Infosec pros wake up to Excel spreadsheet security risks

By Ron Condon, U.K. Bureau Chief
10 Jul 2009 | SearchSecurity.co.uk


Threats posed by viruses, Trojans and unencrypted USB sticks are all well known, but leading security professionals are now turning their attention to a growing danger inside organisations -- poorly managed Excel spreadsheets.

A recent poll by the Information Security Forum (ISF), a user-based group made up of about 300 major corporations from around the world, found that many respondents had, for the first time, identified user-developed applications, especially spreadsheets, among the top 10 most serious threats they expect to face by 2011. The 200 responses received by the forum were from CISOs or equivalent-level executives.

Mark Chaplin, a senior research consultant with ISF, said Excel spreadsheet security problems arise because spreadsheets tend to grow over time, but they are not subject to the same controls and disciplines as properly managed IT projects. Designed initially as personal productivity tools, programs such as Microsoft Excel have mushroomed within organisations and are now used to support critical parts of the business and key decisions, he said.

"Spreadsheets may often start off as just a list for storing information and then they grow up," Chaplin said. "They are not developed in a proper way, and there is no proper documentation or training, or maintenance and support. You don't realise there is a problem until something goes wrong."

The dangers of trusting in spreadsheets have been documented over many years. The European Spreadsheet Risks Interest Group (Eusprig), an independent organization, displays on its website a long list of disasters and mishaps that have been caused by poorly written spreadsheets. Professor Ray Panko at the University of Hawaii has also spent many years analysing the problem.

But as Chaplin conceded, spreadsheet security has not been recognised as an enterprise security problem. "From an information security perspective, this is still uncharted territory," he said. "It doesn't appear on the radar of senior management."

He added that in his research among ISF members and other organisations, he found that desktop applications such as Microsoft Office were generally included in the standard configuration of users' PCs. "More than 75% of people say that spreadsheets are included in the default configuration of their desktops. And yet there is very little training provided for these applications," he said.

"People start by doing a few calculations, but slowly their spreadsheets grow and they start making critical decisions based on them. Then they start linking spreadsheets together, and you end up with a network of spreadsheets that organisations begin to rely on. In the U.S., organisations like Freddie Mac and Fannie Mae were being run on huge spreadsheets. They had thousands of spreadsheets that were all interlinked."

The situation is no better in Europe. For instance, after identifying pricing errors from a small number of traders, the Financial Services Authority slapped a £5.6m fine on Credit Suisse Group in August 2008 for "failing to conduct their business with due skill, care and diligence and failing to organise and control their business effectively."

According to Grenville Croll, chairman of Eusprig, those errors were due to problems with spreadsheets that supported the trading of complex financial instruments, such as CDOs (collateralised debt obligations).

"Some of the stories we've heard from the regulator over the years are enough to make your toes curl," he said. "Some institutions are beginning to realise they have a problem, but nobody senior in most of the banks has the faintest idea of how dependent they are on spreadsheets."

Croll said spreadsheets suffer from a range of problems. Several research studies have found that up to 70% of spreadsheets contain errors that would result in serious miscalculations. Furthermore, they tend to operate outside the scope of the information security department, and so can be freely copied without proper controls. "It's a house of cards," he said.

And as Chaplin added, while most companies apply good practice within their ERP environment with identity and access management and segregation of roles, that discipline is lost once data is exported to a spreadsheet. "If you allow the user to export that information to their desktop, which then goes into a spreadsheet that may modify the data, then you have lost the integrity you had in the enterprise application. If the user can upload the information back into the enterprise application, then you've got a problem. You introduce risk, and the loss of data integrity," he said.

But some information security departments are now trying to initiate proper procedures for spreadsheet development. "Some members are putting in place policies and guidelines with regard to end-user developed applications. They are raising awareness in the organisation, and explaining the scale and degree to which these applications are being used," Chaplin said.

He recommends companies try to introduce the general principles of software development lifecycle management to spreadsheet users. That means getting users to define the requirements of the application they are going to develop, working to a proper structure (such as having one sheet for logic, one for input and one for output), documenting the application, and also getting an independent person to review it before it goes into use.

Companies could also adopt an automated tool to test spreadsheet logic, but as both Chaplin and Croll agree, uptake of these tools is quite limited. "Enterprise spreadsheet management systems can help manage the problem. But in the City of London, there are 25 installations at most, and worldwide probably around 100," Croll said.
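One way to begin the independent review Chaplin recommends is to inventory what a workbook actually depends on before it is trusted for a decision. The script below is an added example, not code from the article, ISF or Eusprig: it reads an .xlsx package directly with the Python standard library (an .xlsx is a zip of XML parts) and flags hidden sheets, links to other workbooks, formulas that pull from those links, and an embedded macro project; the sample workbook is constructed inside the code.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespace of the main SpreadsheetML parts (workbook.xml, worksheets/sheetN.xml)
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_workbook(data: bytes) -> dict:
    """Scan workbook bytes for signs it has outgrown a personal tool: hidden
    sheets, links to other workbooks, and a macro project (xl/vbaProject.bin)."""
    findings = {"hidden_sheets": [], "external_link_parts": 0,
                "cross_workbook_formulas": 0, "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_macros"] = "xl/vbaProject.bin" in names
        findings["external_link_parts"] = sum(
            1 for n in names if n.startswith("xl/externalLinks/externalLink"))
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iter(NS + "sheet"):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        for n in names:
            if n.startswith("xl/worksheets/sheet"):
                ws = ET.fromstring(z.read(n))
                for f in ws.iter(NS + "f"):
                    # A reference into another workbook is stored as [n]Sheet!Cell
                    if f.text and re.search(r"\[\d+\]", f.text):
                        findings["cross_workbook_formulas"] += 1
    return findings

def build_sample_workbook() -> bytes:
    """Constructed minimal package for demonstration (not a real file)."""
    main = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{main}"><sheets>'
            '<sheet name="Input" sheetId="1"/>'
            '<sheet name="Logic" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{main}"><sheetData>'
            '<row r="1"><c r="A1"><f>[1]Rates!B2*1.05</f></c>'
            '<c r="B1"><f>A1*2</f></c></row></sheetData></worksheet>',
        "xl/externalLinks/externalLink1.xml": f'<externalLink xmlns="{main}"/>',
        "xl/vbaProject.bin": "",  # stands in for an embedded macro project
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running `audit_workbook` over every workbook exported from an ERP share gives the reviewer a dependency map before any figure from it reaches a decision.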
