As part of their ongoing digital transformation journeys, enterprises are turning to robotic process automation (RPA) to enhance efficiency and productivity. According to Deloitte, 53% of organisations had started to leverage RPA in 2018 to automate repetitive tasks so that the human workforce can focus on higher-value work, accelerate business value and increase process scalability.
RPA adoption is expected to increase to 72% by 2020 and, if adoption continues at its current level, RPA will achieve near-universal adoption by 2023.
In the Asia-Pacific region, significant growth is also anticipated, as the RPA market is expected to increase by 203% by 2021. The finance sector is leading the way in the adoption of this technology in the region, as experts forecast that RPA will be in use in 40% of banks and insurance companies by 2020.
RPA: Expanding the cyber attack surface
Despite its many benefits, RPA can introduce significant new security risks and expand an organization’s overall attack surface. In a typical enterprise RPA deployment, an organization may utilize thousands of software robots in production, which are activated and deactivated on-demand.
These robots can perform a huge number of automated, functional tasks every hour – or even every minute. Each one of these software robots requires privileges to connect to target systems and applications to perform assigned duties. If these non-human credentials are left unsecured, they become ripe targets.
Attackers can compromise these valuable credentials to move laterally and advance their attack. Given the number of bots deployed in production at any given moment, these unsecured credentials can expand the attack vector exponentially.
All of this means that as organizations embrace RPA, security teams have to manage and protect privileged credentials for these robots just as they would for any other privileged user or process.
Building the business case for RPA privileged access security
As organizations consider RPA, Chief Information Security Officers (CISOs) and security leaders have a timely opportunity to drive conversations with the business about the value of applying strong cybersecurity to this transformative technology, and related business outcomes.
The following are three ways to build the business case for RPA security, centered on protecting privileged access:
- Reduced risk = additional cost savings. Though current industry estimates on RPA cost savings vary – from 25 to 50% – the ROI is undeniable. The Deloitte study points to total ROI in less than 12 months, with significantly improved compliance, quality, accuracy, productivity and cost reduction. For RPA to realize its full financial promise, security must be built in from the start.
Monitoring and protecting the privileged pathway are the first and most critical steps in securing RPA workflows. This would prevent unauthorized users from gaining access to data processed by RPA software robots, and stop malicious insiders and external attackers from progressing their attack.
- Greater operational efficiency. Approximately 10 to 20% of all human work hours are spent on repetitive computer tasks. RPA helps automate much of this manual “hand work” involved in daily business, such as entering data (like invoices and POs) from one application into another.
Implementing privileged access security for RPA not only drives down risk, but also extends automation to the management and rotation of software robot privileged credentials. This helps IT operations teams streamline processes and improve operational efficiency. By refocusing these teams on less laborious, more business-critical, intellectually stimulating tasks, organizations can motivate employees, reduce stress, spark interest and job satisfaction and reduce employee burnout and churn.
- Simplified compliance. RPA minimizes human access to sensitive data, which can reduce risk and compliance issues. However, RPA requires a host of new non-human “robots” that need privileged access to connect to sensitive systems and information, opening the door to new compliance challenges.
A strong, centralized privileged access security solution can dramatically simplify audit reporting by automating the enforcement of privileged access policies and providing complete visibility into “who,” “when,” “why” and “what” took place during privileged sessions.
The clear business benefits of a strong privileged access security program can be realized across numerous digital transformation initiatives – from RPA and cloud to DevOps. Effectively conveying the value of privileged access security in enhancing the business will help in gaining critical executive support and obtaining necessary budget and resources.
From there, executive leadership could help rally employees to make it an organizational priority, impart a sense of urgency and ownership, and prevent it from being derailed.