There are multiple risks to consider, and, as Knisley notes, one of them ties back to access. The bots are often accessing sensitive systems and information, which means if they are exploited, an attacker can use that access to steal data or gain unauthorized access to systems and applications. In other words, they are yet another conduit into an organization’s crown jewels.
Knisley says the way to address this and prevent unauthorized access is to ensure credentials are stored in a centralized encrypted location, and bot access should be limited by the principle of least privilege.
The next shadow IT?
Security managers need to ensure they are actively collaborating with employees who may be implementing modern technologies to uncover hidden security risks. Secretly deployed RPA could very well become another problematic version of shadow IT that CISOs need to watch out for and warn about.
Other RPA risks to consider
Another scenario to consider when deploying RPA is a denial-of-service interruption, in which bot activities scheduled in rapid sequence overwhelm system resources and either bring bot activities to a stop or disrupt other operations.
As with any other system, security should be part of all phases of designing, building, and operating RPA, says Karul. The same best practices that security teams follow for other kinds of software, such as assigning a unique ID, enforcing strong password rules, automating, and centralizing credential management, are essential when using RPA.