The Risky Side of Unmanaged Spreadsheets

For years enterprises have attempted to move away from spreadsheets in favor of enterprise resource planning (ERP) systems, accounting systems and various other software systems and applications. Yet, no matter how hard organizations try, it seems spreadsheets will not go away.

Besides being easy to use and accessible, people are comfortable working with spreadsheets. When they have a job to do, spreadsheets are there—not waiting for IT. Yet when left unmanaged, the risks associated with spreadsheets can prove costly, resulting in bad business decisions, regulatory penalties, and even lawsuits. In some instances, unmanaged spreadsheets are costing organizations millions of dollars.

For example, last October a spreadsheet mistake cost Tibco shareholders $100 million during a sale to Vista Equity Partners. Goldman, Tibco’s adviser, used a spreadsheet that overstated the company’s share count in the deal. This error led to a miscalculation of Tibco’s equity value, a $100 million savings for Vista and a slightly lower payment to Tibco’s shareholders.

Earlier this year it was discovered that the Lubbock Housing Authority mistakenly posted applicants’ personal information on its website. In a rush to get the spreadsheet online before the holiday break, staff inadvertently posted the wrong file. As a result, the names, addresses, complete social security numbers and estimated incomes of applicants appeared online for all to see.

Then there was the case of Bulkhead Beef. The company filed a federal complaint against rival meat purveyor Revere Meat Co. for taking key competitive information, including its most valuable data, found within its yield formula spreadsheet. While one case involved theft and the others appear to be fat-finger errors, these cases confirm that, left unmanaged, spreadsheets expose organizations to risk.

Despite the risks associated with spreadsheets, however, they remain a critical analysis tool for enterprises large and small. In the coming years, spreadsheets can be expected to grow in size and complexity. This means the challenges of managing them, and the associated risk, will only increase.

Why spreadsheets remain relevant

For years, businesses have attempted to do away with spreadsheets in favor of ERP systems, which offer the controls necessary to minimize risk. In today’s global economy where outsourcing is the norm and M&A activity is high, however, there is a lot more collaboration. The complexities associated with integrating data between multiple ERP systems make spreadsheets an appealing option for analysis. Disparate ERP systems don’t work together; therefore, rather than waiting on IT, spreadsheets are being used as the point of integration. Once data is exported to an Excel spreadsheet, however, the controls in place are gone. There is no way to monitor changes, control access, or ensure that errors or risks were not introduced into the process.

While there are many cloud-based applications businesses can purchase to replace spreadsheets, the reality is that spreadsheets remain a reliable standby. When business shifts and an application that was purchased no longer fits, or an analysis is requested that the application doesn’t provide, the ability to export data to Excel is a reliable option that business users continue to turn to. While there are risks, they are willing to take them to get the job done. Fortunately, technology advances are enabling enterprises to overcome spreadsheet complexities. Automated risk and analysis solutions provide much needed insight into potential risk and errors that may be hiding in spreadsheets. Yet many organizations don’t use spreadsheet management solutions simply because they are unaware this technology exists.

Taking the risk out of spreadsheets

Taking a methodical approach to understanding where risks may hide is the first step in managing spreadsheets across an organization. Spreadsheet management solutions offer detailed insight into spreadsheets, regardless of where they reside on a network or how many exist. These solutions provide visibility into who is working on a spreadsheet, how many people are working on it, when something changes, what changed, and who made those changes. The ability to monitor and track this information over a period of time provides valuable insight into whether policies are being met, while making it significantly easier to identify potential risk.

For even greater transparency and risk management, many spreadsheet management solutions will allow threshold alerts to be set if certain changes occur, such as changes to commission percentages or diluted shares. These red flag-type alerts can be customized to meet certain criteria and can be as basic or detailed as necessary. Thresholds also can be set to alert auditors to disparate currency and tax changes; this information is especially useful when dealing with global mergers and acquisitions. Threshold alerts serve as automated checks and balances to ensure that inaccuracies are not missed. For example, had an alert been set to notify auditors when the number of shares was changed in the Tibco case, this issue could have been avoided.

Threshold alerts also could have prevented the Bulkhead Beef and Lubbock Housing Authority (LHA) situations. There is significant value in understanding the data lineage and being alerted when things just don’t appear right. If people are downloading documents and information that is not within their job responsibilities, or there is a sudden increase in the amount of data being viewed or pulled that is inconsistent with past access, for example, having an alert system in place can help enterprises stop potentially damaging situations before they occur.
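The threshold alerts on monitored cells described above, as an added example that is not from the original article or from any vendor's product: it compares two saved versions of a workbook and reports which monitored cells moved beyond their allowed tolerance and who changed them. The cell addresses, values, user names and limits are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    cell: str              # monitored cell address (hypothetical layout)
    label: str             # human-readable name used in the alert
    max_rel_change: float  # allowed relative change; 0.0 alerts on any edit

def is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def check_changes(before, after, rules, changed_by):
    """Compare two snapshots of monitored cells and return a list of alerts."""
    alerts = []
    for rule in rules:
        old, new = before.get(rule.cell), after.get(rule.cell)
        if old == new:
            continue
        if not (is_number(old) and is_number(new)):
            # Deleted cell, or a number replaced by text: always escalate.
            reason = "value missing or no longer numeric"
        elif old == 0:
            # Relative change is undefined against a zero baseline.
            reason = "changed from a zero baseline"
        else:
            rel = abs(new - old) / abs(old)
            if rel <= rule.max_rel_change:
                continue  # within tolerance, no alert
            reason = f"changed {rel:.2%} (limit {rule.max_rel_change:.2%})"
        alerts.append({"cell": rule.cell, "label": rule.label, "old": old,
                       "new": new, "by": changed_by.get(rule.cell, "unknown"),
                       "reason": reason})
    return alerts

# Constructed sample data: two versions of one workbook plus its audit trail.
RULES = [Rule("Deal!B7", "diluted shares", 0.0),
         Rule("Deal!B9", "commission percentage", 0.05),
         Rule("Deal!B12", "tax rate", 0.0)]
BEFORE = {"Deal!B7": 100_000_000, "Deal!B9": 0.0500, "Deal!B12": 0.21}
AFTER = {"Deal!B7": 104_000_000, "Deal!B9": 0.0505}  # B12 was deleted
CHANGED_BY = {"Deal!B7": "analyst1", "Deal!B9": "analyst2"}

if __name__ == "__main__":
    for alert in check_changes(BEFORE, AFTER, RULES, CHANGED_BY):
        print(alert)
```

The share count and the deleted tax-rate cell raise alerts, while the small commission edit stays within its 5% tolerance and is not reported.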

Spreadsheets aren’t going away

Spreadsheets can be found nearly everywhere within a company. Excel spreadsheets continue to meet the analytical needs of companies today, especially when it comes to analyzing and reporting financial results and providing evidentiary support for decision-making. They are used for managing forecasts, inventory levels and much more.

It is clear that spreadsheets are not going away. Until enterprises wake up to this reality, news stories will continue to appear detailing the latest spreadsheet disaster. There are user-friendly enterprise offerings available for managing spreadsheets. With the right infrastructure, transparency and governance can be achieved, and costly errors and unwanted headlines avoided.

 

Guarding Against PoSeidon and Other Point-of-Sale Breaches

According to Cisco’s Security Solutions team, there is a new malware family targeting point-of-sale (PoS) systems, infecting machines to scrape memory for credit card information and send the payment card data to servers for harvesting and, likely, resale. This malware, which the group has nicknamed PoSeidon, works like this:

Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PCWorld reported, PoSeidon communicates directly with external servers and can update itself automatically, and also has defenses against reverse engineering.

PoS malware using the “memory scraping” technique also caused the Home Depot and Target data breaches. In the latter, hackers were able to save names, credit card numbers, expiration dates, security codes from the backs of cards and encrypted PINs when at least 40 million customers swiped at in-store registers.

“The new PoSeidon malware has retailers on alert, particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is,” said Andrew Avanessian, EVP of consultancy and technology services at security firm Avecto. “It is also prompting many to ask, what will it take to get ahead of these attacks?”

Avanessian believes the answer is clear: a more defense-in-depth approach to security. “While perimeter technologies like firewalls can prevent against certain types of external attack, it cannot block malware that has already found its way onto endpoints within an organization,” he explained.

“With a multi-layered security strategy that incorporates solutions like patching, application whitelisting and privilege management, organizations can more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation.”

As I wrote in the March 2014 issue of Risk Management, the adoption of EMV chip technology presents one of the most promising ways to increase PoS security. Already common in Europe, EMV technology—named for its founders, Eurocard, MasterCard and Visa—utilizes embedded chips that, unlike magnetic strips, make it nearly impossible to counterfeit cards. In Europe, 81% of cards have EMV chips, and countries that have adopted the technology saw sharp declines in credit card fraud. Meanwhile, the United States accounts for 27% of worldwide credit transactions, but sees 47% of card fraud.

As organizations roll out chip-and-PIN technology across the country, these breaches may start to decline, Avanessian agrees, but he urges a more holistic approach to fighting PoSeidon and other PoS malware. “EMV (or chip-and-pin) will absolutely help stop card fraud, however, retailers should not become complacent and think this is the silver bullet they have been waiting for,” he said. “Yes it will help stop fraud once the details have been stolen, but it does not stop businesses from being breached. Companies gather a huge amount of data about their patrons, such as names and addresses, and this data is still valuable to fraudsters.

Unless retailers take a multi-layer defense-in-depth approach to security, they will still get breached.”

To prevent consumers from losing and shopping elsewhere, Avanessian believes it is critical to evolve the means of combatting cyberattack just as the means of hacking has changed. “In our experience, retailers are still relying on antiquated ‘detection’-based technologies to keep the bad guys out. They all spent hundreds of thousands of dollars on detection, yet they still get breached,” he said.

“The world has changed, the players have changed, cyberattacks are now a trillion dollar industry—the approach has to change.”