Businesses generate considerable volumes of data and increasingly use data as a driver for business growth and innovation. More so than ever, spreadsheets are routinely used to store, dissect and analyze both non-sensitive and sensitive data alike.
In a recent blog post “Mind your spreadsheets: Tips to improve your data governance before an incident”, Dan Michaluk and Eric Charleston of Borden Ladner Gervais, provided some excellent advice for organizations on how to manage spreadsheets and other “file share” documents. Their blog highlights how spreadsheets usage increases sensitive content under management and can increase the risks associated with data exfiltration and can “double the population of individuals affected by a network compromise”.
If individual documents are not encrypted or the drives on which they are stored are not encrypted then the risks associated with third-party network attacks and data exfiltration are increased, particularly when data contains Personally Identifiable Information (PII) or Personal Health Information (PHI).
In the June issue of Wired Magazine, Clive Thompson wrote about the rise in the use of “relational” spreadsheets. Relational spreadsheets are those that contain information that is related to or affected by, the information contained in other documents or spreadsheets. In his article, Thompson notes that some spreadsheet application designers are using spreadsheets in a similar way to how larger organizations use databases and that some of the new spreadsheets are designed to accept and store any kind of data, rather than just names, numbers and dates. Thompson even waxes lyrical about spreadsheets, and calls them “the Rosetta Stone of file formats: They’re easy to view like a Word file, they can do math like a programming language, yet they store info like a database.”
The use of this kind of “relational” spreadsheet may pose an even greater risk to an organization than the staid, simple Excel spreadsheet of old, because of the massive amount of additional information stored in a relational spreadsheet, and other connected spreadsheets and documents.
Another risk associated with spreadsheets is that they are often shared between colleagues via email, and so are particularly vulnerable to exposure in a typical network breach or a Business Email Compromise (BEC). We have seen a marked increase this year in BEC events and the exfiltration of documents such as spreadsheets. If “relational” spreadsheets are exposed, stolen, encrypted or exfiltrated during a breach, the organization suffering the breach risks losing more than just a list of names and addresses as an example. The relational information is likely to contain considerably more such as business-critical and performance information, proprietary information, project-specific information or at the very least confidential information relating to the business, its employees, investments, investors, suppliers, clients, and financial information or any combination of those categories.
This is not the kind of information most businesses can afford to lose or to have stolen, via a phishing attack, BEC or a ransomware case.
Businesses would be well advised to keep relational spreadsheets encrypted, password-protected, locked down, stored off the main network, and securely backed up at regular intervals, to ensure that their use is limited to essential functions, and ensure that proper data hygiene and data security policies are applied to relational spreadsheets in the same way that critical network infrastructure is protected.