The risks of spreadsheet complacency

05 Aug, 2021
Nigel Thorpe
Technical Director
Where would we be without our beloved Excel spreadsheets? Since Microsoft first launched its Excel spreadsheet software in 1985, it has grown to arguably become the most important computer program in workplaces globally. The spreadsheet has truly become entrenched in daily business processes as well as critical applications, but the million-dollar question is: are spreadsheets secure?

Unfortunately, when it comes to spreadsheet security, with popularity comes complacency. It's also common for spreadsheets to be kept on a laptop or shared via email or USB sticks, which puts security at risk.

Case in point - Excel security at risk

In 2020, Public Health England, an executive agency of the Department of Health and Social Care, used Excel spreadsheets to collect and collate thousands of COVID-19 test results. Unfortunately, in this case they used an outdated XLS format to import data which had a limit of 65,000 rows of data. This resulted in the loss of over 15,000 positive COVID-19 test results.

In another incident in 2019, the world’s largest asset manager, BlackRock, was found to have unintentionally shared a link to a spreadsheet which contained confidential information about their clients. The spreadsheets categorised advisors into groups, labelling them as either ‘dabblers’ or ‘power users’. While there was no financial information exposed in this incident, this data breach brought spreadsheet risk management into the spotlight.

Why aren't spreadsheets secure?

The problem is, data is usually secured and well managed when it’s held in business applications. But the reality is, people need to use data in ways that their normal business applications do not help with. For example, financial planning, business planning, ‘what if’ analysis, reports, presentations, and meeting notes are frequently produced by exporting data from the database, then processing it inside ad-hoc Excel spreadsheets. This means that once the data is exported, it is no longer controlled or secured. It doesn’t matter whether it’s stored on local hard disks, cloud storage or corporate file shares: it no longer has the security controls that were in place inside the business application.

So, if we can’t be sure of preventing unauthorised access to data that is held in spreadsheets from either a cyber attack, a disgruntled insider, or ransomware, we need to rethink the traditional 'castle and moat' methods of information protection.

Is full disk encryption able to protect Excel spreadsheets?

Full disk encryption will protect all data when it is at rest on a dormant hard disk or USB drive. This of course is great if you lose your device or USB drive, but it is of absolutely no use in protecting data against unauthorised access or theft from a running system – including an Excel program.

The inconvenient truth is, people need to be able to extract and analyse data locally, and particularly in the current pandemic, this is done on remote endpoints such as home PCs, laptops or tablets with local storage. What we’re suggesting is that data needs to be protected not only when it is at rest, but also in-transit and in-use. And it shouldn’t matter whether the data is being used on-site or in the cloud.

Data classification is putting spreadsheet data at risk

When it comes to spreadsheet data – as with any form of structured or unstructured data - deciding what’s the most important to protect is often cited as the most difficult challenge. When performing data classification, a business needs to take into account the risk and business impact analysis as well as regulatory requirements - not an easy task.

In fact, we advocate that the manual nature of data classification is impractical for most organisations. Sure, automation has helped to create search patterns and rules, but as the number of cyber attacks continues to rise, it’s evident that a large proportion of data is still being mis-classified.

The other question that looms is where do you set the bar when classifying what data is sensitive? Today, even seemingly trivial information can be useful to a cybercriminal.

A better way to protect spreadsheet data

The obvious answer is to protect everything, but unfortunately, the accepted norm has become to encrypt only what is considered the most important or sensitive data. This misconception is held because most encryption products add complexity, are costly, and negatively impact system performance and employee productivity. That’s where the SecureAge Security Suite is different.

With today’s technology and processing power, it is possible to deliver full data protection - including spreadsheet data - that is transparent to the end user and compatible with other existing software. This can be done without having to change any applications or decide what data is important - after all, ALL data is important.

By actively choosing to encrypt all data - whether it is stored, in-transit or in-use - we are finally designing security into the only thing which has value – the data itself. This way, the risk of spreadsheet complacency is avoided as any files that are lost or stolen remain protected and useless to a thief.
