Spreadsheets in the enterprise, considering integrity (pt 2/5)
Posted on 17, March 2014
in Category bsg insight
This post is part of a series considering the security implications of using Excel / spreadsheets for decision making. At a macro level, it is about applying a framework (CIADA) as a lens reflecting on how standalone, general tools have considerable security constraints.
The initial observations that led to this post can be found here.
Modifying the data in a sensitive data set is a huge risk. It is potentially ruinous to the result in its entirety, and in the context of a decision support system it is the kind of thing that people lose jobs, homes and businesses over. Shockingly, people may even want to do this for selfish and malevolent reasons… and in an Excel world they can do this without a trace (almost - which is a thought for another post).
The threat is multi-dimensional:
1. Altering a data element directly - like lowering your own sales target in the evaluation sheet
2. Altering referenced data - linking your sales total to salesman of the year Bob’s total
3. Removing key data points - deleting Bob’s biggest sales account entirely
4. Inadvertent modification of data / formulae while navigating, making other changes, etc.
5. The list goes on...
There are complex tools within Excel and, if you speak “formulae” and can trace through multiple sheets simultaneously, then you’re all good: you could find the modifications. Which is cool, right? What could possibly go wrong? Well - how do you know you’ve found them all? How long have you got to do the searching and fixing? And most importantly, how do you even know that there is a data integrity problem in the first place? On top of all this, the “business case” for Excel is usually that it is quicker, but by the time you’ve done all of this digging, that business case no longer stacks up.
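One way to answer "how do you even know there is a problem?" is to compare the workbook against a known-good baseline and classify each difference along the lines of the threat list above. This is an added example, not code from the original post; it assumes cell contents have already been exported to a dict of address to stored value or formula, and the sample data, function names and finding labels are constructed for illustration.

```python
import hashlib
import json
import re

# Constructed sample data: cell address -> stored content ("=" marks a formula).
BASELINE = {
    "Sales!B2": 120000,          # Bob's biggest account
    "Sales!B3": 45000,
    "Sales!B4": "=SUM(B2:B3)",   # Bob's total
    "Sales!C4": "=SUM(C2:C3)",   # your total
    "Eval!B2": 150000,           # your sales target
}
CURRENT = {
    "Sales!B3": 45000,
    "Sales!B4": "=SUM(B2:B3)",
    "Sales!C4": "=Sales!B4",     # re-pointed at Bob's total
    "Eval!B2": 90000,            # target lowered
}

# Simplified A1-style reference matcher (assumption: no R1C1 or named ranges).
REF = re.compile(r"(?:[A-Za-z_]+!)?\$?[A-Z]{1,3}\$?\d+")

def is_formula(v):
    return isinstance(v, str) and v.startswith("=")

def digest(snapshot):
    """Order-independent fingerprint: one comparison says whether anything changed."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def classify(old, new):
    """Return {cell: finding} for every cell that differs from the baseline."""
    findings = {}
    for cell in sorted(old.keys() | new.keys()):
        a, b = old.get(cell), new.get(cell)
        if a == b:
            continue
        if a is None or b is None:
            findings[cell] = "added" if a is None else "removed"
        elif is_formula(a) and is_formula(b):
            same = set(REF.findall(a)) == set(REF.findall(b))
            findings[cell] = "formula-changed" if same else "references-changed"
        elif is_formula(a) != is_formula(b):
            findings[cell] = ("formula-replaced-by-value" if is_formula(a)
                              else "value-replaced-by-formula")
        else:
            findings[cell] = "value-changed"
    return findings

if __name__ == "__main__":
    print(digest(BASELINE) != digest(CURRENT), classify(BASELINE, CURRENT))
```

The check is only as trustworthy as the baseline, so the baseline snapshot and its digest need to be stored somewhere the spreadsheet's editors cannot write to.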
Of course, transactional enterprise systems of any type are also vulnerable to data threats. The difference is that an enterprise system is layered: the data source and the reporting are separated, which is not the case in Excel.
To repeat the rallying cry: use common sense, think about the data you are handling, analysing and modelling, and use the appropriate systems and countermeasures to make your work simple while minimising the risk of breaches. Easy, right?
Stuart is a Principal Consultant at BSG (UK). Stuart has led several large systems development projects using a variety of delivery methodologies (agile, waterfall, iterative) on time, on budget and to specification. He is the lead on our Distributed Development service.