Automation systems are becoming an integral part of business processes in many companies. Read the article and learn what to look out for and how to ensure data security in your organization when implementing business process automation.
The security of automation systems requires more than just basic security
Business process automation (BPA) and artificial intelligence (AI) are changing the way businesses operate, accelerating routine tasks, optimizing processes, and increasing employee efficiency. However, in a world where data is a key asset and cyber attacks are becoming more advanced, implementing automation can just as easily expose your business to unwanted effects. Standard data security measures, such as encrypting information or managing passwords properly, are not enough on their own. Companies need an approach that takes into account both the complexity of modern threats and their possible impact on automation systems, which by their nature pass large amounts of sensitive data between systems.
So how to effectively secure automated processes?
Secure automation takes into account technology, human factors and legal regulations, including the GDPR, which governs how personal data may flow between systems. Data protection is a complex subject, and any mistake in this area can make your company liable, for example through financial penalties.
Below we present six solutions, illustrated with real examples (including from our own projects), that show how you can effectively secure your company's data and processes.
1. Data protection in AI models: educating employees and managing access to personal data
We will start with the most requested automation of recent months: automation with AI. More and more companies come to us to implement this kind of process improvement, and fortunately many of them are aware of the potential risks. Awareness alone, however, is usually not enough. It does not help much if you, as a manager, know the rules for processing personal data and when and how it may be used, while less informed employees have access to the same data. Where an organization has not addressed data protection, confidential information often ends up in LLMs (large language models such as ChatGPT) precisely through employees who paste it in to make their own work easier. The first step towards effective data protection in a company should therefore be proper information access management, together with digital security training for employees.
The right data processing policies remove a large part of the risk of using AI. If you then decide to process personal data within an automation and want to hand some of it over to an external system, stop for a moment and work out a data protection strategy before taking any action. Below is an example of how we ensured data security in a client's process:
Problem: one of our clients planned to use AI to create commercial offers automatically. The system's goal was to analyze existing documentation and previous correspondence with customers in order to prepare price proposals faster. There were, however, legitimate concerns about data security: the documents contained customers' personal data, confidential information about how prices were calculated, and the rates themselves, which constituted the company's key know-how. In the case of AI, traditional safeguards such as data encryption are not enough: the risk also includes attacks specific to AI models, such as manipulating training data to disrupt the model's operation (data poisoning) or leaking information that the model has "remembered" and may reveal in response to other, external queries. It was therefore necessary to design additional protections that take these new threats into account, not just classic cyberattacks.
Solution: we designed a process in which the role of AI is deliberately limited. The AI only extracts key information from documents and correspondence and feeds it to a dedicated, secure pricing algorithm. Personal data is automatically anonymized before anything is sent to the model (identifying fields are removed or replaced so that the model cannot link the content to a person), and the model runs on private infrastructure, isolated from public clouds, so the client remains the sole data controller. This minimized the risk of leakage and kept full control over the information processed.
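One way to build the "replace identifiers before the model sees the text" step is a pseudonymisation layer with a locally held mapping, shown here as an added example (not Sagiton's code and not the client's system). The customer list, the regexes, the sample correspondence and the stand-in model function are all constructed assumptions. One caveat a practitioner should keep in mind: because the mapping back to real identities is retained, the GDPR treats this output as pseudonymised rather than anonymised, which is exactly why the vault must stay on the client's own infrastructure.

```python
"""Pseudonymisation layer between internal documents and an external model.

Added example (not Sagiton's code). Assumptions: the automation has a CRM export
of known customer names, e-mails/phones/IBANs are found by regex, and the
external model is a stand-in function. The placeholder vault stays on the
client's own infrastructure; because the mapping is kept, GDPR treats the
output as pseudonymised, not anonymised.
"""
import re
from dataclasses import dataclass, field

# Constructed CRM export (assumption: names are matched by lookup, not by NER).
KNOWN_CUSTOMERS = ["Jan Kowalski", "Anna Nowak"]

# Order matters: IBAN first, so its digit run is not later mis-tagged as a phone.
PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[0-9A-Z]{4}){3,7}\b")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"(?:\+\d{1,3}[ -]?)?(?:\d[ -]?){8,12}\d")),
]


@dataclass
class Vault:
    """placeholder <-> original value; never sent to the model."""
    forward: dict = field(default_factory=dict)
    reverse: dict = field(default_factory=dict)

    def placeholder(self, kind: str, value: str) -> str:
        if value not in self.forward:
            ph = f"<{kind}_{len(self.reverse) + 1}>"
            self.forward[value] = ph
            self.reverse[ph] = value
        return self.forward[value]


def pseudonymise(text: str, vault: Vault) -> str:
    """Replace customer names and regex-detected identifiers with stable placeholders."""
    for name in sorted(KNOWN_CUSTOMERS, key=len, reverse=True):
        if name in text:
            text = text.replace(name, vault.placeholder("PERSON", name))
    for kind, rx in PATTERNS:
        text = rx.sub(lambda m, k=kind: vault.placeholder(k, m.group(0)), text)
    return text


def reidentify(text: str, vault: Vault) -> str:
    """Restore real values in the model's output; runs locally, after the model call."""
    for ph, value in vault.reverse.items():
        text = text.replace(ph, value)
    return text


def external_model(prompt: str) -> str:
    """Stand-in for the LLM call (assumption). It must never see raw identifiers."""
    if any(rx.search(prompt) for _, rx in PATTERNS) or any(n in prompt for n in KNOWN_CUSTOMERS):
        raise RuntimeError("raw personal data reached the model boundary")
    return "Extracted pricing inputs: " + prompt


def extract_for_pricing(document: str) -> tuple:
    """Round trip: pseudonymise -> model -> re-identify. Returns (what the model saw, final text)."""
    vault = Vault()
    prompt = pseudonymise(document, vault)
    return prompt, reidentify(external_model(prompt), vault)


# Constructed sample correspondence.
SAMPLE = ("Correspondence with Jan Kowalski (jan.kowalski@example.com, +48 600 123 456): "
          "agreed rate 450 PLN/h, invoices paid from IBAN PL61 1090 1014 0000 0712 1981 2874.")

if __name__ == "__main__":
    seen, final = extract_for_pricing(SAMPLE)
    print("model saw:", seen)
    print("final    :", final)
```

The guard inside `external_model` is the check worth keeping in a real deployment: it fails closed if any raw identifier survives the replacement step, which is how a regex gap gets noticed before the data has left the building.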
2. Access control: who may initiate, approve and perform which operations
In addition to managing access to data, security in automation must also cover control of the actions performed. Not every employee should be able to initiate processes, approve actions or perform every available operation. Permissions should be granted so that a user can perform only the steps required by their duties, without access to functions they do not need. This precisely limits the scope for both mistakes and abuse. Read how we provided access control when implementing an automation for our client:
Problem: a service company wanted to automate lead management in its sales department so that salespeople would not have to log into the CRM system every time they wanted to make even a minor change. We decided to integrate the CRM with the company's internal messenger, Slack, so that salespeople could handle all leads from within Slack using commands. The challenge? Not every employee should have the right to assign or remove leads. Without precise access control, errors such as the removal of a valuable lead by an unauthorized person became possible.
Solution: we implemented an access control mechanism that clearly defined who could perform which operation; for example, only managers could assign leads and only selected users could delete them. In addition, we introduced logging of all actions, which made it possible to trace who took which action and when. This gave the company full control over the process and minimized the risk of unauthorized actions.
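The following is an added example of such a command handler (not Sagiton's implementation): a deny-by-default permission matrix, an append-only audit record, and, before any of that, verification of the request's origin using Slack's documented request signing (v0=HMAC-SHA256 over "v0:<timestamp>:<body>"), since a user ID in an unverified payload can be forged by anyone who can reach the endpoint. The roles, user IDs, commands and lead records are constructed assumptions.

```python
"""Authorisation and audit trail for a Slack-driven lead workflow.

Added example (not Sagiton's implementation). Assumptions: role membership
comes from a directory (here a constructed dict), the permission matrix is
illustrative, and requests are validated with Slack's documented request
signing before the user ID in the payload is trusted at all.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Deny by default: a command missing here can be run by nobody.
PERMISSIONS = {
    "lead.view": {"sales", "manager", "admin"},
    "lead.update": {"sales", "manager", "admin"},
    "lead.assign": {"manager", "admin"},
    "lead.delete": {"admin"},
}
# Constructed directory; in practice taken from IdP/SSO group membership.
ROLES = {"U_ALICE": "manager", "U_BOB": "sales", "U_CAROL": "admin"}


def sign_request(signing_secret: str, timestamp: str, body: str) -> str:
    """Signature Slack sends as X-Slack-Signature (also used here to build test requests)."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_request(signing_secret: str, timestamp: str, body: str, signature: str,
                   now: int, max_age: int = 300) -> bool:
    """Reject stale (replayed) requests, then compare signatures in constant time."""
    if abs(now - int(timestamp)) > max_age:
        return False
    return hmac.compare_digest(sign_request(signing_secret, timestamp, body), signature)


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    action: str
    target: str
    outcome: str


class LeadCommands:
    def __init__(self) -> None:
        self.audit: list = []          # append-only; ship to a log store in production
        self.leads = {"L-1": {"owner": None}, "L-2": {"owner": "U_BOB"}}   # constructed CRM state

    def _record(self, user: str, action: str, target: str, outcome: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user, action, target, outcome))

    def handle(self, user_id: str, command: str, lead_id: str, arg: Optional[str] = None) -> str:
        role = ROLES.get(user_id)
        allowed = PERMISSIONS.get(command, set())       # unknown command -> nobody
        if role not in allowed:
            self._record(user_id, command, lead_id, "denied")
            return f"denied: {command} requires role in {sorted(allowed)}"
        if lead_id not in self.leads:
            self._record(user_id, command, lead_id, "not_found")
            return f"no such lead {lead_id}"
        if command == "lead.assign":
            self.leads[lead_id]["owner"] = arg
        elif command == "lead.delete":
            del self.leads[lead_id]
        elif command == "lead.update":
            self.leads[lead_id]["note"] = arg
        self._record(user_id, command, lead_id, "ok")
        return "ok"
```

Denied attempts are logged with the same detail as successful ones; a cluster of "denied" events for one user is usually the first sign that a token has been shared or a script is probing what it is allowed to do.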
Are you looking for an automation agency that will take care of cybersecurity in the solutions it implements? Contact us: with Sagiton your processes will be properly secured!
3. Acceptance Mechanisms: Human Verification in Automation
Many companies are afraid to implement automation because they fear losing control over their processes. To some extent this is a legitimate concern: putting internal procedures entirely "in the hands" of automation systems can be dangerous. That is why, as an automation agency, we always anticipate potential risks and agree human acceptance mechanisms with the client. What does that mean? Even if a process is fully automated, at crucial moments it can be paused and handed over for human approval. This lets you keep control over the most important decisions, for example to verify the correctness of data, to confirm compliance with procedures, or to assess exceptional situations that require human judgment. We also build automations that wait for an employee's verification by design, e.g. the manager's acceptance of working time before the settlements are sent to HR. Automation then genuinely speeds up the work without taking supervision of the process away from the company.
Problem: a construction company struggled with lost cost invoices and delays in approving them. We implemented automatic scanning of managers' mailboxes and OCR of receipt images, but this created a phishing risk: a fake invoice could be accepted and posted in error.
Solution: we introduced an invoice acceptance mechanism in Slack, where the manager or supervisor confirms a document with an "accept" or "reject" button. We also automated reminder notifications about documents awaiting verification, which sped up the process and minimized the risk of fraud (so-called invoice scams).
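An approval step only protects against invoice fraud if the approver sees the signals that distinguish a forged invoice from a real one and if the "accept" click itself cannot be forged. The added example below (not Sagiton's workflow) shows such a gate: extracted invoice fields are compared with vendor master data, the anomalies are put in the message next to the buttons, each pending approval gets an unguessable token, and a decision can only be taken once and only by a listed approver. The vendor records, approver list and invoices are constructed assumptions; the button handler is assumed to have already verified the request signature.

```python
"""Human approval gate for OCR-extracted invoices, with the checks an approver needs to see.

Added example (not Sagiton's workflow). Assumptions: vendor master data and the
approver list are constructed; ApprovalQueue.decide is what the Slack
accept/reject button handler calls after the request signature has been verified.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master data: the bank account and sender domain we have on file.
VENDOR_MASTER = {
    "ACME Sp. z o.o.": {"iban": "PL61109010140000071219812874", "domain": "acme.example"},
}
APPROVERS = {"U_ALICE", "U_DAVE"}


@dataclass(frozen=True)
class Invoice:
    number: str
    vendor: str
    iban: str
    amount: float
    sender_email: str


def risk_flags(inv: Invoice) -> List[str]:
    """Signals of invoice fraud: unknown vendor, changed bank account, look-alike sender domain."""
    known = VENDOR_MASTER.get(inv.vendor)
    if known is None:
        return ["vendor not in master data"]
    flags = []
    if inv.iban.replace(" ", "") != known["iban"]:
        flags.append("bank account differs from the one on file")
    if inv.sender_email.rsplit("@", 1)[-1].lower() != known["domain"]:
        flags.append("sent from a domain not registered for this vendor")
    return flags


@dataclass
class Approval:
    invoice: Invoice
    flags: List[str]
    status: str = "pending"
    decided_by: Optional[str] = None
    # Unguessable id carried in the button payload, so a click cannot be forged
    # by someone who merely knows the invoice number.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ApprovalQueue:
    def __init__(self) -> None:
        self.pending: Dict[str, Approval] = {}
        self.posted: List[Invoice] = []

    def submit(self, inv: Invoice) -> Approval:
        a = Approval(inv, risk_flags(inv))
        self.pending[a.token] = a
        return a

    def message(self, a: Approval) -> str:
        """Text shown next to the accept/reject buttons."""
        lines = [f"Invoice {a.invoice.number} from {a.invoice.vendor}: {a.invoice.amount:.2f}"]
        lines += [f":warning: {f}" for f in a.flags] or ["no anomalies detected"]
        return "\n".join(lines)

    def decide(self, token: str, user: str, decision: str) -> str:
        a = self.pending.get(token)
        if a is None:
            return "unknown or already decided"       # a second click is a no-op
        if user not in APPROVERS:
            return "not an approver"
        if decision not in ("accept", "reject"):
            return "invalid decision"
        a.status, a.decided_by = decision, user
        del self.pending[token]
        if decision == "accept":
            self.posted.append(a.invoice)
        return decision
```

Only invoices that pass through `decide` with "accept" reach `posted`, so the OCR pipeline never has a path to the accounting system that bypasses a named human.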
4. Monitoring, alarm systems and encryption: continuous background protection
Perhaps one of the biggest mistakes we can make when implementing automation is to forget that the system we have created needs testing and periodic review. This applies both to whether the automation works correctly and achieves its intended goals, and to information security. What use is an improvement that saves the sales department's budget if an unnoticed system failure leads to a high fine for violating the GDPR? We cannot implement an automation and then forget about it because it is making money. If the system is not monitored on a daily basis, we may be unpleasantly surprised when a security incident actually occurs. For this reason, at Sagiton we offer our clients not only automated system monitoring but also post-implementation support: a period during which our team remains at the client's disposal to react to any errors in the system. Below is an example of our implementation of continuous data security monitoring:
Problem: a technology company had automated its logistics processes but feared that vulnerabilities in the system could allow unauthorized access. An earlier incident, in which an attack on the API went unnoticed and compromised customer data, had shown that data encryption alone is not enough.
Solution: we implemented continuous security monitoring that watches the traffic in the system, detects suspicious activity (e.g. API requests that are atypical for the organization) and immediately notifies administrators. We secured the API connections with end-to-end encryption and carried out penetration testing following OWASP guidelines to identify and fix vulnerabilities that could lead to a data breach.
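What "API requests that are atypical for the organization" can mean in code is illustrated by the added example below (not the monitoring system Sagiton deployed). It learns which endpoints each API client normally calls from a known-good window, then runs three rules over later log lines: a burst of 401/403 responses, a client calling an endpoint outside its baseline, and enumeration of resource IDs that mostly return 404. The JSON log format, client names, paths and thresholds are constructed assumptions.

```python
"""Rule-based detection over API access logs.

Added example (not the monitoring system Sagiton deployed). Assumptions: one
JSON object per log line with client, method, path and status fields; the
per-client endpoint baseline is learned from a known-good period; thresholds
are illustrative.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set


def normalise(path: str) -> str:
    """Collapse resource ids so /api/shipments/42 and /api/shipments/43 are one endpoint."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def learn_baseline(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Which endpoints each client normally calls, from a known-good window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        e = json.loads(raw)
        baseline[e["client"]].add(f'{e["method"]} {normalise(e["path"])}')
    return baseline


def analyse(lines: Iterable[str], baseline: Dict[str, Set[str]],
            auth_fail_threshold: int = 5, enum_threshold: int = 8) -> List[dict]:
    auth_fail: Counter = Counter()
    new_endpoints: Dict[str, Set[str]] = defaultdict(set)
    probed_ids: Dict[tuple, Set[str]] = defaultdict(set)
    for raw in lines:
        e = json.loads(raw)
        client, ep = e["client"], f'{e["method"]} {normalise(e["path"])}'
        if e["status"] in (401, 403):
            auth_fail[client] += 1
        if client in baseline and ep not in baseline[client]:
            new_endpoints[client].add(ep)
        if e["status"] == 404 and ep.endswith("{id}"):
            probed_ids[(client, ep)].add(e["path"])
    alerts = []
    for client, n in auth_fail.items():
        if n >= auth_fail_threshold:
            alerts.append({"rule": "auth_failure_burst", "client": client,
                           "detail": f"{n} 401/403 responses"})
    for client, eps in new_endpoints.items():
        alerts.append({"rule": "endpoint_outside_baseline", "client": client,
                       "detail": ", ".join(sorted(eps))})
    for (client, ep), paths in probed_ids.items():
        if len(paths) >= enum_threshold:
            alerts.append({"rule": "id_enumeration", "client": client,
                           "detail": f"{len(paths)} distinct missing ids on {ep}"})
    return alerts


def _line(client: str, method: str, path: str, status: int) -> str:
    """Builds one constructed log line."""
    return json.dumps({"client": client, "method": method, "path": path, "status": status})


# Constructed known-good traffic: the web app reads shipments, the ERP creates them.
BASELINE_LINES = ([_line("key_web", "GET", f"/api/shipments/{i}", 200) for i in range(1, 6)]
                  + [_line("key_erp", "POST", "/api/shipments", 201)])

# Constructed later traffic: normal reads, then an admin-endpoint probe and an id sweep.
SUSPICIOUS_LINES = (
    [_line("key_web", "GET", f"/api/shipments/{i}", 200) for i in range(6, 9)]
    + [_line("key_web", "GET", "/api/admin/export", 403)] * 6
    + [_line("key_erp", "GET", f"/api/customers/{i}", 404) for i in range(100, 112)]
)

if __name__ == "__main__":
    for alert in analyse(SUSPICIOUS_LINES, learn_baseline(BASELINE_LINES)):
        print(alert)
```

The baseline is the part that makes the rules specific to the organization: a call that is routine for one client is an alert for another, which is what generic rate limiting cannot express.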
5. Compliance with the GDPR: Technical approach to the regulation of the processing of personal data
A key challenge in implementing automation is compliance with personal data protection regulations, including the GDPR. As noted above, internal processes often handle large amounts of customer or employee data, which requires both properly secured data management systems and clearly defined data access rules. In practice, this means that when designing an automation you must identify which data is really necessary for the task, anonymize it where possible, or limit the scope of its processing. Automation then not only improves processes but also supports compliance with data regulations such as the GDPR and minimizes the risk of violations.
Problem: a training company planned to automate its platform to simplify customer service and speed up access to materials, but the analysis revealed serious GDPR violations. Photos of employees published on the platform contained location data in their EXIF metadata (hidden information saved automatically by a camera or phone) that could reveal where the photo was taken. In addition, the platform's API returned more personal information than necessary, such as email addresses and phone numbers, in situations where only names were needed. This violated the principle of data protection by default (GDPR Article 25), which requires that, by default, only the personal data necessary for a given purpose is processed.
Solution: we implemented a mechanism that removes EXIF data when photos are uploaded and changed the API to return only the fields that are needed. This ensured GDPR compliance at the technical level, going beyond the standard legal review.
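Both fixes can be done in a few dozen lines and without third-party libraries; the added example below (not Sagiton's implementation) walks the JPEG marker segments and drops the ones that carry metadata but no pixel data, and filters API records through a per-audience allow-list. A point the page's EXIF wording does not cover but a practitioner would check: location can also sit in XMP (also an APP1 segment) and IPTC (APP13), so the stripper removes those as well. The sample JPEG is a constructed byte string with a valid segment layout rather than a decodable picture, and the allow-lists are assumptions.

```python
"""Strip location-bearing metadata from uploaded JPEGs and minimise API responses.

Added example (not Sagiton's implementation). The segment walk follows the
JPEG/JFIF marker layout; SAMPLE_JPEG is a constructed byte string with a valid
segment structure (not a decodable picture). The metadata marker set and the
field allow-lists are assumptions.
"""
from typing import Dict, List

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that hold no pixel data but may hold location: APP1 (Exif and XMP),
# APP13 (Photoshop/IPTC) and COM. APP0 (JFIF) and APP2 (ICC) are kept: they
# affect rendering and carry no location.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}   # RSTn and TEM markers have no length field


def strip_metadata(data: bytes) -> bytes:
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG")
    out = bytearray(data[:2])
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == EOI:
            out += data[i:i + 2]
            break
        if marker == SOS:
            # Entropy-coded image data follows; it cannot carry metadata, copy verbatim.
            out += data[i:]
            break
        if marker in STANDALONE:
            out += data[i:i + 2]
            i += 2
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if length < 2 or i + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        if marker not in METADATA_MARKERS:
            out += data[i:i + 2 + length]
        i += 2 + length
    return bytes(out)


def markers(data: bytes) -> List[int]:
    """Marker codes in order, up to and including SOS (for inspection and tests)."""
    found, i = [], 2
    while i + 1 < len(data):
        m = data[i + 1]
        found.append(m)
        if m in (SOS, EOI):
            break
        i += 2 if m in STANDALONE else 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return found


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed upload: JFIF header, an Exif block with a GPS-looking payload, a
# comment, a quantisation table stub, then SOS + a few entropy bytes and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08GPSLatitude 52.23N")
    + _seg(0xFE, b"shot at the Warsaw office")
    + _seg(0xDB, bytes(65))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)

# Response minimisation: per-audience allow-lists, deny by default.
ALLOWED_FIELDS: Dict[str, set] = {
    "public": {"id", "name", "role"},
    "admin": {"id", "name", "role", "email", "phone"},
}


def public_view(record: Dict, audience: str = "public") -> Dict:
    """Return only the fields this audience is entitled to see."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS.get(audience, set())}
```

Run `strip_metadata` on every upload before the file is stored, not only before it is served; once the original with its GPS tags is on disk, a backup or a direct storage link can leak it regardless of what the API returns.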
6. Password security: implementing SSO and 2FA in automation
Finally, the most basic safeguards found in any security policy: SSO and 2FA. What exactly are they? SSO (Single Sign-On) is a mechanism that lets a user log in once and access multiple systems without entering a password again (this is how logging in to Google Workspace works, for example). It reduces the number of passwords to remember and so reduces the temptation to reuse them in different places. 2FA (Two-Factor Authentication) adds a second stage of identity verification, such as a code from an authenticator app, an in-app notification or an SMS code, which makes unauthorized access difficult even when the password is known. SMS is the weakest of these, since the code can be intercepted through SIM swapping; an authenticator app or hardware key is preferable. Combining SSO and 2FA raises both user convenience and the level of security.
Problem: a high-profile theft of funds from the XTB platform showed how dangerous it is to use the same password on different systems. The user lost $150,000 because the password had leaked from another platform and the attackers used it to log in (so-called credential stuffing). In business automation, the same problem arises with shared access to tools such as newsletter senders, where employees use weak or reused passwords.
Solution: to avoid such situations in automation, implement single sign-on (SSO) using the SAML 2.0 or OAuth 2.0 protocols, which centralizes access management and removes the need to enter passwords in multiple places. In addition, use two-factor authentication (2FA), preferably based on TOTP (time-based one-time codes generated locally in an authenticator app from a secret shared at enrolment), or, less securely, codes delivered by SMS or chat message, together with a password manager (e.g. Bitwarden) that enforces strong, unique passwords. Where an automation still needs credentials of its own, generate them automatically (long random values stored in the password manager's vault) rather than letting people choose them; this removes human error and guarantees that each password is unique.
Automation vs. Cybersecurity — Secure Automation Requires Knowledge and Experience
Business process automation and AI are tools that can significantly accelerate a company's growth, but only if they are implemented with cybersecurity in mind. As the examples above show, standard measures such as encryption or simple password management are not enough on their own against modern threats, from phishing to GDPR violations. What is needed is an approach that combines technology, precise control mechanisms and human verification.
That is why, when choosing an automation agency to which you entrust your internal processes, it is so important to look at its cybersecurity experience.
At Sagiton Automation, the security of automation systems is our top priority. We not only make sure that the improvements we implement are secure; where necessary, we also run additional tests to verify the effectiveness of data protection in our implementations.
Before you decide on automation, ask yourself: is your system prepared to withstand attacks? Are customer data and company know-how safe? Working with an automation team that knows both the technology and cybersecurity will make automation an asset rather than a source of risk.
Keep your business data secure — automate processes with Sagiton
At Sagiton, security in automation is our top priority. As a company with its own brand specializing in cybersecurity, we can offer our customers comprehensive data protection at every stage of the automation process. Working with us, you work directly with industry experts, so you take care of security in process automation and minimize potential risks.