Although automation is universally applicable to every organization, robotic process automation (RPA) also has unique applicability across industries. Some RPA, such as order processing and payroll calculations, are common across industry sectors, while others, such as revenue assurance and customer invoicing, are unique to certain sectors.
For example, the risks and controls applied to customer invoicing within a technology or electricity company are different from those in a manufacturing organization. RPA has access to confidential/sensitive personal information while performing these tasks, including customers’ credit limits, credit card information, user IDs and passwords, date of birth, and bank details of stakeholders including employees, vendors, sub-contractors, and customers.
Organizations should ensure they consider all the risks before implementing RPA – which is something I wrote about in my previous blog. In particular, risks related to cybersecurity and data privacy arise from unauthorized use of privileged access and vulnerabilities in RPA technology architecture – which can be exploited to steal sensitive personal information and make unauthorized changes to data – often leading to process disruption and compromise of data privacy.
Here are some of the key controls I recommend my clients implement to help mitigate cybersecurity and data privacy risks:
- Monitoring and governance
- Lay down a strong governance mechanism with clear roles and responsibilities. This is particularly important with respect to configuration and technology controls, as this is often a grey area from a responsibility and accountability perspective.
- Monitor robotics’ security policies on a regular basis.
- Review access controls, segregation of duties, and key reports containing personal information
- Centralize the robotics identity and access management process to get a unified identity management and profiles. At the same time, ensure that it does not become the single point of failure.
- Review of access rights and segregation of duties (SoD) periodically. Also ensure that the bare minimum rights, are provided to RPA to perform the operations, as required.
- Monitor reports impacting sensitive personal information to ensure that such reports are not downloaded and shared to platforms and databases openly accessible on the internet.
- Enable and review audit logging on critical/sensitive data, especially personal data.
- Enforce security controls such as passwords during the entire RPA cycle.
- Map personal data to applications and ensure that access to such applications is very stringent.
- Perform a data privacy impact assessment and implement adequate controls to protect the privacy of personal information.
- Carry out a periodic RPA audit and assessment
- Perform regular internal and external audits/reviews of RPA solutions. For example, RPA for customer invoicing should be reviewed to ensure that billing rates (especially at the time of contract renewal) are properly captured and billing is accurate. Further, calculation and disclosure requirements as per customer contracts are rightly captured in the solution.
- Perform vulnerability assessment and penetration testing to identify potential vulnerabilities and implement suitable controls.
- Monitor audit logs from controllers and bots regularly, especially when there is abnormal spike in activities and use of privileged access.
- Create awareness
- Instill a culture of awareness of the key risks about RPA solutions including the Dos and Don’ts, etc.
- Encrypt sensitive and personal data
- Encrypt data to ensure that even if the data is compromised, it is very difficult to decrypt, thereby saving the organization from loss of reputation and severe penalties.
The above risks and controls are illustrative. Every organization deploys certain controls depending on their risk assessment and appetite. What kind of controls do you employ in your organization to protect information?
To learn how Capgemini can help your organization analyze risk prior to RPA implementation, contact: email@example.com
Learn more about how Capgemini’s Intelligent Process Automation offering can stimulate the erosion of organizational silos around your front, middle and back-office processes, resulting in the emergence of a new, borderless, highly automated client-centric organization.
Ajay Gupta has diversified and rich experience in risk management, governance, risk, and compliance, automation and process transformation. He is currently the Head of Shared Service for Nordic countries at Capgemini.