Automation Security: The Questions You Should Be Asking
To stay safe and keep their RPA bots up and running, credit unions should have answers to five critical questions.
It is an understatement to say that credit unions have been profoundly impacted by robotic process automation (RPA). With automation estates in some credit unions now extending into the hundreds and their annual RPA spend on the rise, credit unions increasingly are shifting from legacy tools to a newer generation of cloud-based intelligent platforms, while using RPA to automate both repetitive, rules-based tasks and more complex, end-to-end processes.
While greater use of automation has increased productivity and saved money for countless credit unions, it has also opened the door to a wide range of security threats. As with so many other technological advances, cybercriminals are chomping at the bit to test the vulnerability of automation processes currently in use. Without proper security measures in place, an RPA bot potentially could introduce ransomware into the work environment, expose sensitive data, or reveal private credentials such as passwords and usernames.
To guard against all sorts of outside threats, from hacking and data theft to viruses, malware and other malicious actions, credit unions should be asking five critical security questions in order to stay safe and keep their RPA bots up and running.
Question #1: What systems can my RPA bots access? Since an RPA bot is completing tasks previously performed by an employee, it likely needs access to email, ERP systems and any other required SaaS solutions. And just like an employee, the RPA bot should follow the principle of least privilege: It should only have access to exactly what is needed to get the job done. Doing so minimizes any potential damage should a cybercriminal gain access to a bot. With that in mind, credit unions should conduct regular access audits of their RPA bots to determine exactly what solutions each bot has access to and what it potentially can do with that access.
Question #2: Were any RPA security corners cut in initially implementing RPA? RPA came on the scene quickly and spread like wildfire as credit unions looked to lower costs and improve productivity. This sometimes led to a few corners being cut when it came to RPA security. A common security practice overlooked by some RPA developers, for example, was assigning a unique identity to each bot. Creating a single account for four or five different automated workflows potentially can make it extremely difficult to pinpoint the point of entry after a security breach. It can also magnify any damage resulting from the breach since it exposes four or five bots, not just one. While security practices have improved over time, credit unions should check older workflows and fix any shared access still in use.
Question #3: Are there rigorous security processes for retiring bots? Like all things, RPA bots are eventually retired. When that happens, though, are the systems they had access to still left open? If so, it could leave the door open to the introduction of ransomware or other malware. As a result, it is essential for credit unions to have a rigorous process in place when retiring RPA bots that are no longer in use, which includes closing and deactivating any previously required accounts.
Question #4: Who has access to your RPA tools and how easy is it for them to log in? Typically, whoever has access to an organization’s RPA tools may also have access to its RPA bots. Given that, it is important for credit unions to ensure that the only people who have access are those who absolutely need access. In addition, credit unions should deploy up-to-date security measures, such as multi-factor authentication or a secure password manager. It also represents another reason why credit unions should perform a regular audit of their RPA tools, disabling any accounts that may no longer be needed.
Question #5: Are cloud-native, security-minded vendors being used to handle the RPA toolset? Before partnering with any RPA vendor, credit unions should make certain they have an in-depth understanding of the security practices and backup procedures the vendor uses, as well as any auditing standards and accreditations for personnel working on the account. Because third-party breaches are a common problem for enterprise organizations, if a vendor being used gets breached, your credit union might also be breached.
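The audits behind Questions #1 through #3 can be run as one pass over a bot inventory. The following is an added example, not part of the original article or any RPA vendor's tooling; the inventory fields, account names and workflow names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory; the field names are assumptions, not a product schema.
BOTS = [
    {"workflow": "loan-intake", "account": "svc-rpa-01", "status": "active",
     "account_enabled": True, "granted": {"email", "erp", "core-banking"},
     "required": {"email", "erp"}},
    {"workflow": "statement-mailer", "account": "svc-rpa-01", "status": "active",
     "account_enabled": True, "granted": {"email"}, "required": {"email"}},
    {"workflow": "card-dispute", "account": "svc-rpa-02", "status": "retired",
     "account_enabled": True, "granted": {"erp"}, "required": set()},
    {"workflow": "member-onboarding", "account": "svc-rpa-03", "status": "active",
     "account_enabled": True, "granted": {"crm"}, "required": {"crm"}},
]


def audit(bots):
    """Return sorted (check, subject, detail) findings for the inventory."""
    findings = []
    by_account = defaultdict(list)
    for bot in bots:
        by_account[bot["account"]].append(bot)
        # Question 1: an active bot holds access beyond what its task requires.
        if bot["status"] == "active":
            excess = bot["granted"] - bot["required"]
            if excess:
                findings.append(("excess-access", bot["workflow"],
                                 ",".join(sorted(excess))))
    for account, users in by_account.items():
        # Question 2: one identity shared by several workflows hides the
        # point of entry and exposes every workflow that uses it.
        if len(users) > 1:
            findings.append(("shared-account", account,
                             ",".join(sorted(u["workflow"] for u in users))))
        # Question 3: every bot on the account is retired, yet it still works.
        if (all(u["status"] == "retired" for u in users)
                and any(u["account_enabled"] for u in users)):
            reachable = set().union(*(u["granted"] for u in users))
            findings.append(("orphaned-account", account,
                             ",".join(sorted(reachable))))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject, detail in audit(BOTS):
        print(f"{check:17} {subject:18} {detail}")
```
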
For the most part, modern cloud solutions offer far more security benefits than concerns. A top cloud solution such as Microsoft Azure, for example, provides state-of-the-art physical security, data centers in regions around the world where data can be siloed for data residency, rigid backup procedures and sophisticated security practices. These include a 24/7 Security Operation Center and Security Information and Event Management monitoring software, which can detect a potential security incident at its earliest possible point.
While automation is continuing to heighten productivity and reduce costs for credit unions, those benefits can immediately be undermined by a minuscule gap in security. To keep automations secure and productive – and their members safe and free from security worries – it is essential for credit unions to take RPA security seriously. If they don’t, cybercriminals undoubtedly will, and will be ready to take advantage of any security lapse they can find.
Tony Higgins is the Chief Product Officer at Blueprint Software Systems, a provider of digital process design and management solutions based in Toronto, Ontario, Canada.