Microsoft’s Excel is cost-effective and easy to use, which are major draws for public sector organizations and small businesses. However, Excel has been under the spotlight over the last few months after the data breaches at the Police Service of Northern Ireland (PSNI) saw personal information inadvertently exposed in spreadsheets shared as part of a Freedom of Information (FOI) request.
The fear of another high-profile incident was so great that in September, UK regulator the Information Commissioner’s Office (ICO) issued a warning against using Excel spreadsheets when responding to FOI requests.
There’s no doubt Excel is a flexible tool for data management and analysis, but its openness can lead to security concerns and leave it vulnerable to breaches of regulation such as the General Data Protection Regulation (GDPR).
Many public sector organizations are currently using Excel to manage and analyze their data. What are the risks and benefits of doing so, and of the alternatives?
How easy is it to use Excel for data analysis?
Excel is well-known and has been around for a long time so ease of use is one of its biggest benefits, says Katie McCullough, CISO at Panzura. “Virtually everyone knows how to navigate an Excel spreadsheet and that's a huge plus when you're trying to implement a system across an organization with varying levels of technical skill.”
Excel enables a variety of data manipulations and calculations, which is why it's often leaned on for data analytics, says McCullough. It’s also specifically aimed at business users and the best Excel courses can teach employees how to use the software to dramatically improve their efficiency at work. However, she says, Excel’s accessibility can be a “double-edged sword”.
When using the tool for data management, Excel's openness can lead to significant security concerns, says McCullough. “When you're handling sensitive public sector data, the unstructured nature of Excel can make it difficult to maintain control over who has access to the information and how it's being altered.”
Auditability can also be a challenge. “If you can't track the provenance of the data or the changes made to it, you're going to run into problems when you need to substantiate your findings or decisions,” says McCullough. “While Excel is a powerful tool for analysis, its use for managing data – especially sensitive information – requires careful consideration of these inherent risks.”
While sensitive data can be easily stored in Excel spreadsheets, this can be hard to do in compliance with data protection policies and procedures. Indeed, Excel was never designed as a data management tool: It is “simply too easy” for users to expose sensitive information to unintended audiences, says Nelson Petracek, CTO at business planning company Board International.
“Data is not managed in a way that is easily controlled or secured, and users can hide information via hidden tabs and columns, embedded data elements, formatting – or even by moving it to an area outside of the normal viewpoint,” Petracek says.
“This makes it difficult to determine if sensitive data exists in a workbook or Excel application.”
Security in Excel is typically set at a workbook or worksheet level, which is “simply not a fine enough level of granularity to ensure proper data security and privacy”, adds Petracek. “It is also easy to send files over insecure channels, lose track of versions, or for files to be sent or carried outside of an organization’s firewall.”
The risk of Excel macros
Another security issue that has already been the subject of a warning by the UK’s National Cyber Security Centre (NCSC) is macros. These are action scripts used to automate tasks in Excel and are often helpful for obtaining insights within the software. But they can also negatively impact security as Blake Jeffrey, general manager, security and identity at Intelliworx, tells ITPro. “Macros are often created for legitimate reasons, but they can also be used by attackers to gain access to or harm a system, or to bypass other security controls.”
At the same time, building a proper data governance strategy and meeting compliance checks can be a challenge with Excel, says Jeffrey. “Excel lacks the specific features needed to manage complex tasks related to GDPR for example, such as data mapping, consent management, and data subject access request handling.”
The issue is not unique to UK organizations, as the US is impacted by security and data protection concerns too. “In the US and UK, public sector organizations often deal with sensitive data and Excel may not provide the level of security required,” says Jasmine Harrison, account manager at Data Protection People.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) “emphasize stringent data protection measures”, she points out.
Beyond regulation, Microsoft’s own guidance recommends using Excel for data analysis and its software Access for data management – but this is frequently ignored. Experts say Access is a more structured and secure database management system. However, Excel's familiarity and popularity can make it the go-to choice, even when it's not the best fit for data management, says Harrison.
Excel is also readily available as part of the Microsoft Office suite that most organizations already have, McCullough points out. This means that despite the best intentions of Microsoft's guidance, the “convenience and familiarity of Excel” often leads to its use in scenarios better suited for a dedicated database management system such as Access. But this doesn’t make Excel the best option in the long run once database costs, performance, and value are taken into account.
Alternatives to Excel for data management
It’s clear Excel is not fit for purpose when it comes to storing sensitive data, but what’s the alternative? While there are other options available, many of the pitfalls are the same, says McCullough. “It’s important to weigh the options against the risks, especially given the recent ICO guidance. The ICO emphasizes the importance of data integrity and security, which are critical for any organization, regardless of size.”
For smaller organizations, the key is to find solutions that maintain the simplicity and user-friendliness of Excel while offering enhanced security and data management features, says McCullough.
Google Sheets is one alternative to Excel. “It's a familiar spreadsheet environment with the added advantage of automatic Google cloud storage and version control, which is not a perfect solution, but can help with data integrity,” McCullough says. It also allows for easier control of user access, which she says “aligns somewhat” with the ICO's emphasis on data protection.
While other options are available, the likes of OneTrust might be too expensive for smaller organizations, says Harrison. With this in mind, she recommends alternatives such as DataWise, which “may be more budget-friendly in comparison”.
However, it's not just about picking a different spreadsheet tool: Organizations must understand the need for structured data management practices, says McCullough. “Even with alternatives such as Google Sheets, the principles of good data management are the same – knowing where your data is, who has access to it, and ensuring it's backed up and recoverable in the event of an incident.”
To protect your company from the next big data breach, it’s important to assess the tools you use for data management. Ease of use or employee familiarity should never come second to proper data controls.
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.