even if it’s a malicious act.
Five steps to securing robots
How then can organisations ensure they use RPA without risking their entire network? Chief information security officers from leading organisations around the world share their advice in this report by cybersecurity experts at CyberArk and a research institute.
First, organisations need to think about security from the start. Firms often loop in security teams only after the bots have been built, but they should be involved from the moment the organisation considers using RPA. This ensures the system is designed to place security at the forefront.
Second, security teams need to be very, very strict about who can reprogramme these bots. This means keeping close tabs on who has permission to change the code, and being quick to remove unnecessary access when users change roles.
A privileged access management system will help here. Cyber officers can easily grant or remove access to critical systems for individual user accounts, so everybody has just the right amount of access to do their jobs, and there is a lower risk of compromise.
Third, the bots’ credentials should be changed frequently, just as humans need to change their passwords every few months. CyberArk’s privileged access management tool can be integrated with the RPA system, so it can automatically rotate bots’ credentials as frequently as every four hours.
Fourth, organisations need a good system for monitoring RPA activity. They should appoint robot managers - human staff who oversee each robot’s activity. They can review a bot’s access privileges, and will be held accountable if it does anything suspicious.
Lastly, get everyone on board. Firms have to make sure everyone on the team knows the risks of RPA and how to manage them. Security teams have the responsibility to break down the implications of using RPA so stakeholders are not blindsided.
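The checks behind steps two to four, and the hard-coded access described earlier, can be run as a routine audit over a bot inventory. The following is an added example, not code from the report or from CyberArk; the record fields, the regex heuristic for literal secrets, the `vault.fetch` call inside the sample source and the sample bots themselves are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(hours=4)  # rotation interval cited in the article

# Assumed heuristic: a secret-like name assigned a quoted literal in bot source.
HARDCODED = re.compile(
    r"""(?i)\b(password|passwd|secret|api_?key|token)\b\s*[:=]\s*["'][^"']+["']"""
)

def audit_bot(bot, now):
    """Return the findings for one bot record (hypothetical schema)."""
    findings = []
    for lineno, line in enumerate(bot["source"].splitlines(), start=1):
        if HARDCODED.search(line):
            findings.append(f"hard-coded credential in source, line {lineno}")
    if now - bot["credential_rotated_at"] > ROTATION_WINDOW:
        findings.append("credential older than rotation window")
    if not bot.get("manager"):
        findings.append("no robot manager assigned")
    # People who can still reprogramme the bot after moving to another role.
    for user, role in sorted(bot["editors"].items()):
        if role not in bot["roles_allowed_to_edit"]:
            findings.append(f"stale edit access: {user} ({role})")
    return findings

def audit_inventory(bots, now):
    """Map each bot name to its list of findings (empty list means clean)."""
    return {bot["name"]: audit_bot(bot, now) for bot in bots}

# Constructed sample inventory, not real data.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_BOTS = [
    {"name": "invoice-bot", "manager": None,
     "source": 'user = "svc_invoice"\npassword = "Spring2024!"\nlogin(user, password)',
     "credential_rotated_at": NOW - timedelta(days=90),
     "editors": {"alice": "rpa-developer", "bob": "hr-analyst"},
     "roles_allowed_to_edit": {"rpa-developer"}},
    {"name": "audit-bot", "manager": "carol",
     "source": 'cred = vault.fetch("audit-bot")\nlogin(cred.user, cred.secret)',
     "credential_rotated_at": NOW - timedelta(hours=1),
     "editors": {"alice": "rpa-developer"},
     "roles_allowed_to_edit": {"rpa-developer"}},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_BOTS, NOW).items():
        print(name, findings or "OK")
```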
RPA will be an important part of public service in the future as governments look to automate processes. While civil servants will be able to spend more time responding to citizens’ needs, they need to be careful about securing every new technology introduced, so they can safeguard the nation’s systems and data.
To find out more on how to secure RPA workloads, please check out CyberArk's website.