The deployment of RPA (Robotics Process Automation) has been proceeding rapidly as a tool for streamlining operations. While RPA brings about many operational conveniences, new risks unlike any that have arisen before are creating new problems. We asked Kai Ohta of NRI SecureTechnologies about the risks associated with the use of RPA and countermeasures against such risks.
RPA realizes significant work reduction through automation
Workstyle reforms are being pushed forward throughout Japan, and when it comes to dealing with the issue of reductions in the labor force due to a decreasing birthrate and an aging population, the improvement of operational efficiency is an important matter. As a means of achieving this, RPA has been getting a lot of attention.
RPA is mainly a mechanism for automating simple administrative work using PCs, and can be used for various purposes. Some examples of work that can be automated are cross-checking data, transcribing email contents onto business applications, and collecting specific information from the Web.
How much can workloads be reduced by using RPA? Kai Ohta of NRI Securities has the following to say. “It differs depending on the content of the work and calculation methods, but at one government agency, the workload was reduced by roughly 80% by the deployment of RPA. It is our impression as well that such a figure is well within a scope that can be realized.”
New risks that arise from the deployment of RPA
Ohta points out that while RPA can significantly reduce workloads in such a way, there are new security risks that can arise.
“For example, the impact from setting errors for robots associated with the automation of work is a concern. When we think of robots, we might tend to think that robots never make mistakes, but robots consist of programs, and erroneous settings can occur. Such setting errors can create problems such as erroneous billing of customers and erroneous transmission of important information. Further, unauthorized use of a robot through a virus is another big risk. Not only is there a possibility that important information will be stolen, but a virus infection can cause a robot to malfunction, forcing operations to be stopped.
In addition, Ohta states that unauthorized use of a robot by an insider is also a concern. “When data is inputted into an internal system using a robot, the necessary IDs and passwords will be set with the robot. If a person who is not authorized to access the internal system operates the robot, it will be possible for that person to use the ID and password set with the robot to gain unauthorized access to the internal system.”
Not only will new risks arise from the deployment of RPA, but existing risks may also be amplified. One specific example is the impact of abnormal processing from operational errors. Because robots can handle large volumes of work quickly, compared to operational errors by humans, an operational error by a robot will have an impact on a much larger amount of data.
Further, when an attack aimed at confidential information is carried out, if a robot with access rights to several systems is hijacked, confidential information can be accessed more efficiently than by attacking individual systems. Such a cyberattack can be regarded as one of the risk factors that are amplified by RPA.
To minimize risk, collaboration by user departments and system departments is important
In aiming to streamline operations by using RPA, it is necessary to understand such security risks. However, automation by RPA is often carried out by user departments, and robots are frequently set up without sufficient knowledge of IT or security risks. Ohta states that consequently, it will be important for system departments and user departments that use RPA to communicate with each other.
“If a user department wishes to achieve something using a robot, it is necessary to determine the feasibility and security risks. You need to have a framework in place, and to develop a mechanism for using robots after the user department and the system department have reached a common awareness. Further, it is important that with such a mechanism, the system department, with its expertise, supports and gives advice on the use of robots. Finally, a check should be done from the viewpoint of an IT specialist. Otherwise, it would be very difficult to sufficiently minimize the risks.
However, currently, RPAs are often used without fully understanding the unique risks that have arisen from their use. To deal with such issues, NRI Secure has systemized various risk management know-how cultivated in the RPA field including security measures as “RPA Risk Management Tools”. These tools comprise materials that explain RPA risks, templates for internal rules, and risk check sheets for each type of robot. Utilizing these tools makes it possible for an internal management system and the rules necessary for managing RPAs to easily be put in place.
It can be said that RPA is a “double-edged sword” with significant advantages and risks. In the use of RPA to streamline operations, the risks also must be fully understood. With such un understanding, RPAs should be used only after a mechanism is developed to ensure that they are used safely.
Nomura Research Institute, Ltd.
Corporate Communications Department