Infosec pros wake up to Excel spreadsheet security risks

By Ron Condon, U.K. Bureau Chief
10 Jul 2009 | SearchSecurity.co.uk


Threats posed by viruses, Trojans and unencrypted USB sticks are all well known, but leading security professionals are now turning their attention to a growing danger inside organisations -- poorly managed Excel spreadsheets.

A recent poll by the Information Security Forum (ISF), a user-based group made up of about 300 major corporations from around the world, found that many respondents had, for the first time, identified user-developed applications, especially spreadsheets, among the top 10 most serious threats they expect to face by 2011. That puts Excel spreadsheet security controls firmly on the agenda for the coming year. The 200 responses received by the forum were from CISOs or equivalent-level executives.

Mark Chaplin, a senior research consultant with ISF, said Excel spreadsheet security problems arise because spreadsheets tend to grow over time, but they are not subject to the same controls and disciplines as properly managed IT projects. Designed initially as personal productivity tools, programs such as Microsoft Excel have mushroomed within organisations and are now used to support critical parts of the business and key decisions, he said.

"Spreadsheets may often start off as just a list for storing information and then they grow up," Chaplin said. "They are not developed in a proper way, and there is no proper documentation or training, or maintenance and support. You don't realise there is a problem until something goes wrong."

The dangers of trusting in spreadsheets have been documented over many years. The European Spreadsheet Risks Interest Group (Eusprig), an independent organization, displays on its website a long list of disasters and mishaps that have been caused by poorly written spreadsheets. Professor Ray Panko at the University of Hawaii has also spent many years analysing the problem.

But as Chaplin conceded, spreadsheet security has not been recognised as an enterprise security problem. "From an information security perspective, this is still uncharted territory," he said. "It doesn't appear on the radar of senior management."

He added that in his research among ISF members and other organisations, he found that desktop applications such as Microsoft Office were generally included in the standard configuration of users' PCs. "More than 75% of people say that spreadsheets are included in the default configuration of their desktops. And yet there is very little training provided for these applications," he said.

"People start by doing a few calculations, but slowly their spreadsheets grow and they start making critical decisions based on them. Then they start linking spreadsheets together, and you end up with a network of spreadsheets that organisations begin to rely on. In the U.S., organisations like Freddie Mac and Fannie Mae were being run on huge spreadsheets. They had thousands of spreadsheets that were all interlinked."

The situation is no better in Europe. For instance, after identifying pricing errors from a small number of traders, the Financial Services Authority slapped a £5.6m fine on Credit Suisse Group in August 2008 for "failing to conduct their business with due skill, care and diligence and failing to organise and control their business effectively."

According to Grenville Croll, chairman of Eusprig, those errors were due to problems with spreadsheets that supported the trading of complex financial instruments, such as CDOs (collateralised debt obligations).

"Some of the stories we've heard from the regulator over the years are enough to make your toes curl," he said. "Some institutions are beginning to realise they have a problem, but nobody senior in most of the banks has the faintest idea of how dependent they are on spreadsheets."

Croll said spreadsheets suffer from a range of problems. Several research studies have found that up to 70% of spreadsheets contain errors which would result in serious miscalculations. Furthermore, they tend to operate outside the scope of the information security department and so can be freely copied without proper controls. "It's a house of cards," he said.

And as Chaplin added, while most companies apply good practice within their ERP environment with identity and access management and segregation of roles, that discipline is lost once data is exported to a spreadsheet. "If you allow the user to export that information to their desktop, which then goes into a spreadsheet that may modify the data, then you have lost the integrity you had in the enterprise application. If the user can upload the information back into the enterprise application, then you've got a problem. You introduce risk, and the loss of data integrity," he said.
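The round trip Chaplin describes (data exported from a controlled enterprise application, edited in a spreadsheet, then uploaded back) can at least be made tamper-evident at the import boundary. The script below is an added example written for this article, not code from ISF or from any product mentioned; it assumes a hypothetical export/import layer around the enterprise application, a key that stays server-side, a constructed set of rows, and a hypothetical convention that only some columns are protected while free-text columns may be edited in the sheet. Each exported row carries an HMAC over its protected columns, its row number and the export id, so the import step can reject rows whose protected values were changed, rows that lost their tag, and rows pasted in twice.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in the enterprise
# application (or its secrets store) and is never written into the spreadsheet.
EXPORT_KEY = b"constructed-demo-key-not-for-production"

# Columns whose values must come back exactly as they were exported. Any other
# column (free-text notes, for example) may be edited in the spreadsheet.
PROTECTED_COLUMNS = ("account", "amount_pence", "approved_by")


def _canonical(export_id, row_no, row):
    """Deterministic byte encoding of the protected part of one row."""
    protected = {column: row[column] for column in PROTECTED_COLUMNS}
    return json.dumps([export_id, row_no, protected],
                      sort_keys=True, separators=(",", ":")).encode()


def _tag(export_id, row_no, row, key):
    return hmac.new(key, _canonical(export_id, row_no, row), hashlib.sha256).hexdigest()


def export_rows(export_id, rows, key=EXPORT_KEY):
    """Attach export id, row number and HMAC tag to each row before it leaves the application."""
    return [
        {**row, "_export_id": export_id, "_row_no": i,
         "_tag": _tag(export_id, i, row, key)}
        for i, row in enumerate(rows)
    ]


def import_rows(rows, key=EXPORT_KEY):
    """Verify each row coming back. Returns (accepted, rejected); rejected items are (row, reason)."""
    accepted, rejected, seen = [], [], set()
    for row in rows:
        if "_tag" not in row:
            rejected.append((row, "missing integrity tag"))
            continue
        try:
            expected = _tag(row["_export_id"], row["_row_no"], row, key)
        except KeyError as missing:
            rejected.append((row, f"missing column {missing}"))
            continue
        if not hmac.compare_digest(expected, str(row["_tag"])):
            rejected.append((row, "protected columns changed since export"))
            continue
        identity = (row["_export_id"], row["_row_no"])
        if identity in seen:
            rejected.append((row, "duplicate row"))
            continue
        seen.add(identity)
        accepted.append(row)
    return accepted, rejected


def demo():
    """Constructed round trip: export three rows, simulate spreadsheet edits, re-import."""
    original = [
        {"account": "ACC-001", "amount_pence": 125000, "approved_by": "j.smith", "notes": ""},
        {"account": "ACC-002", "amount_pence": 9900, "approved_by": "j.smith", "notes": ""},
        {"account": "ACC-003", "amount_pence": 40000, "approved_by": "a.jones", "notes": ""},
    ]
    sheet = export_rows("EXP-2009-07-10-01", original)
    sheet[0]["amount_pence"] = 1250000   # protected value altered in the sheet
    sheet[1]["notes"] = "checked"        # unprotected column edited: allowed
    del sheet[2]["_tag"]                 # tag column deleted
    sheet.append(dict(sheet[1]))         # valid row pasted twice
    return import_rows(sheet)


if __name__ == "__main__":
    accepted, rejected = demo()
    print(f"accepted {len(accepted)} row(s)")
    for row, reason in rejected:
        print(f"rejected {row['account']}: {reason}")
```

Two points matter when applying this to a real sheet. First, the tag only proves the protected columns are unchanged; it says nothing about whether the values were right when exported, so the access controls of the source application still carry that burden. Second, spreadsheets silently retype cells (an integer row number becomes a float or a string, amounts gain decimals), so the import step must normalise types back to the exported form before recomputing the tag, or honest rows will be rejected; that is why the example stores money as integer pence.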

But some information security departments are now trying to initiate proper procedures for spreadsheet development. "Some members are putting in place policies and guidelines with regard to end-user developed applications. They are raising awareness in the organisation, and explaining the scale and degree to which these applications are being used," Chaplin said.

He recommends companies try to introduce the general principles of software development lifecycle management to spreadsheet users. That means getting users to define the requirements of the application they are going to develop, working to a proper structure (such as having one sheet for logic, one for input and one for output), documenting the application, and also getting an independent person to review it before it goes into use.

Companies could also adopt an automated tool to test spreadsheet logic, but as both Chaplin and Croll agree, uptake on these tools is quite limited. "Enterprise spreadsheet management systems can help manage the problem. But in the City of London, there are 25 installations at most, and worldwide probably around 100," Croll said.
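Chaplin's three-sheet structure (one sheet for input, one for logic, one for output) and the automated logic-testing tools Croll mentions both come down to checks that can be stated mechanically and run before the independent review he recommends. The script below is an added example written for this article, not a product or code from ISF or Eusprig. It works on a constructed in-memory workbook rather than a real .xls file, assumes the sheets are named Input, Logic and Output, and flags the patterns the article's sources describe: calculations buried on the input sheet, constants hard-coded into formulas, links to other workbooks (the "network of spreadsheets"), logic that reads back from the output sheet, numbers typed over where a formula belongs, and references to sheets that no longer exist.

```python
import re
from collections import Counter

# Constructed sample workbook (not a real file): {sheet: {cell: content}}.
# Strings beginning with "=" are formulas; anything else is a typed-in value.
# Sheet names follow the three-sheet split recommended in the article:
# raw data on "Input", calculations on "Logic", reported figures on "Output".
SAMPLE_WORKBOOK = {
    "Input": {
        "A1": "Rate", "B1": 0.05,
        "A2": "Principal", "B2": 100000,
        "B3": "=B1*B2",                         # calculation hidden on the input sheet
    },
    "Logic": {
        "A1": "=Input!B2*Input!B1",             # clean: reads declared inputs only
        "A2": "=A1*1.2",                        # undocumented constant baked into a formula
        "A3": "='[Forecast2008.xls]Q3'!C7",     # link to another workbook
        "A4": "=Output!B1+1",                   # logic reading back from the output sheet
    },
    "Output": {
        "A1": "Interest", "B1": "=Logic!A1",    # clean: reports a logic result
        "B2": 42,                               # number typed over where a formula belongs
        "B3": "=Ledger!C2",                     # refers to a sheet that does not exist
    },
}

INPUT_SHEET, LOGIC_SHEET, OUTPUT_SHEET = "Input", "Logic", "Output"
ALLOWED_LITERALS = {"0", "1"}       # constants that are not worth reporting

# A cell reference, optionally sheet-qualified: B2, $A$1, Input!B2, 'Q3 data'!C7
CELL_REF = re.compile(r"(?:'([^']+)'!|([A-Za-z_][A-Za-z0-9_]*)!)?\$?[A-Z]{1,3}\$?\d+")
# A reference into another workbook: '[Book.xls]Sheet'!C7 or [Book.xls]Sheet!C7
EXTERNAL_REF = re.compile(r"'?\[[^\]]+\][^'!]*'?!\$?[A-Z]{1,3}\$?\d+")
NUMBER = re.compile(r"\d+(?:\.\d+)?")


def is_formula(value):
    return isinstance(value, str) and value.startswith("=")


def referenced_sheets(formula):
    """Sheet names a formula reads from; None stands for same-sheet references."""
    return {quoted or bare or None for quoted, bare in CELL_REF.findall(formula)}


def magic_numbers(formula):
    """Numeric literals left in a formula once all cell references are removed."""
    body = CELL_REF.sub(" ", EXTERNAL_REF.sub(" ", formula[1:]))
    return [n for n in NUMBER.findall(body) if n not in ALLOWED_LITERALS]


def audit_workbook(workbook):
    """Return findings as (sheet, cell, rule, detail) tuples."""
    findings = []
    for sheet, cells in workbook.items():
        for cell, value in cells.items():
            if not is_formula(value):
                if sheet == OUTPUT_SHEET and isinstance(value, (int, float)):
                    findings.append((sheet, cell, "typed-value-on-output", repr(value)))
                continue
            formula = value
            if sheet == INPUT_SHEET:
                findings.append((sheet, cell, "formula-on-input", formula))
            for link in EXTERNAL_REF.findall(formula):
                findings.append((sheet, cell, "external-link", link))
            for other in referenced_sheets(EXTERNAL_REF.sub(" ", formula)):
                if other is None or other == sheet:
                    continue
                if other not in workbook:
                    findings.append((sheet, cell, "dangling-sheet", other))
                elif sheet == LOGIC_SHEET and other == OUTPUT_SHEET:
                    findings.append((sheet, cell, "logic-reads-output", formula))
            for literal in magic_numbers(formula):
                findings.append((sheet, cell, "magic-number", literal))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a reviewer would put in a sign-off note."""
    return Counter(rule for _, _, rule, _ in findings)


if __name__ == "__main__":
    results = audit_workbook(SAMPLE_WORKBOOK)
    for sheet, cell, rule, detail in results:
        print(f"{sheet}!{cell}: {rule} ({detail})")
    print(dict(summarize(results)))
```

To run this against real workbooks, load each sheet's formulas with a library such as openpyxl into the same dictionary shape; the checks themselves do not change. The rules are deliberately simple pattern matches and do not follow named ranges, array formulas or VBA, so a clean report is a precondition for the independent review Chaplin describes, not a substitute for it.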
