Print this article | Return to Article | Return to CFO.com
Will security problems render the format obsolete?
John Edwards, CFO.com | US
November 13, 2006
Lurking inside the boxes of a spreadsheet can lie some of a company's most precious and confidential financial data. While keeping that data secure is crucial, however, well-oiled finance departments often need to make it widely visible within their corporations.
Indeed, keeping the data contained within spreadsheets secure and free from malicious meddling is fast becoming a major challenge for CFOs bent on using them for effective data communication. "It's a matter of balancing information security against the need for open and collaborative access," says Guillermo Kopp, an analyst at TowerGroup, a financial industry research company based in Needham, Mass.
But help is on the way: simple yet powerful password and encryption tools can be used to lock down spreadsheets and other financial modeling documents. Google Spreadsheets, for instance, uses a basic Web services-based approach that limits document access to people who are specifically invited via E-mail.
A more sophisticated way of safeguarding data is to segment spreadsheet models into individual objects that limit user visibility to specific areas. "There's definitely a concern, particularly when it comes to the more sensitive financial information, that users can only see what they're authorized to see," says Max Kay, chief executive officer of KCI Computing, a Torrance, Calif., spreadsheet software developer. Spreadsheet products from companies like KCI and Portland, Me.-based Quantrix support a model-based security approach.
For its part, Microsoft recommends Excel spreadsheet sharing via Excel Services, a part of its new SharePoint Server 2007 collaborative computing platform. "The functions offered in Excel Services, particularly being able to lock down and hide data for specific groups of users, are highly flexible and can be personalized for individual sets of users," says Tom Rizzo, director of SharePoint technology, for Redmond, Wash.-based Microsoft.
On the other hand, passwords and encryption won't provide unbreakable protection if the computer itself is lost or stolen. While laptops are most at risk, desktop systems are also vulnerable, often tossed into the trash while still storing sensitive spreadsheets. "That's why a physical security plan is as important as a data protection strategy," Kopp says.
An even bigger security problem than keeping snoops out of spreadsheets: ensuring document integrity. Software developers now realize that they need to provide features into that prevent enterprise workers and partners from accidentally or intentionally entering incorrect data into shared spreadsheets. "If you believe you are safe by using encryption or passwords and then discover that the information has been altered or made inconsistent, it's evident that you don't have the necessary protection," Kopp says.
Yet ensuring spreadsheet accuracy is turning out to be an elusive goal for many software publishers. Excel, for example, lacks the ability to audit changes within individual spreadsheets—although an audit log can record various spreadsheet user "events." Such events include opening, modifying, or deleting files.
Kopp believes that the only sure way to ensure spreadsheet security and accuracy is by switching to business intelligence (BI) technology. "Get all the flexibility in a more structured financial information repository," he says. Unfortunately, most BI applications provide a highly structured front end that lacks the spreadsheet's flexibility and easy portability.
Spotting an unaddressed market, BI vendor Actuate is now offering e.Spreadsheet, a financial modeling application designed to combine the company's BI technology with a spreadsheet-like document that can be shared across enterprise firewalls.
To ensure data accuracy, the system automatically cross-checks data entered by users with information stored on enterprise servers. "We make sure that the data that goes into the spreadsheet is correct and scoped to the role or the responsibility of the user," says Jeff Morris, product marketing director for the South San Francisco, Calf.-based software developer. "We're trying to eliminate that case where the end users are either making up the data as they go or copying and pasting it from somewhere else," he says. "Everybody gets a consistent view of the data, because there's one set of queries that are run against the back-end data sources."
So are the day of the spreadsheet numbered? "For sensitive information, BI is definitely the way to go," Kopp says. "For everything else, the spreadsheet will join other informal tools such as calculators and pencils and pads."