Email and the Internet usually get highlighted as the biggest sources of potential risk, but spreadsheets can represent...
just as much of a threat to your enterprise.
The biggest risk inherent in spreadsheets is their sheer ubiquity in financial planning. Spreadsheets are frequently built by individual staff in an ad hoc fashion. That speed of development is a key part of their appeal, but it also means that their structure doesn't undergo rigorous auditing, which can lead to major problems. In one infamous recent case, a poorly formatted spreadsheet resulted in Barclays buyout of Lehman Brothers including many assets which Barclays had no intention of buying.
Those kinds of issues might sometimes be unavoidable. "In a normal acquisition most likely this error would have been caught, but in the rush of a fire sale, it didn't," Gartner analyst French Caldwell pointed out on his blog. "Would spreadsheet controls have helped prevent this error? Maybe -- but doubtful in this case. The spreadsheet was too unique."
Admittedly, security staff can leave those broader problems of data authenticity to the CFO and auditors. However, a related issue -- the lack of security in many user-created spreadsheets, and the potential for confidential data to be stolen or misplaced -- falls much more squarely into the CSO's ambit. Excel (and its less-used rivals such as the Calc component of Open Office) include security features such as password protection, but these are often ignored.
Classic spreadsheet security problems in the form of malware embedded in spreadsheets also continue to arise. In late February, a vulnerability affecting Excel files in Office 2007 which potentially enabled Excel to be used to download other malware was identified by Microsoft.
Like most such vulnerabilities, the number of reported infections was relatively low, and most enterprises would have seen automatic patches flow through their existing security systems without needing to be specifically concerned.
Nonetheless, such problems are unlikely to disappear in the near future. Microsoft's decision to drop the macro execution features in the Mac version of Excel included in Office 2008 was so unpopular that the feature is due to be reinstated in the next release.
No-one's going to accept an outright spreadsheet ban, so what can you do? The best way to tackle such problems is by developing a spreadsheet control solution and implementing it on a company-wide basis.
Forrester Research advises a four-step process to introduce spreadsheet security controls into an organisation. The first is to carry out discovery searches to identify just how many spreadsheets are in use. The second is to carry out risk assessments on individual spreadsheets. A remediation phase adds structure to the spreadsheet creation process (by implementing mandatory testing or checking, for instance). Finally, the use of full-scale spreadsheet controls can be introduced, since all spreadsheets will now comply with the scheme.
While this is a worthy overall plan, you'll need significant management backup to make it work. The ease with which new spreadsheets can be created means that a possessive owner might just rebuild their existing favourite on a local machine while ignoring any official policies. In this context, the CFO should be your strongest source of support, since poorly-developed spreadsheets represent a major compliance risk.
One basic step that is sometimes neglected is ensuring that the settings on installed copies of Excel don't allow unsafe behaviour. Microsoft's Group Policy can be used to change settings (such as macro warnings and ability to change settings in a way which can't be readily altered by users (unlike the simpler Office Customization Tool, which can fairly easily be circumvented).