Assuring Information Security within End-User Computing Applications
Hackers, criminals, or even nation states may (and eventually probably will) find a way into your company’s networks. In addition, the insider threat, both unintentional and malicious, is omnipresent. Companies that have developed a strong information security/risk management framework are at the best possible advantage to reduce the potential for losses. But many overlook end-user computing applications (EUCs). That’s a problem. The reality is, many of the most significant and damaging data breaches and loss incidents have involved EUCs – especially spreadsheets.
To fully address all data risks, it is critically important to include EUCs as part of your enterprise information security architecture. Even though the problem may seem too big to address, there are steps companies can take to protect unstructured information contained within EUCs and thus minimize the potential damage to their business.
Why traditional data security strategies are no longer enough
Modern realities have made cybersecurity and information security a top concern for senior management and security professionals alike. Fighting an array of dynamic threats can be challenging, and traditional IT security tools, including firewalls, antivirus and intrusion detection systems, are simply not as effective as they once were because hackers (sometimes state-sponsored) have become more sophisticated and determined in their methods of getting around them. Add in the sheer number of devices on which information is shared and stored (desktops, laptops, PDAs, tablets and mobile phones) and the possibilities for attack are seemingly endless.
One of the softest targets is end-user computing (EUC) files, which are unstructured and may contain sensitive information such as PII or PHI. Whether the data is held in a database or a spreadsheet, breaches of it are extremely costly. New regulations such as the General Data Protection Regulation in Europe amplify those costs. Others, like the New York State DFS’s cybersecurity regulations, place “SOX-like” personal liability on senior executives. Given the magnitude of the downside, the attack surface of EUCs should be minimized, and EUCs should be made an integral part of information security planning.
The very real dangers of EUC related data loss
There are countless incidents of cyberattacks in the news, many relating to EUCs. Here are a few recent stories that illustrate just how widespread and damaging these incidents can be:
The 2014 theft of files from Sony by hackers included spreadsheets with password lists as well as sensitive information such as the salaries of employees and top executives. Not only did the breach have significant legal and financial costs; the release of this information was also a huge public relations problem and had a material impact on the company’s business. The total direct and consequential damages have been estimated by some industry experts to exceed one hundred million.
In July of 2016, it was revealed that hackers accessed spreadsheets maintained by the Democratic National Committee which contained personal information including names, phone numbers, physical and email addresses, and contribution amounts from thousands of high-profile donors.
There are many lessons to be learned from these past breaches, but perhaps the most important is how cost-effective it can be to proactively mitigate these risks before a breach occurs. As Warren Buffett once said, “an ounce of prevention is worth a pound of cure is understated… and a delayed pound of cure will need a ton of cure”.
Why EUCs often aren’t protected… but must be
End-User Computing applications (EUCs) include many application and file types (and go by many alternative acronyms, including EUCA, EUDA, etc.). The defining characteristic is that these files or applications are not controlled by IT and thus lack many of the data protections and controls that exist for enterprise applications.
Excel spreadsheets are arguably the most widely used tool for analysis, reporting, and other computational tasks. These models, tools, and spreadsheets often play a critical role in financial reporting processes across all industries. Given their ubiquity, ease of use and flexibility, spreadsheets are often used to list and manipulate sensitive data. These EUCs are highly vulnerable to data breach since they are rarely monitored or controlled.
Assessing your EUC risk is step 1
Experts recommend basing information security policies on identifying the information assets that are valuable, i.e., those whose loss would have a high impact on the business. This is preferable to attempting to secure everything, because it is impossible to cover all the assets all of the time. In the case of EUCs, the sheer number of files (often tens if not hundreds of millions) precludes encrypting them all. Systematic methods and tools are required to identify these files and risk-rank them automatically. With this quantitative information (which can be augmented with qualitative information), the prioritization of which files should receive an added layer of protection can begin.
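The automated risk ranking described above can be illustrated with a small inventory scanner. The following is an added example, not CIMCON’s tooling or any code from the original article: it walks a folder tree, reads each EUC file, counts distinct hits for a few sensitive-data shapes (SSN, payment card, e-mail, phone) and turns them into a weighted score so that the files most worth an extra layer of protection sort to the top. The detector patterns, the weights, the file-extension list and the sample CSV files it constructs are all assumptions made for the demonstration; real workbooks in binary formats would need a parser such as openpyxl, which is deliberately not used here so the example runs offline.

```python
"""Inventory and risk-rank end-user computing (EUC) files by the sensitive data
they contain. Added example: detector patterns, weights and sample files are
assumptions for illustration, not the design of any particular EUC product."""
import os
import re
import tempfile

# Detectors for common sensitive-data shapes. The weight expresses how damaging
# a leak of one distinct element of that type is judged to be (assumed values).
DETECTORS = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 10),
    "card":  (re.compile(r"\b(?:\d[ -]?){13,16}\b"), 10),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
    "phone": (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), 2),
}
EUC_EXTENSIONS = {".csv", ".xls", ".xlsx", ".xlsm", ".accdb", ".mdb"}  # assumed scope


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to discard digit runs that merely look like card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count distinct hits per detector. Counting distinct values stops one
    employee's SSN repeated on every row from inflating the file's score."""
    findings = {}
    for name, (pattern, _) in DETECTORS.items():
        hits = set(pattern.findall(text))
        if name == "card":
            hits = {h for h in hits if luhn_ok(h)}
        if hits:
            findings[name] = len(hits)
    return findings


def risk_score(findings: dict) -> int:
    """Weighted sum: many distinct records of a high-impact type rank first."""
    return sum(count * DETECTORS[name][1] for name, count in findings.items())


def rank_files(root: str) -> list:
    """Walk a share, score every EUC file, return (path, score, findings), highest first."""
    ranked = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in EUC_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            # Files are read as text (CSV exports); binary workbooks would need a parser.
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings = classify_text(fh.read())
            ranked.append((path, risk_score(findings), findings))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample share: the names, people and numbers below are made up.
SAMPLE_FILES = {
    "hr/payroll_export.csv": (
        "employee,ssn,email,phone\n"
        "Alice Example,123-45-6789,alice@example.com,555-010-1234\n"
        "Bob Example,987-65-4321,bob@example.com,555-010-5678\n"
        "Alice Example,123-45-6789,alice@example.com,555-010-1234\n"),
    "finance/expenses.csv": (
        "date,card_number,merchant,amount\n"
        "2024-01-15,4111 1111 1111 1111,Hotel,89.50\n"     # Luhn-valid test number
        "2024-01-16,5500000000000004,Taxi,23.00\n"          # Luhn-valid test number
        "2024-01-17,1234 5678 9012 3456,Lunch,12.00\n"),    # fails Luhn, not counted
    "ops/server_list.csv": "host,ip\nweb01,10.0.0.5\ndb01,10.0.0.9\n",
    "ops/notes.txt": "scratch: 123-45-6789\n",             # not an EUC extension, skipped
}


def rank_sample_share() -> list:
    """Build the constructed share in a temp directory and return (basename, score, findings)."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return [(os.path.basename(p), score, findings) for p, score, findings in rank_files(root)]


if __name__ == "__main__":
    for name, score, findings in rank_sample_share():
        print(f"{score:4d}  {name}  {findings}")
```

The ranking that comes out places the payroll export first (two distinct SSNs, e-mails and phone numbers), the expense sheet second (two Luhn-valid card numbers; the third digit run is rejected) and the server list last with no findings. Qualitative information such as who owns the file, whether it feeds a financial report and how widely the folder is shared would then adjust the order before deciding which files get encryption or access restrictions.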
Assure your ability to respond to and recover from an EUC data breach
In the aftermath of a successful attack or other data loss event, companies must enter the disaster recovery phase to ensure business continuity. Endpoint and data backup is an area of expertise unto itself. However, if that infrastructure is not in place, EUC management technology can assist in disaster recovery. As part of standard monitoring operations, the EUC management application typically retains the last version of each controlled model or spreadsheet. If the file is stolen, hit by ransomware or otherwise corrupted, the repository holds a “clean” copy that can be put back into use immediately. Having this resiliency for the business-critical subset of your company’s vast end-user computing domain is as important as it is for IT-managed systems.
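The “clean copy” mechanism described above amounts to a content-addressed store plus an integrity check against the working copy. The following added example (not code from the article or from any EUC management product) sketches it: a checkpoint copies a controlled file into the repository under its SHA-256 digest and records that digest as the file’s last clean version; verification later reports whether the working copy is unchanged, altered (corruption or encryption in place) or missing (deleted or renamed); restore puts the clean copy back. The repository layout, the method names and the constructed forecast spreadsheet are assumptions for the demonstration.

```python
"""Keep a last-known-good copy of controlled EUC files and restore it when the
working copy is altered or lost. Added example: layout and API are assumed for
illustration and are not the design of any particular EUC management product."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Streaming SHA-256 so large workbooks are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CleanCopyRepository:
    """Content-addressed store: every checkpoint is kept under its digest, and an
    index maps a controlled file's absolute path to the digest of its clean copy."""

    def __init__(self, root: str):
        self.objects = os.path.join(root, "objects")
        self.index_path = os.path.join(root, "index.json")
        os.makedirs(self.objects, exist_ok=True)
        self.index = {}
        if os.path.exists(self.index_path):
            with open(self.index_path) as fh:
                self.index = json.load(fh)

    def _save_index(self) -> None:
        with open(self.index_path, "w") as fh:
            json.dump(self.index, fh)

    def checkpoint(self, path: str) -> str:
        """Record the current version as the clean copy (after a reviewed change)."""
        digest = sha256_file(path)
        dest = os.path.join(self.objects, digest)
        if not os.path.exists(dest):          # identical content is stored once
            shutil.copy2(path, dest)
        self.index[os.path.abspath(path)] = digest
        self._save_index()
        return digest

    def verify(self, path: str) -> str:
        """'ok' if the working copy matches its clean copy, 'missing' if it is gone
        (deleted or renamed), 'modified' if its content differs, 'untracked' otherwise."""
        key = os.path.abspath(path)
        if key not in self.index:
            return "untracked"
        if not os.path.exists(path):
            return "missing"
        return "ok" if sha256_file(path) == self.index[key] else "modified"

    def restore(self, path: str) -> bool:
        """Put the clean copy back in place; False if the file was never checkpointed."""
        key = os.path.abspath(path)
        if key not in self.index:
            return False
        shutil.copy2(os.path.join(self.objects, self.index[key]), path)
        return True


def recovery_drill() -> dict:
    """Run a constructed incident end to end: checkpoint, corrupt, detect, restore,
    delete, restore. Returns the verification result observed at each step."""
    work = tempfile.mkdtemp()
    model = os.path.join(work, "forecast_model.csv")
    original = b"quarter,revenue\nQ1,100\nQ2,120\n"   # constructed sample content
    with open(model, "wb") as fh:
        fh.write(original)
    repo = CleanCopyRepository(os.path.join(work, "repo"))
    repo.checkpoint(model)
    results = {"after_checkpoint": repo.verify(model)}
    with open(model, "wb") as fh:                      # simulate in-place corruption
        fh.write(b"\x00garbage\x00")
    results["after_corruption"] = repo.verify(model)
    repo.restore(model)
    results["after_restore"] = repo.verify(model)
    with open(model, "rb") as fh:
        results["content_restored"] = fh.read() == original
    os.remove(model)                                   # simulate deletion
    results["after_delete"] = repo.verify(model)
    results["restored_after_delete"] = repo.restore(model) and repo.verify(model) == "ok"
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for step, outcome in recovery_drill().items():
        print(f"{step:22s} {outcome}")
```

Two design points matter in practice. The repository must live somewhere the working copy’s owner cannot overwrite from the endpoint, otherwise the same ransomware that encrypts the spreadsheet can encrypt its clean copy; and the checkpoint must be taken only after a change has been reviewed, since a checkpoint taken automatically after every save would faithfully preserve the corrupted version too.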
Why the time to take action is now
A cyber and information security strategy that focuses solely on keeping hackers out is destined to fail because, with the increasing volume and sophistication of attacks, it must be assumed that some will eventually penetrate the many walls. In addition, no matter how big a wall you build, it does nothing to protect you from the information security risks you face as a result of ill intentions or accidental data loss by those already on the inside. The high cost of a data breach requires that, in addition to defensive systems, you also have information security in place to further protect sensitive data. Given that sensitive data will almost always be found within an organization’s portfolio of End User Computing (EUC) applications and files, your cyber and information security strategy needs to address it. Fortunately, there are software tools available that can help you comprehensively address this in a timely and cost-effective way.
Our white paper, True Data Security, offers more in-depth information on how to assure information security within EUCs. Download it free.
About the author
Craig Hattabaugh is CEO of CIMCON Software. With 25 years of innovation, experience and knowledge, CIMCON has been the leading pioneer in EUC management and control solutions, and its technology has consistently been ranked as the market leader by third-party analysts and in customer surveys. With the largest installed client base of close to 500 companies in over 30 countries, CIMCON is today recognized as the de facto industry standard for managing EUC risk.