Exploring the Risks of Automation


What are the risks of Automation?

There are three areas of risk to consider:

  • Security – The enforcement of controls
  • Compliance – The adherence to legal and standards requirements
  • Business – The impact on the business today and in the future

In enterprise organisations there can be specialist teams for IT Security, Compliance and Risk Management each responsible for policy, monitoring, etc.

Each team often has many business processes to perform on a daily basis; hence their activities are potentially candidates for automation.

As automation is being implemented what happens to the risks in these areas?

  1. TLDR
  2. What Changes with Automation
  3. Password Risk
  4. Security enhanced with MFA
  5. Fraud Prevention by Design
  6. Gossip and Careless Talk – Data Leakage
  7. The Less They Know, the Better
  8. Security by Design
  9. Manage Risks from Automation Deployment
  10. Automation Operating 24 x 7
  11. Withstand an Attack by Design
  12. On-Going Activity for Automations
  13. Prepare for the Worst Case Scenario
  14. Risk of Too Much Complexity
  15. Commercial Risk

1. TL;DR

There are changes to risks for a business from the introduction of automation. By adopting best practices each new risk can be mitigated and the automation will itself reduce some other risks for the business.

2. What changes with Automation?

A business process which already exists and is operated by people will change with automation. The business process will still exist, but where RPA (Robotic Process Automation) is used in the solution, the execution will be carried out by software robots.

In this scenario, the RPA software robot will be executing in a PC / Server controlled by the business. It will have a User Id and Logon to the system just like a person. The software robot will interact with the GUI screens just like a person.

As it is an RPA software robot, the risks from human errors are removed. A clear positive impact for the business.

3. Password Risk

A person may forget their password and require it to be reset. An RPA software robot will never forget a password, but it does need to be stored somewhere. That storage does create a risk.

People use passwords that are relatively short as they need to memorise them. The shorter the password, the easier it is for a hacker to “Crack” it.

An RPA software robot can use very long passwords, making them almost impossible to crack. In addition, as the value does not need to be memorised by a person, the value of the password can be changed frequently providing there is a process in place to implement the changed value.

4. Security enhanced with MFA

A person can work with Multi-Factor Authentication (MFA) by using extra devices (e.g. Mobile Phone) to enhance the security access.

An RPA software robot can access multiple devices to assemble logon details like an MFA process, but it does not have a separately “Held” device. One approach to address this weakness is to have a person involved in the password reset process on a periodic basis.

5. Fraud Prevention by Design

Within an organisation there will be a segregation of roles, to ensure that an individual is not easily able to commit fraud within the business.

During the implementation of automation within a business, individual processes will be automated. It is important that the RPA software robot which executes the automation is not granted more access than would be given to an individual person. If that approach is not adhered to and a software robot is compromised, it could do damage to the business through its privileged connections.

The requirement for segregation can lead to a need for more automation licences and less than full utilisation, as automated processes are linked to specific RPA software robots.

6. Gossip and Careless Talk – Data Leakage

People are people; they talk to each other. Sometimes in confidence, expecting the conversation to remain private.

Healthcare, in particular, is subject to a high degree of confidentiality. When people perform a business process they see the data. They may not intend to leak it, but gossip about a Celebrity having a treatment can easily occur.

When an RPA software robot executes a business process the data is processed but not remembered. An RPA software robot does not talk about its day with a partner, in the pub or on the train.

The reduction in data visibility is a strength in many respects but if “Bad Data” gets into the system it is less likely to be seen.

7. The less they know, the better

A person may leave a business and work for a competitor. Staff who have processed data may well remember the “Prices” that were used for a particular client and that commercially confidential data may transfer with the person to the competitor.

RPA software robots process data within the business—and unlike employees, they never take that knowledge elsewhere.

Once a business process is automated, there is a risk that people will not know how to execute the process manually in the event of a business contingency.

8. Security by Design

During process automation, data gets stored to enhance scaling, re-run and re-start. For example, data being placed on a queue. Any such data storage needs to encrypt the values so that, in a scenario where the RPA software robot is stopped from processing, the data it has obtained with privileged access is not left in a more exposed state.

To minimise the risk, data should be encrypted at rest (data storage) and in transit (data transmission). This does require more computing resources, but it is necessary for compliance in many industries.

9. Manage Risks from Automation Deployment

The process of creating an automation using RPA software robots needs to follow the established IT pattern of using different environments for development, testing and production.

Access to each environment can follow usual IT practices and the data contained in each environment should reflect the other systems used in the environments. This keeps the risk profile the same as the use of other IT systems.

Code for an automation should be able to follow the same procedure used for a controlled release across the environments, so that minor software fixes and new automations can be released to production with the same risks as other IT work.

Processes need to be implemented to make regular upgrades to RPA software and to apply any available software patches released by the software vendor in a timely manner.

10. Automation operating 24 x 7

One of the benefits of automation is that activity can occur 24 x 7, which delivers a lot of capacity. It does create a risk in that some of the activity could occur when other people are not actively working, which provides a time period in which any compromise could operate for hours before the activity is detected.

With the RPA software robot operating independently, its activity should still be subject to a level of monitoring. Software robots are able to produce detailed audit trails which can be checked to verify the activity.

One approach is to have RPA software robots independently checking the audit trails produced by other robots. This helps reduce the risk from a single RPA software robot being compromised and operating without being detected.

When an automation deployment is first established, it is frequently the case that there is a lot of spare capacity. With the 24 x 7 operation, checks need to be established to avoid the risk of the available capacity being used for an unauthorised process which is left undetected.
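One way to implement the audit-trail check described in this section, combined with the segregation rule from section 5, as an added example that is not part of the original article. The log format, robot names and process names are constructed for illustration and do not come from any RPA product.

```python
import csv
import io

# Constructed sample audit trail; the column layout is an assumption.
AUDIT_TRAIL = """robot,timestamp,process,outcome
robot-invoices,2024-03-04T09:15:00,invoice-entry,ok
robot-invoices,2024-03-04T23:40:00,invoice-entry,ok
robot-payments,2024-03-05T02:10:00,payment-release,ok
robot-invoices,2024-03-05T02:30:00,payment-release,ok
robot-invoices,2024-03-05T03:05:00,bulk-export,ok
robot-spare,2024-03-05T03:20:00,invoice-entry,ok
"""

# Approved work per robot, mirroring the segregation of roles (hypothetical names).
APPROVED = {
    "robot-invoices": {"invoice-entry"},
    "robot-payments": {"payment-release"},
}


def review_audit_trail(text, approved):
    """Return (robot, timestamp, process, reason) for each entry needing review."""
    # Every process that some robot is allowed to run.
    all_approved = set().union(*approved.values())
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        robot, process = row["robot"], row["process"]
        if robot not in approved:
            # Spare capacity being used by a robot nobody registered.
            reason = "unknown robot"
        elif process in approved[robot]:
            continue  # approved work, at any hour of the 24 x 7 schedule
        elif process in all_approved:
            # A real process, but one that belongs to a different robot.
            reason = "segregation breach"
        else:
            reason = "unauthorised process"
        findings.append((robot, row["timestamp"], process, reason))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_TRAIL, APPROVED):
        print(*finding, sep="  ")
```

The approved late-night run of `invoice-entry` passes, while the three entries that fall outside a robot's approved work are reported with a reason that tells the reviewer which control was bypassed.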

11. Withstand an attack by Design

One of the ways an RPA implementation can be compromised is by a Denial of Service attack.

The scenario is that an attacker attempts to overwhelm RPA with many requests.

In many situations the risk is mitigated by monitoring activity on network traffic and by cloud software management tools.

When designing automations, it is important to not leave connections in place longer than is necessary for the specific activity of the task. This minimises the potential for any exploitation should an RPA software robot become prevented from operating normally.

The potential for external attacks can change depending upon the RPA software infrastructure used between the location of the executions, the applications being automated, etc.

Automation can benefit from the use of secure VPNs and cloud infrastructure just like other IT systems.

12. On-going activity for Automations

The Best Practice for Secure RPA Implementation and Operation is to ensure RPA operates with the appropriate Cyber security approach:

  • Conduct regular risk assessments to verify changes and enhancements have not created a vulnerability.
  • Inspect Authentication and Access Control to ensure appropriate credentials are used and that “Least” privilege access has been implemented with appropriate segregation.
  • Check that RPA software is updated with current patches.
  • Refresh staff involved with RPA about cyber security awareness.
  • Verify back-up and recovery processes are active, secure and regularly tested. There may not be a second chance: when business contingency is invoked, everything has to work.

13. Prepare for the Worst Case scenario

Knowing that the worst case scenario of an automation having been compromised is possible, it is sensible to address the risk with an Incident Response Plan (IRP).

Best practice suggests creating a broad IRP tailored to RPA-related incidents, as the specifics of the compromise cannot be known in advance. The plan should include strategies for incident:

  • detection
  • reporting – determine classification and escalation path
  • containment
  • eradication
  • recovery
  • post-incident analysis.

Plans may not be perfect, but any plan is better than no plan.

14. Risk of too much complexity

Risks need to be kept in proportion to the business. The more protection, monitoring and controls that are implemented the more complex the automation becomes. A quick look at the risks discussed indicates the idea of asking AI to generate an Automation is clearly not going to be a complete solution.

What are the risks of NOT deploying automation in a business?

That is a topic for another edition of the newsletter.

15. Commercial Risk

There is a cost to the implementation of automation and its on-going operation. Provided appropriate activities have been automated, there will be an ROI for the business.

Once an initial automation is established, the ROI is usually improved by the development and deployment of additional automated tasks as it provides a broader base to share the automation infrastructure costs.

 

For more information on Robotic Process Automation (RPA) as well as Agentic Automation and the journey to implement automation please see our website: https://www.ether-solutions.co.uk/.

Manager’s Guide to Automation: https://www.ether-solutions.co.uk/managers-guide-to-automation-using-software-robots/

Article Author

David Martin

Managing Director, Ether Solutions

https://www.ether-solutions.co.uk/

 

 
