Cybersecurity ≠ Data Protection


In our world of #ransomware attacks, #hackers, #BusinessEmailCompromise, and other #phishing attacks, it's easy to focus on the cybersecurity tools and training to prevent them. But not all data loss is the result of #badactors. If your staff ever need to share sensitive information in documents, for example spreadsheets, it's vital that they fully understand the applications they're using to do so. Southend-on-Sea City Council has just suffered a major data breach via an Excel spreadsheet which was shared publicly as a result of a #FreedomOfInformation (#FOI) request.

The Council has done the right thing in reporting itself to the Information Commissioner's Office (#ICO) and has immediately started an investigation so they can learn from the incident and put measures in place to prevent it happening again in future. The details are therefore not yet available, but #Excel presents particular risks when sharing sensitive information - and here's how.

The usual culprits are either #PivotTables, hidden sheets, or even hidden rows and columns. Imagine the scenario - you have a huge amount of data that needs to be cleansed, summarised, and shared on your organisation's website. As there's sensitive information in the source data, there are a lot of people involved, and, as always, there's a tight deadline.


A. PIVOT TABLES

The easiest and most reliable way to summarise data in Excel is to use pivot tables. These days they're simple to create, look professional, and do all the hard work for you. So, you select all the source data, create a pivot table, and get to work creating the summary that's required. You ignore the columns containing sensitive information and just create a high-level summary showing total numbers per category. As the spreadsheet contains sensitive information, you copy the pivot table to a new workbook so it's just showing the summary information. Unfortunately, what many miss is that copying a pivot table also copies the entire set of source data that sits behind it so anyone who knows how to use a pivot table can add that information back into the table and see all the detail you were trying to hide.

Solutions:

  1. Train your staff in the intricacies of Excel
  2. Put a procedure in place to check exactly what is being shared
  3. Print the pivot table sheet to PDF and share that publicly, not the spreadsheet
  4. Take a copy of the source data and cleanse (delete!) all sensitive information prior to creating the pivot table summary


B. HIDDEN SHEETS

Hiding sheets in Excel takes 2 clicks and is a really simple way to remove the distraction of having too many sheets. So, the person summarising your data creates a summary and hides any sheets with source data on them. The spreadsheet gets sent to someone else for checking and publishing and unless they specifically go and check for hidden sheets they'd never know they're there. The summary looks good so the spreadsheet gets published. Again, anyone who knows how to use Excel will use 1 click to check for hidden sheets and find all your sensitive information.

Solutions:

  1. Train your staff in the intricacies of Excel
  2. Put a procedure in place to check exactly what is being shared
  3. Print the summary sheet to PDF and share that publicly, not the spreadsheet


C. HIDDEN ROWS AND COLUMNS

The most basic way to hide information in a spreadsheet is to hide columns and/or rows. It's usually fairly easy to spot hidden rows and columns if you know what you're looking for, but the originator of the sheet may have turned off the headers to make the sheet look nicer for publishing. Again, if this is the case, anyone else looking at the sheet would have no idea that hidden information existed unless they specifically checked.

Solutions:

  1. Train your staff in the intricacies of Excel
  2. Put a procedure in place to check exactly what is being shared
  3. Print the sheet to PDF and share that publicly, not the spreadsheet
  4. Take a copy of the source data and cleanse (delete!) all sensitive information rather than hiding it
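The "check exactly what is being shared" step can be partly automated. The following is an added example, not part of the original article: it opens an .xlsx file as the ZIP package it is and reports hidden sheets, hidden rows and columns, and pivot cache parts. The function names and the sample package are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_xlsx(source):
    """List content stored in an .xlsx file that is not visible on screen."""
    findings = []
    with zipfile.ZipFile(source) as z:
        # Sheets hidden in the UI ("hidden") or via VBA ("veryHidden").
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"sheet '{sheet.get('name')}' is {state}")
        for name in z.namelist():
            # A pivot cache part holds a copy of the pivot table's source data.
            if name.startswith("xl/pivotCache/"):
                findings.append(f"pivot cache present: {name}")
            # Hidden rows and columns are flagged inside each worksheet part.
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for col in ws.iter(NS + "col"):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden columns {col.get('min')}-{col.get('max')}")
                for row in ws.iter(NS + "row"):
                    if row.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden row {row.get('r')}")
    return findings

def constructed_sample():
    """Constructed package with only the parts the audit reads (not a full workbook)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><sheets><sheet name="Summary" sheetId="1"/>'
                           '<sheet name="Source" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><cols><col min="3" max="4" hidden="1"/></cols>'
                                    '<sheetData><row r="1"/><row r="7" hidden="1"/></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {ns}><sheetData/></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {ns} count="0"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("\n".join(audit_xlsx(constructed_sample())))
```

`audit_xlsx` also accepts a file path. An empty result only covers these three cases, so it supports the manual check rather than replacing it.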


There are other options available around protecting sheets and workbooks and so on, but hopefully the above has highlighted that there are more fundamental ways of working and checks that can be done to avoid data loss in this way.

It will be interesting to hear the outcomes of the investigation at Southend to see what the culprit was in this case.

If you'd like to know more or need help with how your organisation is using Excel, please get in touch.
