Spreadsheets Seen As Security Hole

Companies moving to protect data in Excel and other BI tools

In the wake of multiple high-profile laptop thefts and data breaches, some IT shops are launching initiatives to ensure that sensitive corporate data stored in spreadsheets and business intelligence tools remains secure.

The security efforts are taking on greater urgency as more and more workers gain access to BI tools and spreadsheets used for data analysis functions.

Several recent breaches have involved unsecured spreadsheets -- including an inadvertent e-mail exposure of sensitive data on about 5,000 customers that Verizon Wireless disclosed last week, and the theft in May of a laptop from the U.S. Department of Veterans Affairs that contained personal information on some 26 million people.

IT managers and analysts said that spreadsheets are the most common method used to analyze corporate data and are increasingly being used as a front end to more advanced BI systems. However, in most cases the ubiquitous application and the more traditional BI tools have not yet received the same security scrutiny as transactional systems and Web applications have, they said.

Mayur Raichura, director of information services at The Long & Foster Cos., met last week with various executives, including the company's chief financial officer and controller, to kick off an IT security initiative that will place a heavy emphasis on securing BI data.

"There is a tremendous amount of BI data that seems to be in the hands of a lot more employees than [there was] five years ago," Raichura said. "The average user outside of IT doesn't have a clear understanding of the implications of what they do in terms of downloading data."

In addition, the Fairfax, Va.-based real estate company has historically had "no policies on how this data is given to [employees] and what they do with it once they are given it," he added.

At the meeting, Raichura and his fellow executives decided to hire a corporate chief security officer, assess the security of each internally developed and packaged application at the company, and create a set of corporate security standards during this year and into 2007, Raichura said.

Six weeks ago, Long & Foster began to deploy a system to warn users about downloading salary and financial-incentive information to spreadsheets on desktops and laptops, he added. The new system issues a pop-up warning to users each time they attempt to download sensitive data into an unsecured spreadsheet on desktop and laptop systems, Raichura said.

Securing Spreadsheets
Don't allow users to copy reports and spreadsheets generated in a BI system into an empty spreadsheet for modification.
Put in place a header and a footer in every report delivered from the system, noting that it is authorized, unmodified and cannot be copied.
Discipline users who break corporate policy and modify reports.

Source: Gartner Inc., Stamford, Conn.

He acknowledged that the new policy does not prevent any of the company's 2,500 employees from inputting data from paper-based BI reports into an Excel spreadsheet.

"We are just beginning to bring control over [data from printed reports]," he said. "That is the one area I know we need to be very good at."

The new emphasis on security by Long & Foster IT and financial officials has been supported by a "fantastic awareness" of the issue by executives outside of IT, which was brought about mostly by recent high-profile data breaches, Raichura added.

A year ago, Long & Foster itself was the victim of the theft of a laptop from inside one of its buildings. Although the data on the machine -- requirements for a new BI system, written in Microsoft Word -- does not appear to have been misused, the theft prompted the company to establish a policy requiring all employees to take their laptops home every day.

The policy, which Raichura acknowledges may seem counterintuitive, aims to promote a sense of responsibility among users, prompting them to "guard the laptop like it is personal property."

Few Are Vigilant

Bill Hostmann, an analyst at Gartner Inc., said that while many organizations go to great lengths to secure transactional systems and Web applications, many more "do almost nothing, or a very limited amount," to protect data housed in BI applications and spreadsheets.

"[Users] may have [sensitive] data on their PC in a spreadsheet, Access database or on an unprotected/shared workgroup server," Hostmann said. "It's often the company's most sensitive data, too."

Michael Hader, director of IT at Odom's Tennessee Pride Sausage Inc., said his company is tackling BI security at the desktop log-in function and with a tool that limits the changes that users can make to spreadsheets.

The Madison, Tenn.-based company uses Microsoft's Active Directory to ensure the security of its BI reports and spreadsheets. It is building portals, customized for partners and customers, that use directory services to determine which reports or spreadsheets can be accessed by specific external users. The portal was built using BI tools from Actuate Corp. in South San Francisco, Calif.
