The security risks of Robotic Process Automation and what you can do about it

PCQ Bureau

As the impact of the pandemic subsides and the business environment goes back to normal, many organisations in India are preparing to leverage available opportunities in the market. The outlook is bullish, and most analysts are optimistic about India’s growth prospects. Recently, the IMF said that India deserves to be called a bright spot due to its fast-growing economy.


To further improve their competitiveness, many Indian organisations are accelerating their automation initiatives with robotic process automation (RPA). Analysts estimate that 84% of Indian organisations will scale up their RPA initiatives or reach enterprise-wide RPA deployment by 2025.

RPA is a productivity tool that lets enterprises create scripts (called bots) that replay the steps a user would take to complete a task. For example, a bot can extract the name, email address and phone number from customer emails and load them into a database. Other common use cases include sending personalised emails to thousands of customers, issuing invoices and onboarding customers. The basic objective of RPA is to automate repetitive tasks that would otherwise need a person at the keyboard. As a result, it is common to see thousands of bots deployed in Indian enterprises.

RPA clearly promises numerous benefits to the organisations investing in it: higher worker productivity, automation of tedious and monotonous tasks, and improved efficiency. But its rapid growth also brings a wave of machine identities, the RPA bots that carry out these tasks, and with it an enlarged attack surface that organisations need to protect.


RPA introduces a new cyberattack surface for human and non-human identities

RPA bots require privileged access (sometimes called "power access") to do their work, such as logging in to ERP, CRM or other business systems to read, copy or paste information or move data through a process. Because the bot needs this access every time it runs, privileged credentials are often hard-coded directly into the script or the rules-based process the bot follows. Alternatively, the script may include a step that retrieves the credentials from an insecure location, such as a commercial off-the-shelf (COTS) application's configuration file or database. Either way, the secret travels with the script, into version control, backups, shared drives and logs.

RPA credentials are also commonly shared between bots so they can be reused. Because these accounts and credentials are left unchanged and unprotected, an attacker who obtains them can use them to elevate privileges and move laterally to reach critical systems, applications and data. Users with administrator privileges can likewise retrieve credentials from unprotected storage locations. As enterprises running RPA often have numerous bots in production at any given time, the exposure is considerable. Securing the privileged credentials used by this emerging digital workforce is therefore an essential step in securing RPA workflows.


The CyberArk 2022 Identity Security Threat Landscape report finds that 68% of non-human identities, or bots, have access to sensitive data and assets. Since machine identities now outnumber human identities by 45 to 1 on average, this is a serious exposure.

This explosion of identities puts more pressure on security teams, since every unmanaged identity is another credential that can be stolen. Machine identities pose the biggest problem, because they can be created quickly and at scale, often without the review that human accounts receive.

Further, while human credentials are usually covered by an organisational policy that mandates regular changes, bot credentials tend to remain unchanged and unmanaged. Anyone who can read or search the scripts, whether an external attacker or an insider, can recover the hard-coded credentials from them.


Organisations that cannot deploy their bots securely end up slowing down RPA adoption. The same report states that security concerns have led 74% of organisations to slow down RPA and bot deployments, and that only 28% currently have identity security controls in place to secure RPA.

Preventing unauthorised access and misuse

Organisations need to secure and manage the credentials used in RPA by protecting them against unauthorised access and misuse:

  • Limit the applications each software robot can access, and make sure security teams can monitor any intervention by RPA administrators in robot-executed processes.
  • Protect the RPA console itself: manage the credentials used by RPA administrators, isolate and monitor their sessions, suspend or terminate suspicious ones, and keep a comprehensive audit trail of every intervention.
  • Remove privileged credentials from RPA scripts and use a privileged access management (PAM) solution to store and manage them centrally, so that a bot retrieves its credential at run time rather than carrying it.
  • Build these privileged access controls directly into the RPA pipeline. That simplifies operations, strengthens security and lets RPA deployments scale more efficiently; PAM solutions also make it easy for citizen developers to comply with corporate security standards and policies, reducing exposure while getting the most from the RPA investment.

The importance of automation

While the practices above may seem straightforward, applying them manually across thousands, or even hundreds of thousands, of bots is very difficult. Automating credential management wherever possible removes much of the security burden from employees, whether they are developing RPA bots or approving deployments. For example, with all credentials held in a centralised repository, organisations can enforce consistent security standards for bots and applications, generate complex passwords automatically and rotate them on a schedule, and strip hard-coded credentials out of bots and secure them.
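The two halves of this article, the risk of credentials hard-coded into bot scripts and the control of moving them into a central store that rotates and audits them, are easier to see in code. The following is an added example, not code from the article, from CyberArk or from any RPA product: a scanner that flags hard-coded secrets in bot scripts, run over a constructed "before" script and its "after" form, plus a minimal in-memory stand-in for a PAM vault. The sample scripts, the regex, the CentralVault class, the account name erp-invoicing and the bot identities are all assumptions made for illustration.

```python
"""Added example (not from the article or CyberArk): a scanner that flags
hard-coded credentials in RPA bot scripts, and a minimal central vault that
shows what "remove the secret from the script" looks like at run time.

Everything here is constructed for illustration: the sample bot scripts, the
regex, the CentralVault class and the bot identities are assumptions, not a
real PAM product's API.
"""
import re
import secrets
from dataclasses import dataclass, field

# Constructed "before" script: the bot carries its own ERP password and an
# SMTP API key, so anyone who can read the script (or the repo or backup it
# lands in) holds the same privileged access the bot does.
VULNERABLE_BOT = """\
ERP_USER = "svc_rpa_invoices"
ERP_PASSWORD = "Summer2021!"   # shared across bots, never rotated
erp.login(user=ERP_USER, password=ERP_PASSWORD)
SMTP_API_KEY = "rpa-mail-key-9f3a7c1e"
"""

# Constructed "after" script: the bot only names the account it needs and
# identifies itself; the secret is fetched at run time and never written down.
HARDENED_BOT = """\
creds = vault.fetch("erp-invoicing", requester="bot-invoices-01")
erp.login(user=creds.username, password=creds.password)
"""

# Assignment of a quoted literal to a variable whose name suggests a secret.
# References such as password=ERP_PASSWORD are not literals and are ignored.
SECRET_PATTERN = re.compile(
    r"(?i)(\w*(?:password|passwd|pwd|secret|api_?key|token)\w*)"
    r"\s*[=:]\s*[\"']([^\"']{4,})[\"']"
)


def find_hardcoded_secrets(script_text: str) -> list[tuple[int, str]]:
    """Return (line number, variable name) for every hard-coded secret."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        match = SECRET_PATTERN.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


@dataclass
class Credential:
    username: str
    password: str
    version: int


@dataclass
class CentralVault:
    """Stand-in for a PAM / secrets store: the vault owns the account
    password, only enrolled bot identities may fetch it, rotation replaces it
    without touching any script, and every access or denial is logged."""
    _accounts: dict = field(default_factory=dict)
    _acl: dict = field(default_factory=dict)  # account -> allowed bot ids
    audit_log: list = field(default_factory=list)

    def onboard(self, account: str, username: str, allowed_bots: set) -> None:
        self._accounts[account] = Credential(username, secrets.token_urlsafe(24), 1)
        self._acl[account] = set(allowed_bots)

    def rotate(self, account: str) -> int:
        old = self._accounts[account]
        new = Credential(old.username, secrets.token_urlsafe(24), old.version + 1)
        self._accounts[account] = new
        self.audit_log.append(("rotate", account, None))
        return new.version

    def fetch(self, account: str, requester: str) -> Credential:
        if requester not in self._acl.get(account, set()):
            self.audit_log.append(("denied", account, requester))
            raise PermissionError(f"{requester} may not use {account}")
        self.audit_log.append(("fetch", account, requester))
        return self._accounts[account]


def demo() -> dict:
    """Run the scanner on both scripts and exercise the vault end to end."""
    vault = CentralVault()
    vault.onboard("erp-invoicing", "svc_rpa_invoices", {"bot-invoices-01"})
    first = vault.fetch("erp-invoicing", requester="bot-invoices-01")
    vault.rotate("erp-invoicing")            # scheduled rotation, no script change
    second = vault.fetch("erp-invoicing", requester="bot-invoices-01")
    denied = False
    try:                                     # a bot outside the ACL is refused
        vault.fetch("erp-invoicing", requester="bot-onboarding-07")
    except PermissionError:
        denied = True
    return {
        "vulnerable_hits": find_hardcoded_secrets(VULNERABLE_BOT),
        "hardened_hits": find_hardcoded_secrets(HARDENED_BOT),
        "rotated": first.password != second.password and second.version == 2,
        "denied": denied,
        "audit": list(vault.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the scanner over the "before" script reports the ERP password on line 2 and the API key on line 4, while the "after" script produces no hits because it contains only the account name and the bot's identity. The vault side shows the properties the article's bullet list asks for: the password is rotated without any bot being edited, a bot that is not enrolled for the account is refused, and the audit log records every fetch, rotation and denial by bot identity. A real PAM integration replaces the in-memory dictionary with an authenticated call to the vault, but the shape of the bot script does not change.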

By following some of the best practices described above, enterprises can take full advantage of their RPA initiatives securely.

Author: Sumit Srivastava - Solutions Engineering Manager - India & SAARC at CyberArk