Automated workflows are at the heart of many of the latest cloud software services we’ve seen emerge over the past few years. Users are attracted to task automation and workflow systems because they are easy to set up and take the drudgery out of repetitive tasks. However, automations can also become a support nightmare and have been disastrous to organisations’ information security posture. Kinetic IT Enterprise Architect Warren Jervis delves into task automation and shares his top tips on how organisations can implement tools, mitigate the risks, and reap the benefits of task automation.
The rise of task automation
IFTTT.com is a well-known task automation platform, aimed primarily at social media users. Users quickly build automatic social media account integrations, auto-posting their Facebook posts to Instagram, and then sharing them as a Tweet. There are hundreds of service connectors that can integrate a variety of actions from each individual platform together into complex workflows. For this reason, automated workflows become so complex that their effect is impossible to predict.
As platforms mature, major industry players have taken notice. The breadth of services offered has exponentially grown and the number of integrations and interactions has rocketed. Last year’s launch of Microsoft Flow saw incorporation into Office 365 and tight integration with SharePoint Online. Flow allows users to create fully automated workflows between Office 365 applications and services, with notification services and file synchronising. Flow is incredibly powerful and a wonderful tool to skill up end users and drive process efficiencies.
With power comes responsibility in task automation
But with great power comes great responsibility. Now that users can automatically intercept emails, move files to SharePoint, interface with databases and post documents on Yammer, there is a possibility that sensitive data could accidentally end up in the wrong place. Simple workflow automations provide limited functionality which restricts their use and limits the risk, but the ability to chain complicated automations together using several services needs to be considered as a potential security risk.
Even simple task automation processes become complicated very quickly. For example, a flow designed to move sales contacts from a bespoke system to a SaaS marketing platform can involve four separate task automations chained through three different task platforms, using third-party mail providers and data extractors. Organisations considering workflow automation tools should consider the following tips.
9 steps to mitigate security risks and implement task automation tools
1. Identify where task automation is being used
Talk to end-users and take note of what they are saying. Gain a better understanding of how users are interacting with their systems. For example, when you see a corporate communication appear as a LinkedIn post, a Tweet and a Facebook post, ask how this happened. If it’s unsanctioned and they have connected corporate accounts together using a task automation tool, get your security team to check whether there are any risks.
2. Don’t default to saying, “No” to automation
Automating tasks can significantly improve a user’s productivity. If the user has figured out how to automate something and save time, removing the need to perform the task manually, surely that is a good result. Just make sure to consult the security team and address any vulnerabilities or confidentiality issues before it goes live.
3. Choose an appropriate task automation platform
IFTTT.com might well be a good platform for automating your social media postings, but Office 365 contains Flow, which may be a better platform for automating your business tasks. If you need to choose a platform, again, make sure your security team has assessed it.
4. Data identification and classification
Understand the data being transferred through these automation services and understand the security controls you have in place to audit and monitor what’s being sent where and by whom. Your security policies should stop sensitive documents or files from being sent through automated workflows, as this could be higher risk.
5. Address security concerns
There are steps you can take to make sure you don’t lose control of your information when deploying task automation platforms for users. These may seem basic, but don’t underestimate how much control they will afford you. Firstly, always have your security team assess new services prior to deployment. This might seem obvious, but you’d be surprised how many organisations roll out cloud platforms like Office 365 without this kind of screening.
6. Provide training
Provide user training for all new services you roll out to the workforce. Most security breaches can be avoided through simple user-awareness training so always build an adoption campaign into your change programmes.
7. Terminate unused services
Retire old services if you no longer need them. Terminate services and close or suspend associated accounts so that legacy services or workflows outside of your direct control can no longer interact with your business services.
8. Go for authorisation tokens and API keys
Avoid using credentials. Many automation and integration services support the generation of an authorisation token or API key. This affords granular control over the service. An authorisation token or API key is a better way to integrate with an external platform, and if you can take central control over this through your administration team, even better. Always make sure these are unique, so that revocation can be targeted at just one service rather than many.
9. Manage access permissions
Review access permissions in the management platform. Err on the side of caution – if it is beyond your control and you are uncomfortable allowing its use in your business, don’t enable it.
The bottom line
Task automation is here to stay and your end-users are already using it. Take time to understand the who, what, why and how of task automation in your business, and make sure you keep your data safe while helping users streamline their daily activities.