Infosec pros wake up to Excel spreadsheet security risks

CISOs are beginning to turn their attention to an often ignored data security threat: the poorly managed Excel spreadsheet.

Threats posed by viruses, Trojans and unencrypted USB sticks are all well known, but leading security professionals are now turning their attention to a growing danger inside organisations -- poorly managed Excel spreadsheets.

A recent poll by the Information Security Forum (ISF), a user-based group made up of about 300 major corporations from around the world, found that many respondents had, for the first time, identified user-developed applications, especially spreadsheets, among the top 10 most serious threats they expect to face by 2011. The 200 responses received by the forum were from CISOs or equivalent level executives.

Mark Chaplin, a senior research consultant with ISF, said Excel spreadsheet security problems arise because spreadsheets tend to grow over time, but they are not subject to the same controls and disciplines as properly managed IT projects. Designed initially as personal productivity tools, programs such as Microsoft Excel have mushroomed within organisations and are now used to support critical parts of the business and key decisions, he said.

"Spreadsheets may often start off as just a list for storing information and then they grow up," Chaplin said. "They are not developed in a proper way, and there is no proper documentation or training, or maintenance and support. You don't realise there is a problem until something goes wrong."

The dangers of trusting in spreadsheets have been documented over many years. The European Spreadsheet Risks Interest Group (Eusprig), an independent organisation, displays on its website a long list of disasters and mishaps that have been caused by poorly written spreadsheets. Professor Ray Panko at the University of Hawaii has also spent many years analysing the problem.

But as Chaplin conceded, spreadsheet security has not been recognised as an enterprise security problem. "From an information security perspective, this is still uncharted territory," he said. "It doesn't appear on the radar of senior management."

He added that in his research among ISF members and other organisations, he found that desktop applications such as Microsoft Office were generally included in the standard configuration of users' PCs. "More than 75% of people say that spreadsheets are included in the default configuration of their desktops. And yet there is very little training provided for these applications," he said.

"People start by doing a few calculations, but slowly their spreadsheets grow and they start making critical decisions based on them. Then they start linking spreadsheets together, and you end up with a network of spreadsheets that organisations begin to rely on. In the U.S., organisations like Freddie Mac and Fannie Mae were being run on huge spreadsheets. They had thousands of spreadsheets that were all interlinked."

The situation is no better in Europe. For instance, after identifying pricing errors from a small number of traders, the Financial Services Authority slapped a £5.6m fine on Credit Suisse Group in August 2008 for "failing to conduct their business with due skill, care and diligence and failing to organise and control their business effectively."

According to Grenville Croll, chairman of Eusprig, those errors were due to problems with spreadsheets that supported the trading of complex financial instruments, such as CDOs (collateralised debt obligations).

"Some of the stories we've heard from the regulator over the years are enough to make your toes curl," he said. "Some institutions are beginning to realise they have a problem, but nobody senior in most of the banks has the faintest idea of how dependent they are on spreadsheets."

Croll said spreadsheets suffer from a range of problems. Several research studies have found that up to 70% of spreadsheets contain errors which would result in serious miscalculations. Furthermore, they tend to operate outside the scope of the information security department, and so can be freely copied without proper controls. "It's a house of cards," he said.

And as Chaplin added, while most companies apply good practice within their ERP environment with identity and access management and segregation of roles, that discipline is lost once data is exported to a spreadsheet. "If you allow the user to export that information to their desktop, which then goes into a spreadsheet that may modify the data, then you have lost the integrity you had in the enterprise application. If the user can upload the information back into the enterprise application, then you've got a problem. You introduce risk, and the loss of data integrity," he said.
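One way to keep the integrity Chaplin describes across an export, edit and re-upload round trip, shown here as an added example rather than anything from the article, the ISF or a particular product: the enterprise application attaches an HMAC tag to every exported row and keeps a server-side manifest over the row set, then checks both before accepting an upload. The key, field names, sample invoice rows and the three scenarios are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key: in practice the key lives only inside the enterprise
# application, never in the spreadsheet or on the user's desktop.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

PROTECTED_FIELDS = ("invoice_id", "supplier", "amount")
TAG_COLUMN = "integrity_tag"   # extra column the user is told to leave alone


def row_tag(row, key=SERVER_KEY):
    """HMAC-SHA256 over the protected fields in canonical (sorted, text) form."""
    canonical = json.dumps({f: str(row.get(f, "")) for f in PROTECTED_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def manifest_tag(tagged_rows, key=SERVER_KEY):
    """HMAC over the ordered list of row tags: catches added, removed or reordered rows."""
    joined = "\n".join(str(r.get(TAG_COLUMN, "")) for r in tagged_rows)
    return hmac.new(key, joined.encode("utf-8"), hashlib.sha256).hexdigest()


def export_rows(rows):
    """Tag each row on the way out; the manifest stays server-side and is not exported."""
    tagged = [dict(r, **{TAG_COLUMN: row_tag(r)}) for r in rows]
    return tagged, manifest_tag(tagged)


def verify_import(rows, expected_manifest):
    """Return (accepted_rows, problems). The caller should reject the whole
    upload when problems is non-empty rather than load only the rows that passed."""
    problems = []
    accepted = []
    for idx, row in enumerate(rows, start=1):
        tag = str(row.get(TAG_COLUMN, ""))
        if not hmac.compare_digest(tag, row_tag(row)):
            problems.append(f"row {idx}: protected fields changed since export")
        else:
            accepted.append({f: row.get(f, "") for f in PROTECTED_FIELDS})
    if not hmac.compare_digest(manifest_tag(rows), expected_manifest):
        problems.append("row set changed: rows added, removed or reordered")
    return accepted, problems


def demo():
    """Constructed ERP extract; returns the problem list for three round trips."""
    rows = [
        {"invoice_id": "INV-1001", "supplier": "Acme Ltd", "amount": "1250.00"},
        {"invoice_id": "INV-1002", "supplier": "Bolt plc", "amount": "480.50"},
        {"invoice_id": "INV-1003", "supplier": "Crane Co", "amount": "9900.00"},
    ]
    tagged, manifest = export_rows(rows)

    untouched = copy.deepcopy(tagged)
    edited = copy.deepcopy(tagged)
    edited[1]["amount"] = "48.50"          # one cell edited in the spreadsheet
    trimmed = copy.deepcopy(tagged)[:2]    # one row deleted before re-upload

    return {
        "untouched": verify_import(untouched, manifest)[1],
        "edited": verify_import(edited, manifest)[1],
        "trimmed": verify_import(trimmed, manifest)[1],
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "clean")
```

The row tag pins each row's values to the export, and the manifest pins the set of rows, so an edited amount is reported by row number while a deleted or inserted row is reported as a change to the set. Spreadsheet applications silently reformat values they recognise as numbers or dates (for instance turning the text "1250.00" into the number 1250), so a real importer should canonicalise each field (parse amounts to a fixed number of decimal places, dates to ISO form) before both tagging and verifying, or benign reformatting will be indistinguishable from tampering.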

But some information security departments are now trying to initiate proper procedures for spreadsheet development. "Some members are putting in place policies and guidelines with regard to end-user developed applications. They are raising awareness in the organisation, and explaining the scale and degree to which these applications are being used," Chaplin said.

He recommends companies try to introduce the general principles of software development lifecycle management to spreadsheet users. That means getting users to define the requirements of the application they are going to develop, working to a proper structure (such as having one sheet for logic, one for input and one for output), documenting the application, and also getting an independent person to review it before it goes into use.

Companies could also adopt an automated tool to test spreadsheet logic, but as both Chaplin and Croll agree, uptake of these tools is quite limited. "Enterprise spreadsheet management systems can help manage the problem. But in the City of London, there are 25 installations at most, and worldwide probably around 100," Croll said.
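As an added illustration of the structure Chaplin recommends and of the kind of automated logic check Croll refers to (example code written for this page, not any product's or the ISF's): a small lint over a workbook modelled as a dict of sheet name to cell to content. It assumes the three-sheet convention from the text (sheets named Input, Logic and Output) and a constructed sample workbook, and flags formulas on the input sheet, typed-over values on the output sheet, hardcoded constants inside logic, links to other workbooks (the "network of spreadsheets" problem) and references to sheets that do not exist.

```python
import re

STRING_LIT = re.compile(r'"[^"]*"')                         # "text" inside a formula
EXTERNAL = re.compile(r"'?\[([^\]]+)\][^'!]*'?!")           # [Other.xlsx]Sheet!
SHEET_REF = re.compile(r"(?:'([^']+)'|([A-Za-z_][A-Za-z0-9_]*))!")
CELL_REF = re.compile(r"\$?[A-Z]{1,3}\$?\d+")                # A1, $B$2, AB10
FUNC = re.compile(r"[A-Z][A-Z0-9._]*\(")                     # SUM(, LOG10(
NUMBER = re.compile(r"(?<![A-Za-z0-9_.])\d+(?:\.\d+)?(?![A-Za-z0-9_])")
ALLOWED_CONSTANTS = {"0", "1"}   # assumed policy: anything else belongs on the input sheet


def _check_formula(formula, sheets):
    """Yield messages for one formula: external links, missing sheets, magic numbers."""
    body = STRING_LIT.sub('""', formula)
    for m in EXTERNAL.finditer(body):
        yield f"external workbook reference [{m.group(1)}]"
    body = EXTERNAL.sub("!", body)
    for m in SHEET_REF.finditer(body):
        name = m.group(1) or m.group(2)
        if name not in sheets:
            yield f"reference to missing sheet '{name}'"
    # Strip everything that legitimately contains digits, then look for literals.
    body = SHEET_REF.sub("!", body)
    body = CELL_REF.sub("REF", body)
    body = FUNC.sub("(", body)
    for num in NUMBER.findall(body):
        if num not in ALLOWED_CONSTANTS:
            yield f"hardcoded constant {num} (move it to an input cell)"


def lint_workbook(workbook, required=("Input", "Logic", "Output")):
    """Return a list of (location, message) findings for the workbook."""
    findings = []
    for name in required:
        if name not in workbook:
            findings.append(("workbook", f"missing required sheet '{name}'"))
    for sheet, cells in workbook.items():
        for cell, content in cells.items():
            loc = f"{sheet}!{cell}"
            is_formula = str(content).startswith("=")
            if sheet == "Input" and is_formula:
                findings.append((loc, "formula on the input sheet (inputs should be typed values)"))
            if sheet == "Output" and not is_formula:
                findings.append((loc, "typed value on the output sheet (outputs should be formulas)"))
            if is_formula:
                for msg in _check_formula(str(content), workbook.keys()):
                    findings.append((loc, msg))
    return findings


# Constructed sample workbook with one of each defect the lint looks for.
WORKBOOK = {
    "Input": {"B2": "0.20", "B3": "1000", "B4": "=SUM(B2:B3)"},
    "Logic": {
        "B2": "=Input!B3*(1+Input!B2)",        # fine: constants come from Input
        "B3": "=B2*1.175",                     # VAT rate hardcoded in logic
        "B4": "='[Q3_rates.xlsx]Rates'!B7",    # link to another workbook
        "B5": "=SUM(B2:B4)",
        "B6": "=Archive!C9",                   # sheet no longer exists
    },
    "Output": {"B2": "=Logic!B5", "B3": "12500"},   # B3 typed over a formula
}

if __name__ == "__main__":
    for loc, msg in lint_workbook(WORKBOOK):
        print(f"{loc}: {msg}")
```

The formula checks are string-based and deliberately conservative: references and function names are removed before literals are searched for, so `LOG10(` or `B12` are not reported as constants, and only `0` and `1` are accepted without an input cell. To run it over real files, read each sheet's cells from the workbook with a library such as openpyxl and pass the resulting dict in; the lint itself has no dependency beyond the standard library.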