How to prevent security black spots when utilising RPA
The insurance sector is increasingly turning to robotic process automation (RPA) to accelerate digital transformation and automate claim and underwriting processes. While RPA can be a true game changer, allowing insurance companies to automate thousands of hours of manual, repetitive tasks while reducing human errors, it can also be the target of malicious cyberattacks that expose sensitive data which can then be used to access systems, destroy productivity, and commit fraud.
Given the potential for RPA to be compromised, the need to keep automated processes secure from outside threats such as hacking, data theft, downtime, viruses and malware is obvious. An RPA bot, after all, is essentially a digital employee and, just like real-life human workers, is subject to security threats. With that in mind, insurance companies should focus on the following key areas in order to make certain their automated processes remain up and running.
Monitor which systems RPA bots can access
RPA bots should follow the principle of least privilege. Specifically, each bot should only be able to access those internal systems – ERP, SaaS, CRM, HR, email – that are absolutely necessary for it to complete its work. No more. No less. By putting appropriate restrictions on access in place, insurance companies can minimise any potential damage that could occur should a cyber-criminal gain access to their automated processes. In tandem with these limitations, companies should implement regular access audits of their RPA bots in order to determine whether access to specific solutions has been changed or compromised in any way and, if so, what that access enables the bot to do.
Choose which humans access your RPA bots
Just as it is important for insurance companies to restrict the access RPA bots have to their internal systems, it is essential for them to limit human access to RPA tools and bots to those people who must have access. Remember that whoever can access a company’s RPA tools can likely also access its bots. With that in mind, insurance companies should deploy a range of measures, such as multi-factor authentication or a secure password manager, that will limit access and heighten security. It is equally important for companies to conduct regular audits of all RPA systems to confirm that access is available only to those individuals who must have it in order to do their jobs while simultaneously disabling the accounts of any workers who no longer require access or are no longer with the company.
Similarly, before partnering with any RPA vendor, it is important for insurance companies to have a thorough understanding of that vendor’s security practices, backup procedures, auditing standards, and personnel accreditations. While data centres throughout the world typically use rigorous backup procedures and sophisticated security practices such as a 24/7 Security Operations Center and Security Information and Event Management monitoring software, third-party breaches can still happen. And if an insurance company’s RPA vendor gets breached, the company also gets breached.
Review your initial RPA security practices
When RPA was initially introduced, some insurance companies automated everything they could as fast as they could in an effort to lower costs and reach the lofty promises offered by RPA. The pandemic exacerbated this Wild West approach to RPA development as companies desperately looked for ways to save money and handle an increase of repetitive, manual tasks. Unfortunately, this approach to RPA led to more than a few corners being cut when it came to security. Common security practices such as assigning a unique identity to each bot were often overlooked, making it extremely difficult to pinpoint the point of entry if a security breach occurred. While security practices have improved over time, it is important for insurance companies to look back at older workflows to ensure that any shared access issues or other areas which could compromise security are remedied.
Rigorously retire any unneeded RPA bots
When RPA bots are retired, it is possible for the systems they could access to be left open, creating an easy avenue for the introduction of ransomware or other malware. A recent instance of this occurred in 2021 when the Colonial Pipeline, the largest carrier of jet fuel and gasoline in the Southeast US, was hit with a ransomware attack that was eventually traced to one unused but still active VPN account.
Cyber-criminal gang DarkSide initiated the attack after the account was breached and posted on the dark web. With that in mind, insurance companies need to implement a rigorous process for retiring any RPA bots that are no longer needed. This process includes closing and then deactivating any previously required accounts.
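The access audits described under least privilege, the unique-identity problem raised in the review of early RPA practices, and the retirement process above all reduce to checks that can be run over a bot inventory. The script below is an added example, not code from the article or from any RPA product: it works over a small, constructed inventory (the bot names, service accounts and systems are invented for illustration) and flags three things a defender would want to see on a report: bots whose current access has drifted beyond the approved baseline, service accounts shared by more than one bot, and retired bots whose accounts or grants were never closed. The `retire` helper shows the close-then-deactivate step the article calls for.

```python
"""Audit a constructed RPA bot inventory for the gaps the article names.

All data in INVENTORY is constructed sample data for illustration only;
it does not describe any real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Bot:
    name: str
    identity: str            # service account the bot runs as
    status: str              # "active" or "retired"
    approved: Set[str]       # systems the bot is allowed to reach (baseline)
    current: Set[str]        # systems the bot can actually reach today
    account_active: bool     # whether its service account is still enabled


# Constructed inventory (hypothetical bots, accounts and systems)
INVENTORY: List[Bot] = [
    Bot("claims-intake", "svc-claims-intake", "active",
        {"CRM", "ClaimsDB"}, {"CRM", "ClaimsDB"}, True),
    Bot("underwriting-score", "svc-underwriting", "active",
        {"ERP", "ClaimsDB"}, {"ERP", "ClaimsDB", "HR"}, True),   # drifted: HR was added
    Bot("legacy-renewals", "svc-shared-rpa", "active",
        {"CRM"}, {"CRM"}, True),                                  # shared identity
    Bot("legacy-reports", "svc-shared-rpa", "active",
        {"ERP"}, {"ERP"}, True),                                  # shared identity
    Bot("old-mailer", "svc-old-mailer", "retired",
        {"Email"}, {"Email"}, True),                              # retired, account still live
]


def excess_access(bots: List[Bot]) -> Dict[str, List[str]]:
    """Bots whose current access exceeds their approved baseline (least-privilege drift)."""
    return {b.name: sorted(b.current - b.approved)
            for b in bots if b.current - b.approved}


def shared_identities(bots: List[Bot]) -> Dict[str, List[str]]:
    """Service accounts used by more than one bot; these defeat per-bot attribution."""
    users: Dict[str, List[str]] = {}
    for b in bots:
        users.setdefault(b.identity, []).append(b.name)
    return {ident: sorted(names) for ident, names in users.items() if len(names) > 1}


def dangling_retired(bots: List[Bot]) -> List[str]:
    """Retired bots whose account is still enabled or whose system grants remain."""
    return sorted(b.name for b in bots
                  if b.status == "retired" and (b.account_active or b.current))


def retire(bot: Bot) -> Bot:
    """Retirement as the article describes it: revoke every grant, then disable the account."""
    return Bot(bot.name, bot.identity, "retired", bot.approved, set(), False)


def audit(bots: List[Bot]) -> Dict[str, object]:
    """Run all three checks and return the findings as one report."""
    return {
        "excess_access": excess_access(bots),
        "shared_identities": shared_identities(bots),
        "dangling_retired": dangling_retired(bots),
    }


if __name__ == "__main__":
    for finding, detail in audit(INVENTORY).items():
        print(f"{finding}: {detail}")
```

In a real estate the `approved` sets would come from the change-approved design of each workflow and `current` from the identity provider or the RPA platform's own credential store; the point of keeping the two separate is that drift between them is exactly the "changed or compromised" access the audit is meant to surface.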
Clearly, even the smallest security gap can bring an insurance company’s lofty goals for RPA crashing to the ground. Given that, it is important to take RPA security seriously so that those bots can stay healthy, running and productive, which in turn can lead to lower costs and higher productivity.
About the author
Tony Higgins is the Chief Product Officer at Blueprint Software Systems and is responsible for the vision and evolution of Blueprint’s platform, a powerful solution that helps large enterprises understand their RPA estates and automatically migrate them to intelligent automation platforms quickly and efficiently. Tony has a broad base of software delivery skills and experience ranging from start-ups to global enterprises.