Are your spreadsheets a security risk?

I recently wrote an article exploring some key areas where spreadsheets are holding back your business and your team. This article further elaborates on the limitations and risks that come with leveraging spreadsheets in your business.

Spreadsheets might not be first to mind when you think cybersecurity, but with many businesses using them for critical information and key processes - proper consideration must be put into how they are stored, accessed, and worked into your overall security and compliance plans.

Companies of all sizes are increasingly being forced to spend time and money on their cybersecurity and to implement policies and tools for new compliance and regulations aimed at protecting personal information, financial data and more.

When it comes to evaluating how this applies to spreadsheets it expands far beyond the documents themselves to aspects like how they are stored, accessed, shared and communicated, backed up and more. With countless ways to approach each of those factors, there are a number of ways things can go awry.

Points of failure

As mentioned above, to properly consider the security and compliance implications of your spreadsheet use, we have to look outside the documents themselves. Below are some of the most common components and some things to consider as you review them.

Storage

When it comes to where your spreadsheets reside, most businesses fall into one of three methods. 

The first is local storage. They have Excel (or similar software) installed on their local machines and store documents directly on their computers, or on local servers - usually via “shared drives”. While there may be a perception that this is “secure” because it’s not stored online - it ultimately comes down to the security of your local environment. That involves a larger review into your network security, the security of your endpoints and the security practices, or “hygiene”, of your team. 

Next up is cloud storage. In this case, we’re still looking at  Excel files or similar, but they are stored in web-based shared drives like Microsoft OneDrive, Google Drive, Dropbox, or one of the many similar services available. Some of these services invest significant resources into security and compliance and I would encourage a thorough review of your specific service’s information to determine if it’s adequate for your specific business requirements. For example, your business may fall under a compliance requirement to store only domestically - and many of these cloud services leverage infrastructure based in the USA - which could be a violation. There is no one-size-fits-all when it comes to cloud storage and how it aligns with security and compliance, but with so many options available - it’s promising with a little legwork.

Lastly, many businesses have moved to browser-based spreadsheets via hosted solutions like Google Docs (GSuite) or Office365. These businesses, much like those using enterprise-grade cloud storage, are benefiting from the ever-evolving, and substantial, security measures that Google or Microsoft have put in place. Much the same as the previous scenario, it comes down to your specific requirements and ensuring the solution you’ve adopted meets them. 

With any of the above storage scenarios, or any other method that may be used, just be sure to consider the security of the infrastructure, the implications of its physical location, and the security of how it’s accessed.

Access

Statistically, when we look at malicious attacks versus human error - the numbers aren’t as far apart as you think. In a report by the OAIC (Office of the Australian Information Commissioner), 37% of total breaches reported were caused by human error compared to 57% being driven by criminal or malicious activity.

So, even if your storage is up to par - we have to consider how your documents are accessed, and that can be a bit trickier.

When it comes to physical access, we’re looking at network security for local networks, email security for cases where files are emailed back and forth between parties, and any external systems set to access the same “repositories” where your spreadsheets are housed. 

Outside of physical access, we need to look at how your users are accessing your documents. This goes full circle back to the human component and you may have a variety of different user types - both internal and external.

We’ve all received an email in error at one point or another, to be quickly followed up with a frantic “please delete”. In a 2008 survey, 32% of participants admitted to accidentally emailing the wrong person. A more recent study found that 78% had made the same mistake, and in a UK poll, 70% of a 2,000-person poll admitted to sending an email or text to someone other than intended. 

Most recently, an interesting report from the Office of the Australian Information Commissioner showed that 12% of all data breaches in the reporting period were caused by sending information to the wrong email recipient. The second most common cause was the unintended release or publication of a document. 

These types of issues span far outside of spreadsheets and hammer home the need for businesses to look at reducing manual data entry and to find ways to better control and review their data. User error is a massively preventable component of cybersecurity that isn’t always adequately explored. 

All this in mind, it points to one of the biggest issues with spreadsheets - access control. Taking measures to sidestep some of these types of issues is challenging, as there just aren’t many options available spreadsheet-specific to resolve them. When considering local networks, we have to consider downloading to USB drives, uploading to unauthorized third party accounts, emailing to external parties not privy to the data, and so on. While there are some basic measures that can, and should, be taken - it’s not nearly enough.

Worksheet/workbook passwords, cell locking, macro protection and hiding formulas are nearly the extent of the security put in place - and can all be easily broken. Programs built to crack and unprotect files are plentiful online and anyone with access can easily copy all of our data, formulas and other information to other files if granted access in the first place. Even those taking additional encryption measures and VBA macro code passwords are thwarted as these are easy to crack (and well documented). 

All of these measures also only move to deter the user who shouldn’t have access and doesn’t consider those who are granted it. Those who have access, have limitless and unmonitored access to the entirety of your file and are free to do it with it as they please. Even if we throw aside the prospect of that access being abused for malicious intent - consider the issues with the files data integrity and the lack of editing trail and accountability and how that plays back into the core issues with spreadsheets we reviewed in my previous article.

Beyond the limited (and easily bypassed) methods available for securing the file itself, we also have to consider that we cannot tailor the data to different user types and thereby have to “accept” that users be given the whole picture instead of only the data that’s pertinent to them. Sharing controls are virtually non-existent, you either have access or you don’t.

Lastly, controlling any measures for access control and restrictions is made significantly more cumbersome when you consider the number of spreadsheets and users that often exist.

Communication

Closely related to access is communication - essentially how files are shared between users.

When it comes to communication, emailing a file comes with another set of security concerns surrounding the email security itself and how data is physically transmitted. Companies need to evaluate their specific methods for doing so, and again cross-reference that with any compliance measures they need to be taking. As we explored in the access section, emailing files also doesn’t allow for a “clawback” of information (back to the previous statistic on sending to the wrong parties). While there are some measures that can be taken, once you send a copy to someone, it’s theirs to keep, copy, edit and do with as they wish - and this can be a major issue when dealing with data retention policies and general file custody. 

In companies with remote workers and BYOD (bring your own device) policies, extensive policies have to be written and implemented to address this issue, costing time and money, and still not necessarily covering all of their bases.

External Factors

Commonly, spreadsheets are imported and exported for systems - from inventory systems to e-commerce solutions, financial systems - the applications are nearly limitless. While the exporting of data somewhat limits considerations to the security involved in doing so, importing data invites new considerations in the integrity of those external systems.

Spreadsheets sent via email for automated importing pushed to FTP servers for import/export, or extended with add-ins and connections are all subject to a full series of considerations from platform and communication security to even malicious code and more.

Compliance

Hand-in-hand with security is compliance, which we’ve touched on in a few points above.

Companies are increasingly becoming subject to different types of compliance, such as HIPAA and PIPEDA to name a couple specific to personal information. Depending on how these companies are storing, accessing and communicating their spreadsheets - they may or may not be in compliance with those acts, exposing them to liability.

Even if the spreadsheet itself is “compliant” - how it is stored and/or sent may not be. Enterprise solutions like Microsoft Office 365 have taken steps towards many of these types of compliance, but many organizations use other solutions, online backup applications, etc.

Again in considering limitations, some of these types of compliance call for specific data handling and retention rules - items which are extremely difficult to enforce in multi-user environments - either putting the organization at risk of non-compliance or severely limiting the avenues they can explore in granting access to files in the first place.

Striving for security

When it comes to taking steps towards increased security or conforming to compliance requirements, it’s important to start with a thorough review. Consider how your documents are being used today and whether or not a spreadsheet is the best application based on the factors explored above.

Circling back to the earlier report from the OAIC, it was suggested that business leaders evaluate more intuitive systems, tighten their system processes and restrict data access - some of which are difficult, or not possible, to achieve using spreadsheets alone.

In my previous article, I offered some suggestions both for how to take better steps for spreadsheets that need to remain in place, and some considerations for alternatives if it’s time to move away from them.

If you’re looking for help identifying areas of your business that could benefit from moving away from spreadsheets, and strategies for doing so, I’m on a mission to help brands do exactly that.