Data Storage, Cyber Risk, and the so-called “Spreadsheet Revolution”

Businesses generate considerable volumes of data and increasingly use data as a driver for business growth and innovation. More so than ever, spreadsheets are routinely used to store, dissect and analyze both non-sensitive and sensitive data alike.

In a recent blog post, “Mind your spreadsheets: Tips to improve your data governance before an incident”, Dan Michaluk and Eric Charleston of Borden Ladner Gervais provided some excellent advice for organizations on how to manage spreadsheets and other “file share” documents. Their blog highlights how spreadsheet usage increases the sensitive content under management, can increase the risks associated with data exfiltration, and can “double the population of individuals affected by a network compromise”.

If individual documents are not encrypted, or the drives on which they are stored are not encrypted, then the risks associated with third-party network attacks and data exfiltration are increased, particularly when the data contains Personally Identifiable Information (PII) or Personal Health Information (PHI).

In the June issue of Wired Magazine, Clive Thompson wrote about the rise in the use of “relational” spreadsheets. Relational spreadsheets are those that contain information that is related to, or affected by, the information contained in other documents or spreadsheets. In his article, Thompson notes that some spreadsheet application designers are using spreadsheets in a similar way to how larger organizations use databases, and that some of the new spreadsheets are designed to accept and store any kind of data, rather than just names, numbers and dates. Thompson even waxes lyrical about spreadsheets, and calls them “the Rosetta Stone of file formats: They’re easy to view like a Word file, they can do math like a programming language, yet they store info like a database.”

The use of this kind of “relational” spreadsheet may pose an even greater risk to an organization than the staid, simple Excel spreadsheet of old, because of the massive amount of additional information stored in a relational spreadsheet and in other connected spreadsheets and documents.

Another risk associated with spreadsheets is that they are often shared between colleagues via email, and so are particularly vulnerable to exposure in a typical network breach or a Business Email Compromise (BEC). We have seen a marked increase this year in BEC events and the exfiltration of documents such as spreadsheets. If “relational” spreadsheets are exposed, stolen, encrypted or exfiltrated during a breach, the organization suffering the breach risks losing more than just, for example, a list of names and addresses. The relational information is likely to contain considerably more, such as business-critical and performance information, proprietary information, project-specific information or, at the very least, confidential information relating to the business, its employees, investments, investors, suppliers, clients, and financial information, or any combination of those categories.

This is not the kind of information most businesses can afford to lose or to have stolen via a phishing attack, a BEC or a ransomware case.

Businesses would be well advised to keep relational spreadsheets encrypted, password-protected, locked down, stored off the main network, and securely backed up at regular intervals; to ensure that their use is limited to essential functions; and to ensure that proper data hygiene and data security policies are applied to relational spreadsheets in the same way that critical network infrastructure is protected.
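One way to check the "not encrypted" condition described above across a file share, as an added example that is not part of the original article: the script below walks a directory and reports which spreadsheets are stored in plaintext. It relies on a heuristic (a password-encrypted .xlsx is an OLE container holding an `EncryptedPackage` stream, while an ordinary one is a ZIP archive), and the file names and sample files are constructed for illustration.

```python
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store stream names as UTF-16LE.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
SPREADSHEET_EXTS = {".xlsx", ".xlsm", ".xls", ".csv"}

def classify(path):
    """Return 'encrypted', 'plaintext' or 'unknown' for one spreadsheet file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.lower().endswith(".csv"):
        return "plaintext"          # CSV has no encryption container at all
    if data.startswith(ZIP_MAGIC):
        return "plaintext"          # ordinary OOXML: a readable ZIP of XML parts
    if data.startswith(OLE_MAGIC):
        # Password-encrypted OOXML is wrapped in an OLE container holding an
        # EncryptedPackage stream. Legacy .xls is also OLE; without that stream
        # this heuristic cannot tell, so report it for manual review.
        return "encrypted" if ENCRYPTED_STREAM in data else "unknown"
    return "unknown"

def audit(root):
    """Walk root and return {relative_path: classification} for spreadsheets."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SPREADSHEET_EXTS:
                full = os.path.join(dirpath, name)
                findings[os.path.relpath(full, root)] = classify(full)
    return findings

def build_sample_share(root):
    """Constructed sample files standing in for a file share."""
    with zipfile.ZipFile(os.path.join(root, "payroll.xlsx"), "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
    with open(os.path.join(root, "board.xlsx"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM)  # mimics container
    with open(os.path.join(root, "clients.csv"), "w") as fh:
        fh.write("name,email\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, state in sorted(audit(share).items()):
            print(f"{state:10} {rel}")
```

Files reported as `plaintext` are readable by anyone who obtains a copy, which is the exposure the article describes for spreadsheets circulated by email or left on shared drives.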
