In January, BlackRock accidentally leaked confidential sales data by posting spreadsheets insecurely online – certainly not the first time we’ve seen sensitive information “escape” an organization. Incisive CEO Diane Robinette provides guidance companies can follow to minimize spreadsheet risk.
Several weeks ago, the world’s largest asset manager, BlackRock, accidentally posted a link to spreadsheets containing confidential information about thousands of the firm’s financial advisor clients. As reported by Bloomberg News, the link was inadvertently posted on the company’s web pages dedicated to BlackRock’s iShares exchange-traded funds. Included in these spreadsheets was a categorized list of advisors broken into groups identified as “dabblers” and “power users.”
While BlackRock was lucky that no financial information was included in these spreadsheets, it is still left to deal with reputational damage. For the rest of us, this breach brings an important issue — spreadsheet risk management — back into the spotlight.
Despite years of rumors predicting the demise of spreadsheets, they are still widely used by businesses of every size. And why shouldn’t they be? Beyond providing an easy way to categorize clients and business partners, spreadsheets continue to meet the analytical needs of finance and business executives. They are especially useful for analyzing and providing evidentiary support for decision-making and for complex calculations where data is continuously changing. Yet, as we’ve seen time and time again, spreadsheets represent continued exposure to risk.
Accidentally clicking on the wrong spreadsheet is an easy mistake to make, especially when all documents are stored and treated equally. For example, it may seem obvious that a confidential spreadsheet should not sit alongside a football or Oscars pool spreadsheet, yet sometimes they do. When this happens, in a rush, it’s easy to click on the wrong spreadsheet and hit “send” or “post” before realizing the error. Putting policies in place that dictate such things as where confidential spreadsheets are stored is a good start. However, policies and procedures alone are simply not enough. Technology that enforces these policies and limits spreadsheet access to only authorized users is critical to stopping spreadsheets from escaping.
In an effort to gain control over spreadsheet risks, it’s not uncommon for companies to focus on change management. And while there is great value in the ability to track who changed what, when they changed it, etc., change management alone is also not enough.
It’s essential to put controls around spreadsheets that allow policies to be set and enforced and to dictate such things as who can access a spreadsheet or whether a spreadsheet can be saved outside the system. Spreadsheet risk management technology cannot entirely prevent scenarios like the BlackRock one from happening (yet). However, the ability to house critical spreadsheets in a controlled environment, along with policies and procedures, can make these situations less likely.
Human error is always a liability. And while technology alone isn’t the answer, the right technology will provide the visibility and transparency to ensure you’re doing the right things. Implementing controls to manage the risks associated with business-critical spreadsheets will help keep companies from becoming the subject of embarrassing or devastating headlines.