InsuranceERM Annual Awards 2017 - UK & Europe

Don't let them take away your spreadsheets!

Craig Hattabaugh, CEO of Cimcon Software, speaks about how firms continue to struggle with adequately controlling the risks associated with spreadsheets and other end-user applications.

Craig Hattabaugh, CEO, Cimcon Software

Spreadsheets have been around forever; how much operational risk are we really exposed to?

For the vast majority of EUC use, there is very little operational risk. But for about 1% of the cases, where an EUC – such as a spreadsheet – is used in a critical business process, then the operational risks are significant. There are documented operational losses in the billions of dollars. That's an extreme loss, but millions and tens of millions of dollars of losses, due to an issue with an EUC in a critical business process, are very commonplace. There are literally hundreds of publicly documented examples and even more that are not public.

What are the common challenges in trying to manage EUC risk?

Spreadsheets are ubiquitous. So when it comes to governance and more effective controls, there are two big challenges. The first is identifying those 1% of your spreadsheets that every firm should be worrying about. For example, one company we are working with has over three thousand departmental file shares. So the critical 1% are stored across 3,000 locations which makes finding and classifying the key spreadsheets a challenge.

Second, once they are found, firms struggle to maintain effective controls. End users are not risk people and they all have their day job. Very often it is difficult for them to comply with a manual risk mitigation process. This is where technology can help – both to identify critical spreadsheets, and to provide automated controls for more effective governance.

In what ways do EUCs impact the overall approach to information security?

Sensitive information, whether it is in a structured database or in an unstructured EUC, needs to be protected. Accordingly, firms must have effective controls on EUCs. The typical corporate database containing sensitive data is encrypted – the average spreadsheet is not.

If an EUC containing sensitive information is not encrypted then, at a bare minimum, it needs a strong password. However, it's often up to the end user to devise a password and thus it's difficult to enforce password discipline. Furthermore, when a spreadsheet is used in a critical business process, that business process is often repeatable and it's used by more than one person. Although no one's corporate policy allows this, it's common practice that many people will share the same password on such a spreadsheet.

Something as mundane as password discipline is important if you are not providing encryption at the corporate level (which most companies do not do). Technology can ensure that EUCs containing sensitive information have strong passwords. The technology can also be configured so that critical EUCs will not work outside the corporate firewall, further reducing the risk of data loss.
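An added example, not Cimcon's product or code from the interview: a Python script that inventories a file share for spreadsheets and flags those stored as plain OOXML packages, i.e. with no encryption at all. It assumes that an OLE container holding an "EncryptionInfo" stream is a password-protected workbook (that is how Office wraps encrypted .xlsx files) and does not analyse legacy .xls protection; the sample files are constructed in a temporary directory, and the "encrypted" one is only a stub carrying that stream marker.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Unencrypted OOXML (.xlsx) is a ZIP archive; encrypted OOXML is wrapped in an
# OLE2 compound file that contains an "EncryptionInfo" stream.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entry names are stored as UTF-16LE, so search for that encoding.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
SPREADSHEET_EXT = {".xlsx", ".xlsm", ".xls"}

def classify_spreadsheet(path):
    """Return 'encrypted', 'unencrypted', 'legacy-ole' or 'unknown' for one file."""
    data = Path(path).read_bytes()
    if data.startswith(ZIP_MAGIC):
        return "unencrypted"      # plain package: anyone with read access can open it
    if data.startswith(OLE_MAGIC):
        if ENCRYPTION_INFO in data:
            return "encrypted"    # password-protected OOXML inside an OLE wrapper
        return "legacy-ole"       # binary .xls; FILEPASS record check not implemented
    return "unknown"

def inventory_share(root):
    """Walk a share and return (path, status) for every spreadsheet found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SPREADSHEET_EXT:
                findings.append((str(p), classify_spreadsheet(p)))
    return findings

def make_sample_share(root):
    """Constructed fixtures: one plain .xlsx and one stub mimicking an encrypted one."""
    root = Path(root)
    with zipfile.ZipFile(root / "budget.xlsx", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    # Hypothetical encrypted workbook: OLE magic, padding, then the stream name.
    (root / "payroll.xlsx").write_bytes(OLE_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO)

def demo():
    """Build the constructed share in a temp dir and return {filename: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_share(tmp)
        return {Path(p).name: status for p, status in inventory_share(tmp)}

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:12} {name}")
```

Files reported as "unencrypted" are the candidates for the password or encryption control described above; "legacy-ole" files need a separate check.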

What industry trends are driving demand for your solution?

The EU's General Data Protection Regulation (GDPR) is a significant issue. In the first half of this year, corporations will focus on ensuring they are compliant with GDPR in time for the May deadline. In general however, most of the compliance effort is focused on the IT managed applications and enterprise databases.

My prediction is that in the back-half of 2018, and moving into 2019, people will start to shift their GDPR compliance focus towards the world of end-user applications/computing. We have some customers piloting the use of our technology to help in GDPR compliance right now. They are assessing their EUC risks and making sure they have the appropriate level of controls.

How are you planning on evolving your solution to meet industry needs?

In our research and development, we're looking at applying machine learning and artificial intelligence to help find errors within an EUC that a human cannot detect. Our mission is to help firms proactively prevent EUC errors. When something small goes wrong with a spreadsheet, the consequences can be material. Really big, bad things can happen when something small goes wrong in a spreadsheet. Finding, fixing and preventing errors is the common thread across all of our EUC discovery and control functionality – it is the focus of everything related to reducing EUC risk.
