Many of us would, if asked, be able to list a few common computer security risks – viruses inadvertently downloaded with files from sharing systems, malware payloads in emails, “phishing” websites and malicious links in messaging apps. However, the creators and users of malware have many more surreptitious entry points into a computer system that might not be so obvious. For instance, office software, such as spreadsheets, commonly uses scripts to carry out sophisticated calculations, and these scripts or macros can be abused by third parties with access to the spreadsheet.
A diligent information technology (IT) department at a company or organisation will ensure that its users are using the latest, most secure versions of any software on the system and that antivirus, malware protection, and firewalls are in place. Moreover, it will preclude the downloading and installation of non-verified software. However, not all IT departments are diligent all of the time, and users needing a workaround for a particular problem may well install third-party or older software on their personal computer and potentially leave the whole corporate computer system open to attack by malicious third parties.
Writing in the International Journal of Business Information Systems, a team from Serbia describes the findings from a structured questionnaire of computer users focusing on spreadsheet use. Lazar Raković, Marton Sakal, Stojanka Dakić, and Jovica Đurković of the University of Novi Sad in Subotica found that most users see spreadsheets as important in their jobs and to the functioning of an organization. However, few of their respondents seemed aware of the risks associated with spreadsheet use. These risks are not confined to malicious scripts but also include spreadsheet errors, credibility, security, data abuse, and poor analysis.
Other problems, including a lack of version control, inadequate user qualifications, a lack of spreadsheet development guidelines, loss of data, breach of legal regulations, and unauthorised access to data, all add to the putative risks associated with spreadsheet software in an organization. This is particularly worrying if that software is being installed and run as “shadow IT” rather than under the oversight of the IT department.
The obvious answer to the insidious problems is for organizations and companies to have a well-defined spreadsheet risk management strategy, to adopt appropriate standards and rules, and to better educate their users regarding the risks of shadow IT.
Raković, L., Sakal, M., Dakić, S. and Đurković, J. (2022) ‘Spreadsheets: risk from the shadow’, Int. J. Business Information Systems, Vol. 41, No. 1, pp.1–19.