Nigel Thorpe, technical director at SecureAge, explains why our love of spreadsheets poses a security threat and why we need a new approach to protecting the data
Where would we be without spreadsheets? Since Microsoft first launched its Excel spreadsheet software in 1985, it has grown to become arguably the most important computer programme in workplaces around the world. The spreadsheet has become entrenched in business processes as well as critical applications. Public Health England even used an Excel spreadsheet to collect and collate thousands of COVID-19 test results. Unfortunately, in this case the data was imported using an outdated XLS format, which had a limit of 65,000 rows of data, resulting in the loss of over 15,000 positive COVID-19 test results.
The ability to instantly carry out calculations, produce graphs and charts and generate detailed reports using large data sets makes spreadsheets part of the staple diet for financial services. But with popularity comes complacency when it comes to security. It’s all too common for information to be stored in spreadsheets on laptops or shared via email or USB sticks, which puts security at risk.
In 2019, the world’s largest asset manager, BlackRock, unintentionally shared a link to spreadsheets with confidential information about its clients. Broken down in these spreadsheets was a list of advisors identified as ‘dabblers’ and ‘power users.’ While there was no financial information exposed, this breach brought spreadsheet risk management into the spotlight.
Data is usually secure and well managed when held in business applications. But people need to use data in ways that applications do not help with, such as financial planning, business planning, ‘what if’ analysis, reports, presentations, meeting notes, etc. Once taken out of the database or application, data is no longer controlled or secured but stored on local hard disks, cloud storage or corporate file shares.
So, if we can’t be sure of preventing unauthorised access to data held in spreadsheets from a cyber attack, disgruntled insider or ransomware, we must rethink the traditional ‘castle and moat’ methods of information protection and adopt a data-centric approach, where security is built into data itself.
Full disk encryption will protect all data when it is at rest on a hard disk or USB drive, which is great if you lose your laptop or memory stick, but is of absolutely no use in protecting data against unauthorised access or theft from a running system – including an Excel programme. Staff need to extract and analyse data locally, and particularly in the current pandemic, this is done on remote endpoints such as home PCs, laptops or tablets with local storage, where the extracted data is often stored. Data therefore needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.
When it comes to spreadsheet data – as with any structured or unstructured data – deciding what is most important to protect is difficult and needs to take into account risk and business impact analysis and regulatory requirements. Manual classification is impractical for most organisations, but automation means that search patterns and rules must be developed. However, patterns and rules are not perfect, so it is highly likely that a proportion of the sensitive data which is being searched for will be misclassified. Then there is the question of where you set the bar – what is sensitive data anyway? Even seemingly trivial information can be useful to a cybercriminal, since they are adept at amalgamating small pieces of data to form a bigger picture, to build a spear phishing attack for example.
A universal approach
The obvious answer would be to protect everything, but the accepted norm is to encrypt only what is considered the most important or sensitive data. This is largely because traditionally, encryption has been seen as complex and costly to deploy and detrimental to performance and productivity. But with today’s technology and processing power it is possible to deliver full data protection that is transparent to the end user. The ability to slide encryption technology in ‘behind’ other software exists, automatically securing data – including spreadsheet data – without having to change any applications or decide what is important. By actively choosing to encrypt all data – whether it is stored, in transit or in use – we are finally designing security into the only thing which has value – the data itself. This way, the risk of spreadsheet complacency is avoided as any lost or stolen information remains protected and useless to a thief.