Excel and Google Sheets are great, aren’t they? As popular with receptionists as researchers, and students as statisticians. Supported by MS or Google, what could possibly go wrong? Funny you should ask.
Excel is not just a passive list builder, it’s the go-to for anyone looking to glean insights from, organise, or just create a database. User-friendly commands mean even entry-level computer skills can cheerfully manage anything from a handful of records to hundreds of thousands.
While having and using aren’t the same thing, it’s clear that there’s a ubiquity about the most popular spreadsheets that makes them the go-to for anyone who needs to create a basic database or do something clever with the information we already have.
These features include rudimentary data analysis, visualising and consolidating data, sorting it, and – probably most importantly for most of us – making the calculations that help us budget either at home or in the office. While accountants will use something more focused, such as Sage, Excel or the G Suite sheets are fine for most of us. And that could be a problem.
In an earlier blog, Chris raised a number of flags about the widespread use of Excel and other proprietary software packages. A quick look at the chat rooms supports his view that we may be sleepwalking into a corporate data liability simply because we’re not paying close enough attention.
Absolutely, especially for the SME who has used MS or GS since the get-go and continues to do so – and why not? Both packages expand to meet your needs, and meanwhile, hackers are after the databases, contacts, and banking creds, right? And with all these security packages keeping watch, what’s the problem?
Exactly because of the ‘front door’ security issues, hackers are being more creative. New attack vectors include Excel commands and API calls to Windows. This expert cited a user “jumping between different cells to create a malware attack …. that is undetected.” The problem, of course, is that this ‘jumping about’ is an entirely legitimate capability in Excel and is not always malicious. Indeed, that’s why many of us use it in the first place.
The other issue is that some of these files are getting on a bit. Legacy files are another issue entirely. Some are incompatible with modern safeguards; it’s a below-the-radar issue that only shows up when it’s too late. “Many organizations have legacy files that use macros.” Excel has both.
Meanwhile, back in 2018
Many of the points Chris raised four years ago remain valid – and may be more acute bearing in mind the advancements in security in other packages, the tightening of data privacy laws, the increasing sophistication of hackers’ techniques – and their focus on soft targets that may lie outside the protective umbrella of company software security.
Spreadsheet audit anyone?
As Chris suggested, spreadsheets are great if you know where they all are, whether they’re backed up, that there are no duplicate versions, and whether someone can accidentally delete key data or change something they shouldn’t, for whatever reason.
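A first pass at that audit can be scripted. The sketch below is an added example, not code from the original post: it walks a folder tree, lists every spreadsheet, groups byte-identical copies, and flags legacy binary workbooks and workbooks that carry a VBA project. The extension list and the flag names are assumptions chosen for illustration.

```python
import hashlib
import os
import zipfile
from collections import defaultdict

# Assumed set of extensions to treat as spreadsheets; adjust to your estate.
SHEET_EXTS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".csv", ".ods"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary Office container


def classify(path):
    """Return a list of audit flags (names are illustrative) for one file."""
    flags = []
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == OLE_MAGIC:
        # Old .xls format: macros cannot be ruled out without an OLE parser.
        flags.append("legacy-binary")
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            # Modern workbooks store VBA code in a part named vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                flags.append("vba-macros")
                if not path.lower().endswith((".xlsm", ".xlsb")):
                    flags.append("extension-mismatch")
    return flags


def audit(root):
    """Walk root; return (inventory, duplicates) for every spreadsheet found."""
    inventory, by_hash = {}, defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SHEET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inventory[path] = classify(path)
            by_hash[digest].append(path)
    duplicates = [sorted(p) for p in by_hash.values() if len(p) > 1]
    return inventory, duplicates


if __name__ == "__main__":
    import sys
    inv, dups = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, flags in sorted(inv.items()):
        print(path, ",".join(flags) or "ok")
    for group in dups:
        print("duplicate copies:", " | ".join(group))
```

Run it against a shared drive or a user's documents folder; anything flagged `legacy-binary` or `extension-mismatch` is a candidate for manual review, and each duplicate group is a candidate for consolidation into one backed-up master copy.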
While you could develop a good detection engine that can spot actual threats without generating false positives and noise, you might also choose to commission bespoke software that has all the positives of modern software security, will scale as you do, and save you having to worry about what might be where.
Let’s have a most Excellent chat.