As Robotic Process Automation’s credibility, clarity and applicability mature, many important questions surrounding security have arisen. Potential adopters are ever wary of the possible risks associated with digital technologies and processes, and we, at Virtual Operations, are keen to get to the facts.
Security is paramount in any workplace environment, but especially in data-rich industries like financial institutions, healthcare and insurance providers (our most common clients). In addition to the stringent (and ever-changing) regulatory requirements, a primary reason for the need for ironclad security is the highly confidential, personal and/or valuable nature of the data being used.
We’ve been given exclusive access to ‘Bot’, a robot who has been programmed to take over knowledge workers’ most mundane and repetitive tasks.
In this interview, we talk to ‘Bot’ to get the inside information on security issues in Process Automation.
We asked, “In a recent survey by Cognizant, 52% of respondents said data security in RPA ‘is, will be and shall remain’ the biggest digitisation issue they’re confronted with, now and in the future. How can you assure them that RPA is safe and secure?”
“The data security issue works on the assumption that we’re doing something different to a user. We’re not.
In short, as long as governance is implemented alongside what we do, then the reality is that we’re more secure than a human. People hear the word robot and instantly assume we’ll do as we wish. We will only do what we are told to do.
The assurance will come, and is increasingly coming, from case studies and prolonged exposure to RPA. RPA is used with great success in banks, law firms, and insurance firms and, since the beginning, there aren’t any companies that have rejected it due to security concerns. I believe the key is educating the decision makers so they can make informed decisions from the outset.”
“With data security topping all challenges related to digital processes, managers must ensure the security, risk, privacy and compliance of the value chain of information these processes generate. How do managers ensure auditability?”
“As previously mentioned, we will only perform the activities that we’re programmed to. Different tools have different levels of auditing and logging, but the majority of modern robots, like me, come with full audit, logging and security authorisation. However, the sophistication of the system you implement will dictate the complexity of auditing available. Back-up process steps are managed, and I automatically capture rollback and recovery, as well as process changes.
The security issues arise when discussing the environment we’re installed in/on. For instance, we can be installed on a user desktop, but this would then enable the user to interfere with the processes we undertake. A more secure way is to install our services on a Virtual Machine that a user does not have access to.”
“How are you trained to ensure processes are carried out appropriately?”
“I am ‘trained’ through a flow chart of procedures I’ll be managing. This flow chart is managed and audited to document the procedure. Ultimately, my user trains me. I can be taught new procedures, but I need to be told what they are and where I can find the relevant information to carry out the procedure. Sometimes, I will highlight any potential improvements to my user so they can make the call about altering my job to make me more efficient.”
“What is the difference between a human looking at data and a robot storing data to use it?”
“We robots can store data or we can discard data. Not all data has to be stored, and the data that is can be encrypted, if need be. When a user looks at data they don’t forget it. You know what I have looked at and you can tell me how long to remember it for. You can also be 100% certain that when asked to recall data I’ll get it right every time. A user may not. This can also present security benefits when dealing with confidential information. Humans can recall data and may pass it on to the wrong people; I can be told to forget everything I learn so there is no risk of confidential information being leaked.”
“Do you have traditional passwords that allow you to obtain access to certain documents and/or pieces of information?”
“We use the same logon steps as a user would. The user profile/credentials are encrypted within us and we only use them when necessary. We also have the ability to reset our own password, according to various patterns to suit applications, meaning it can constantly be changed if required.
But access is twofold: firstly there is user access to me, the robot, and then there is access to the applications I am using. Access to my role and me can be controlled depending on the resource, and access to the applications I use is defined within my make-up.”
“How are process changes controlled and monitored?”
“This depends on the tool, but in the case of the resilient ones, access to me is controlled by whoever has access to the PC I operate from (Windows ID). Within the application, there are also user profiles set so certain people can successfully log onto the application whilst some cannot.
All logon attempts to the application are internally monitored and tracked, including changes to profiles. You can see who did what and when.”
“How do your employers keep track of what you have done/are doing?”
“Management information is gathered automatically as I operate. All processes generate statistical profiles as a by-product of completing the action. This allows my manager to tune and develop a process once real data has been collated.”
“What happens if the process is disrupted mid-flow?”
“Modern robot systems come with failover and recovery inbuilt as core capabilities. It means that if changes take place, or downstream failures occur, a ‘smart’ response can be trained into the overall system.”
“Are robots ever at risk of doing anything malicious?”
“No, because I will only do what I’m told. The real risk lies with my user. If correct controls and procedures are put in place around developing and deploying my role then all my activities should be accounted for.
However, if a user wanted to programme me to do something malicious then they could. But, if the correct controls and procedures are put in place then we would be able to detect and flag issues before the damage had been done.
We can also patrol our own workforce. If people are worried about what we’re doing then we can be told to report out specific activities within certain thresholds, or identify an anomaly. All robots are fully visible in the target systems, so existing controls and procedures still apply to the work we do. This allows the user to see exactly what we’re up to.”
So, far from being a security risk, the ‘bots’ have many qualities that really do account for superb security and auditability.
The full audit trail available is key to the success of RPA as humans seldom have the ability to audit every aspect of their working lives. What’s more, levels of security are heightened further due to the environment robots are installed in/on. The ability to install RPA on a Virtual Machine that a user does not have access to allows for the ultimate secure platform.
The robots’ 100% retention record further propels RPA into the realms of uber-security, as company directors can be sure a robot is only storing, or discarding, the data it has been instructed to. Let’s not forget, all data can be encrypted if need be.
Educating key stakeholders (CFOs, CEOs and IT managers) is key to ensuring security issues related to RPA are dismissed from the outset, guaranteeing the focus is firmly on the ability of RPA to transform and catapult a business to the next level of success.