6 hidden risks of IT automation

Automating business processes continues to be a high priority for enterprises and IT organizations, as they look for ways to improve services, cut costs, and add efficiencies.

According to the 2024 State of the CIO survey, IT leaders cite business process and IT automation as the No. 2 technology initiative driving the most IT investment at their organizations this year, behind only security management. And automating business and IT processes is the No. 1 way IT organizations are becoming more business-driven, according to the 875 IT leaders surveyed.

To do so, companies are applying automation tools such as robotic process automation (RPA) to areas such as administration, reporting, customer support and customer experience, data migration, data analysis, and others.

The global RPA market is expected to grow from $13.86 billion in 2023 to $50.5 billion by 2030, at a compound annual growth rate of 20% over the estimated period, according to research firm Fortune Business Insights.

The firm’s October 2023 report on the market says RPA adoption is increasing across organizations of all sizes, and major market players are launching new platforms based on artificial intelligence (AI), machine learning, and cloud models to help meet the increasing demand.

More and more organizations are adopting RPA to automate business processes and handle increasingly complex data, the report says.

IT automation can come with some unexpected risks, however. Following is a look at the most common downsides to automation strategies IT leaders should be aware of.

The data access paradox

Providing employees with secure access to the information necessary to do their jobs is a top priority for enterprises. But sometimes automation can get in the way of that effort.

“While IT automation aims to streamline processes and improve efficiency, it can inadvertently create barriers to accessing high-quality, reliable data foundational for making informed business decisions,” says John Williams, executive director of enterprise data and advanced analytics at RaceTrac, an operator of convenience stores.

“This paradox underscores the complexity of automation in IT environments, where the benefits of streamlined processes must be balanced against the risks of fragmenting information access,” he says.

One significant risk of IT automation is the potential for reinforcing or creating new data silos within an organization, Williams says. “These silos occur when data is compartmentalized within different departments or systems, making it difficult or impossible for other parts of the organization to access or use that data effectively,” he says.

These silos can lead to operational challenges, including inconsistencies in data handling, inefficiencies in operational processes, and, ultimately, a negative impact on productivity and cost management.

RaceTrac implemented a data intelligence platform from Alation to centralize metadata scattered across the business and to make information easily searchable and more easily understood. “This enabled us to consolidate data sources into a single, definitive source of truth,” Williams says. “By doing so, we could ensure consistency in calculations, enhance reporting reliability, and, importantly, facilitate better-informed decision-making across the organization.”

New cybersecurity threats

Bad actors will look for any opportunity to exploit vulnerabilities, and IT automation initiatives can present some new avenues for penetration.

“Automated processes are inherently trusted, and this trust can be abused by a malicious actor,” says Jason Kichen, CISO at Tricentis, a global provider of continuous testing and quality engineering products. “An automated process usually needs to be provisioned with a trusted or privileged account, which unfortunately, a malicious actor can then take advantage of.”

When abused accounts are privileged, the activity is inherently trusted, Kichen says. “This means it’s likely not being closely monitored, and the automation can be a channel for malicious actors to achieve malicious things.”

One of the biggest hidden risks of IT automation is not securing the data used to train automated systems, says Kevin Miller, CTO, America, at enterprise software company IFS. “Taking it a step further, automated systems may have vulnerabilities that bad actors can exploit — even anomaly detection itself can be hacked,” he says.

This leaves companies susceptible to the automated propagation of threats, Miller says. “For instance, if an attacker gains control over an automated process, they can spread malicious code, software, or activities across the system much more quickly than in a non-automated environment,” he says.

This could lead to faster and more extensive damage before detection and remediation efforts can be initiated, Miller says. Companies must have full visibility and constant monitoring of systems to determine whether an anomaly is caused by a bad actor who can steal sensitive data about an asset, the company, or its customers.

Magnified data management issues

Data management can be a crucial part of IT automation, but it might not occur to teams when deploying tools to automate processes. This can lead to problems.

“Using stale data — whether it’s by seconds, minutes, hours, or days — to automate IT technologies is a lot like using old, non-current traffic data to summon an Uber,” says Erik Gaston, CIO of security company Tanium.

“It won’t work, and it’s not a good idea,” Gaston says. “Without real-time data, organizations are limited in what they can scale. To add to the risk factor, when organizations try to automate beyond what they can scale, it can break critical processes.”

Moreover, Gaston says, lack of real-time data when scaling automation can add to cybersecurity vulnerabilities. “When automation technology is not using real-time data, it can fail to detect a critical threat or zero day, which could result in a data breach going unnoticed long enough for the bad actors to exploit vulnerabilities and gain unauthorized access to systems or data,” he says.

To address such issues, RaceTrac’s Williams says the convenience store operator has in place a federated data governance strategy that provides a structured methodology for data management. “The cornerstone of this approach is ensuring that all data underpinning IT automation is thoroughly vetted, compliant with relevant regulations, and meets the highest quality standards,” he says.

A federated data governance strategy achieves a delicate balance between centralized governance controls and the flexibility of decentralized access, Williams says. “This methodology allows for top-down governance oversight while empowering users with the autonomy to self-serve,” he says.

This strategy enables organizations to “harness the full potential of IT automation, ensuring that their efforts are built on a foundation of solid data governance and are resilient in the face of evolving technology landscapes,” Williams says.

Complacency

Another risk is that tasks, once automated, are likely to not be reviewed by IT later.

“Complacency is a very real risk when it comes to IT automation,” Tricentis’ Kichen says. “When something works without much need for human intervention, it has the potential to be easily overlooked. IT teams may forget or ignore the underlying process steps, and this way of thinking leads to potential problems and risks that can easily arise undetected and unaddressed.”

One example is human resources off-boarding. “The potential of the process breaking down is very high and problems going undetected are common, as everyone tends to assume everything is working as intended,” Kichen says.

If the automation works and it doesn’t create obvious errors, IT teams might forget about it. “This means it doesn’t get periodically reviewed to see if prior security or IT assumptions remain true,” Kichen says.

At the time of its creation, those decisions were probably reasonable, Kichen says. “But over time, the underlying assumptions that drove those decisions change,” he says. “If IT teams don’t have a corresponding process to periodically review the automation and its implementation, they can get exposed to serious risks that may have been nonexistent when it was initially created, but are now there and relevant.”

The failure to monitor automation systems can extend to a failure to keep tabs on the marketplace. “In the intervening months or years, new vendors may appear that actually build a product that more securely and efficiently does the thing the team originally automated,” Kichen says. “If teams are not on the lookout for these advancements because their process in place works, then it won’t be until something bad happens that they begin to rethink their approach and realize that the technology and vendor landscape has advanced.”

Governance isn’t a given

It might sound like a contradiction, but IT needs to monitor and manage the flexibility and autonomy enabled by automation. Otherwise things can spiral out of control.

“Automation is ultimately a spectrum, meaning it is up to each organization to determine its individual risk tolerance and act accordingly,” Tanium’s Gaston says. “And while this flexibility can be beneficial, it necessitates careful planning, regular and real-time monitoring, and ongoing training for IT personnel to ensure they have the skills necessary to manage and troubleshoot automated systems.”

It’s also important to know the dependencies of any workflow that is automated, to maintain reliability and resilience. “This is especially important when it comes to dated legacy systems that often don’t do well with change and become more brittle with automation,” Gaston says.

One solution to controlling the use of automation is to create a governance program. “As with any emerging technology, regulations and standards continue to emerge regarding automation, and many organizations have yet to determine how to embrace automation in a manner that best aligns with business objectives,” Gaston says.

“Even as we automate using best-in-class platforms, it is imperative to look at workflows and processes and ensure the right guardrails, dependencies, and actions are in place,” Gaston says. “This ensures you can build a modern organization that reduces risk and moves IT from administration to innovation.”

Overdependence on automation

Is there such a thing as too much reliance on IT automation? Possibly, if it means a decline in other areas.

“Relying heavily on automation can lead to skills atrophy among IT staff, where manual troubleshooting and intervention skills may decline,” IFS’ Miller says. “This becomes a significant risk when automated systems encounter unexpected issues that require manual resolution.”

An overdependence on automation can also result in a loss of institutional knowledge about the intricacies of system operations specific to the business, Miller says, making it harder to adapt or innovate outside the automated processes.