Spreadsheet Risk Management: A Real-Life Cautionary Tale

Almost every company in the world depends on hundreds or thousands of spreadsheets every day. This makes spreadsheet risk management a critical business concern, with significant consequences if not addressed comprehensively and consistently.

The Liverpool University Hospital Foundation Trust (LUHFT) in the United Kingdom (UK) just learned this lesson the hard way. As reported on February 9 by the Liverpool Echo, the Trust accidentally shared the salary details of some 14,000 UK National Health Service (NHS) employees with hundreds of managers.

Those managers received a single spreadsheet as an email attachment. In his apology for the unintended data breach, Trust chief executive James Sumner said, “The spreadsheet file included a hidden tab which contained staff personal information. Whilst it was not visible to those receiving the email, it should not have been included in this spreadsheet.” 

Indeed. As everyone who has ever created or used a spreadsheet knows – or should know – “hidden” is only hidden from view. A tab may not be visible, but the information in it is still easily accessible. Worksheets, columns, rows, and cells that are hidden are just as easily unhidden. As are spreadsheets protected by human-set passwords. There are numerous, widely available programs specifically created to break Microsoft Excel spreadsheet passwords.

The not-so-well-hidden tab in the accidentally emailed spreadsheet included multiple pieces of personally identifiable information (PII). These included NHS staffers’ names, addresses, birth dates, National Insurance numbers (equivalent to Social Security numbers in the US), genders, ethnicities, and salaries. In his apology, Trust CEO Sumner said the spreadsheet did not include bank account details, and the event “has been assessed by the Trust as being low risk to individuals.”

It may or may not be appropriate for the Trust to determine whether this breach is actually “low risk.” However, US-based data analytics and consumer credit reporting company Experian has said publicly that some 40 percent of consumers worldwide have been victims of online identity theft. This translates into billions of dollars of fraud annually – definitely a big business.

And make no mistake – spreadsheets are just one source of what many refer to as end-user computing (EUC) risk. The explosive proliferation of low-code/no-code development platforms has created legions of citizen developers. They are developing and deploying applications that interact with core business systems and data, but often have little to no oversight to ensure adequate compatibility or security. A similar trend is emerging with the growing use of open-source tools and technologies.

The LUHFT incident was as preventable as it is and will be as damaging to the Trust’s reputation and disruptive to its operations. Spreadsheet risk management and EUC risk mitigation begin with understanding and acknowledging their significance and pervasive nature, starting with executive leadership. Those leaders must then learn, implement and require adherence to best practices for management and mitigation of spreadsheet and EUC risk. They must also adopt policies, processes, and technologies that promulgate and enforce those practices and quickly and effectively identify and address instances of non-compliance. Only a comprehensive, consistent approach will adequately minimize and mitigate the risks associated with the spreadsheets and other end-user tools that increasingly run today’s modern businesses.

Diane Robinette is CEO of Incisive, makers of solutions for managing and mitigating risks associated with spreadsheets and other end-user computing (EUC) tools and maximizing their business value. 

Mitgate Risk. Accelerate Innovation.
Grow Opportunities. With Incisive Software.