September 2017 NPFM Meeting: Spreadsheet Security Techniques

NPFM

Summary:
Scott Hagerty presented on how improve spreadsheet security using tools like Microsoft Excel and Google Sheets. He discussed and demonstrated methods to protect specific data or the entire spreadsheet. He also presented strategies for protecting the integrity of the data with conditional formatting, data validation rules, linking data from various sources, and other advanced spreadsheet tips.

Presenters:
Scott Hagerty is currently an IT Manager with Insource.  He is an experienced technical professional with an extensive background in software applications and hardware, workstation, server, and network-related troubleshooting.  At Insource he is responsible for managing the technical needs of his clients and drawing upon his knowledge of Windows and Mac environments to design and implement projects and solutions that best fit their specific needs.

Topics Covered During the Presentation

  • Excel vs. Google Sheets
  • Spreadsheet design
  • Spreadsheet security
  • Data integrity, protection from unintentional errors

Excel vs. Google Sheets

Excel’s advantages and features:

  • It’s the de facto standard spreadsheet application;
  • It includes powerful tools, especially in terms of macros & scripting;
  • It’s designed to function offline;
  • Excel can handle enormous datasets;
  • It’s able to link data between sheets and documents, and share selectively.

 

Google Sheets’ advantages and features:

  • It’s cloud-based: You don’t need to worry about backup, transporting files between computers, and keeping track of multiple versions;
  • Multiple people can collaborate on the same document simultaneously;
  • Files and data can be manipulated quickly and simply;
  • It covers most common Excel functions;
  • Like Excel, it can link data between sheets and documents, and share selectively.

 

Spreadsheet design recommendations

  • Show your work: That is, be explicit, label everything, and keep your steps visible.
    • Use titles — be descriptive;
    • Keep calculation components visible and label them clearly;
    • Be explicit – don’t hide too much in formulas lurking inside cells.
  • Be consistent in formatting. When possible, use templates and standardize reports.
  • Use color fill (pastels are easier on the eyes?)
    • To highlight important values or totals;
    • To communicate purpose to others.
  • Break down figures into comprehensible pieces, and use comments in nearby cells to let other users know what they’re looking at.

 

Spreadsheet security: Sharing and folder permissions

  • On a traditional file server, sharing is generally managed by mapping drive letters to different shares on the server.
    • Each user has drives mapped to home, shared, and public network shares;
    • Work with your IT department to tailor the system to your particular needs.
  • With cloud-based file sharing, such as Box, Dropbox, and Google Drive, there are additional considerations.
    • Internal sharing, within your organization, is managed by setting access levels on shared folders and files;
    • Sharing with external users who have their own accounts can be managed by granting specific permissions (such as download, upload, edit, view) to particular folders and files.
    • Options are fewer for sharing externally with users who lack or don’t want an account.
      • You can set the link to expire after some amount of time;
      • You can password-protect a file.
    • Caution: Read-only does not hide information within your spreadsheet. It only prevents changes from being saved.
  • Encrypted files and email
    • Email is very commonly used for external collaborators. Email is not necessarily secure.
    • Encrypted email is a more secure option. With this, the entire message is encrypted from end to end. To decrypt the message,  the receiver signs in through a secure portal. The system is usually set up by your IT department. You can create a method for signaling when a message is encrypted — for example, by putting a tag in the subject;
    • You can attach an encrypted folder, using zip or another archive format. An attached folder can hold several files, requires a password to unlock. It’s recommended that you provide the password through an entirely separate medium–that is, not email.
    • You can also lock or encrypt an Excel file. A password is required to unlock it, but the password can be “brute forced,” since there’s no mechanism to stop someone from trying an unlimited number of passwords.
  • Protecting & locking spreadsheets
    • You can protect a sheet within a workbook, or protect the entire workbook. This makes the sheet or workbook read-only. However, even if a sheet is locked, a reader is free to unhide hidden cells or ranges. When you protect a sheet, it prevents someone from saving changes to the same file.
    • You can protect a sheet with or without a password. If you’re mainly concerned about inadvertent changes, forgo the password.
    • When protected, the default is for every cell to be locked. If you want to allow editing of specific cells or ranges, you can manually reformat them as unlocked.
    • You can allow users to edit specific ranges with a password you provide, while the rest of the sheet remains locked. For someone to change the requirement on a range, they would need the password for the entire sheet.
    • You can track changes, which creates a record of changes made to the workbook, and allows a reviewer to accept or reject each change.

 

Data integrity: Preventing errors through spreadsheet design

  • Leave raw, source data that you want to remain unaltered in a separate, protected sheet to prevent accidental changes;
  • If data will be frequently referenced, use named ranges for transparency and easy adjustments in the future;
  • When performing calculations, use summary sheets or an additional row or column to reconcile, using control totals. For example, sum subtotals to expose any discrepancies from expected total values.
  • If preparing sheets for others to modify:
    • Enact data validations or warnings;
    • Protect or lock sheets, ranges, and cells to allow changes only where desired;
    • Hide sensitive data, either within the spreadsheet, in a separate protected sheet, or via an external link to a protected file.
  • Name commonly referenced ranges:
    • Doing so simplifies interpretation of formulas, especially when using VLOOKUP functions;
    • It also allow you to easily expand and contract ranges, for example, if you need to add additional rows or columns for time-based values.
    • When using ranges, a single change will affect all formulas referring to range.
  • Link your data:
    • Within a workbook, references are generated automatically;
    • Between workbooks (separate files), the same process applies only when the other file is already open. When linking between workbooks, make sure you know the filename and location of each;
    • Note that named ranges work both within and between workbooks;
    • Lastly, linked files are susceptible to errors or disconnections when:
      • File names are altered;
      • A file is moved to an inaccessible location;
    • When a link to another file is disconnected, breaking the link will convert it to the last known value, as a static, unlinked value.
  • Hide sensitive information:
    • When protecting a sheet, you can opt to prevent selection of locked cells within the protected sheet;
    • You can also enable the  “hidden” checkbox under the protection tab (format cells) to show the calculated value but not the formula, when a sheet is protected;
    • As mentioned, you can link to data within hidden sheets in a protected workbook;
    • You can make a summary workbook that pulls data from multiple submitted files. You can make either the source data or the summary accessible only to authorized users;
    • Quick hack for hiding data: Set the background and text colors to match each other. When you do this, the cell’s contents are visible only when selected.
  • Use data validation tools:
    • Configure drop-down lists for ranges. The choices can be manually entered, or can be set to pull from a range of cells elsewhere in the spreadsheet;
    • Data can be limited to certain calculated values, which can be set up using custom cell references;
    • If a user enters data that does not pass validation, you can configure it to stop or disallow the entry, to pop up a warning, or to pop up an informational message, which you can customize;
  • You can also apply conditional formatting to highlight values that do or don’t meet your criteria.
  • When working with multiple sheets:
    • Shift + select all tabs at the bottom (for separate sheets), and what you enter in the open sheet will be entered in the same place on all sheets.

Link to Google Form to get access to materials: Link to Insource Services