Your IT team just wrapped an exhaustive security test. The network is locked down. Your organization’s tech stack has MFA enforced across the board. Employees just finished anti-phishing training.
And yesterday, Bob from Finance shared Q3 revenue projections with a Google Sheets link set to "anyone with the link can edit." Bob was just doing his job in a way that works for him. Still, that doesn’t stop Bob’s Google Sheets link from becoming your entire system’s weak link.
"Insider threat" typically means a disgruntled employee stealing data. But a much more common case is well-meaning people like Bob reaching for spreadsheets because their approved tools can't do everything they need.
Maybe that beefy ERP software does 90% of the work people need to do, but that last 10% – whether it's tweaking charts or exporting PDF reports – just doesn't quite get projects across the finish line.
So people export. They pull data into spreadsheets, do that last 10%, and then maybe — maybe — update or reconcile the official system later. That spreadsheet is still out there, floating around for anyone who has the link. Let’s call this a ‘shadow spreadsheet’.
Here at Grist Labs we see IT teams dealing with shadow spreadsheets on a daily basis. We’ve built an open-source spreadsheet-database to kill these shadows, but more on that later. First, let’s look at why shadow spreadsheets are a real problem.
How a shadow spreadsheet becomes a security risk
When teams move critical data to spreadsheets, we usually see one of two scenarios, both less-than-ideal:
Oversharing by default
Someone creates a master spreadsheet for collaboration. They set sharing to “anyone in the organization with this link” and send it en masse to everyone in a Slack channel.