28 Oct 2019

Excel vulnerabilities show risks in using the popular tool for SRM

In 11 years’ of research, State of Flux has demonstrated one very consistent feature of the way organisations manage relationships with suppliers: they fail to invest in technology. In the decade that has seen an explosion in business-ready cloud-based software such as Salesforce.com and HubSpot, it is remarkable that for 86% of organisations, the main software for managing information about supplier relationships is Microsoft Excel.

Excel is a great desktop tool, but it is not enterprise software. That is, it has not been designed to be consistent and secure across a large organisation performing complex tasks. Security, in particular, should concern companies when they are holding so much supplier data in Excel.

Security intelligence firm Mimecast has found there are two distinct ways a hacker can access Excel spreadsheets. First, Power Query, an Excel feature that allows users to combine data from multiple different sources within a spreadsheet, can be used to facilitate Office 365 system attacks. “This mechanism for linking out to another component… can be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors” (How Hackers Turn Microsoft Excel's Features Against It). The attack is very accessible, reliable and cheap because Power Query is an Excel feature, not a flaw. These attacks can operate across different versions of Excel and different operating systems. Because they originate from Excel’s legitimate Power Query feature, they are hard to detect, so security scans need to monitor specifically for these attacks in order to catch them.

The other feature actively weaponised by attackers is macros: malicious macros can even break through the most up-to-date security systems. Macros are meant to be a helpful way of automating specific tasks, but they can also be programmed to run a series of instructions designed to target users and steal information. With constant Windows updates, programmes become more adaptable and easier to manipulate. Both Power Query and macros are controlled by a Microsoft feature named “group policies”, which allows administrators to change settings on all of their organisation’s devices at once.
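As an added illustration of the group-policy control mentioned above (this is example code written for this page, not a State of Flux or Mimecast tool), the PowerShell script below reads the Group Policy registry values that govern Excel macro execution on a Windows endpoint and reports whether the setting is actually enforced. It assumes Office 2016/2019/365, whose registry version key is `16.0`, and uses the standard Office policy value names `VBAWarnings` and `BlockContentExecutionFromInternet`; it covers the macro side only, not Power Query.

```powershell
# Added example (not from the article): audit the Group Policy registry values
# that control Excel macro execution on a Windows endpoint.
# Assumptions: Office 2016/2019/365 (registry version key "16.0"); the policy
# paths and value names below are the standard Office ADMX-backed keys.
# Run in the context of the user whose Excel settings you want to inspect.

$officeVersion = '16.0'   # assumption: change for other Office releases (e.g. '15.0')

# Values under Software\Policies are written by Group Policy and take precedence
# over the user's own Trust Center choices under Software\Microsoft.
$policyPath = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Excel\Security"
$userPath   = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Security"

# Meaning of the VBAWarnings value (Trust Center "Macro Settings")
$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-ExcelMacroPosture {
    $policyVba = Get-RegValue -Path $policyPath -Name 'VBAWarnings'
    $userVba   = Get-RegValue -Path $userPath   -Name 'VBAWarnings'
    $blockMotw = Get-RegValue -Path $policyPath -Name 'BlockContentExecutionFromInternet'

    # Effective setting: policy wins if present, then the user's own choice,
    # otherwise the Office default (2 = disable with notification).
    $effective = if ($null -ne $policyVba) { $policyVba }
                 elseif ($null -ne $userVba) { $userVba }
                 else { 2 }

    [pscustomobject]@{
        PolicyEnforced       = ($null -ne $policyVba)
        EffectiveVBAWarnings = [int]$effective
        Meaning              = $vbaMeaning[[int]$effective]
        BlocksInternetMacros = ($blockMotw -eq 1)
        Findings             = @(
            if ($null -eq $policyVba) { 'Macro setting is not enforced by Group Policy; users can change it.' }
            if ($effective -eq 1)     { 'All macros are enabled: a macro-laden workbook runs without prompting.' }
            if ($blockMotw -ne 1)     { 'Macros in workbooks downloaded from the internet are not blocked by policy.' }
        )
    }
}

# Print the posture for the current user; an empty Findings list is the desired state.
Get-ExcelMacroPosture | Format-List
```

The distinction the script draws is the one that matters for a supplier-data estate: a hardened Trust Center setting that lives only under the user hive can be changed by the user, whereas the same value under `Software\Policies` is pushed and re-applied by Group Policy across every device, which is the control the article refers to.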

Organisations should only be concerned about the openness of Excel to attack if they store valuable data on the tool. The problem is, too many businesses are using the tool for important corporate data.

At its core, Excel is designed for individual users: collaborative features are severely lacking. It is easy to replicate and store multiple versions of a data set, which creates inconsistencies and means time is wasted checking and correcting documents. As a result, users miss deadlines and make mistakes: Mimecast found 88% of spreadsheets contain errors. On average, poor quality data costs organisations $14.2 million annually. For example, in 2012 a mistake in a spreadsheet cost JP Morgan Chase nearly $6 billion in what became known as the London Whale incident.

Since the majority of organisations manage supplier data in Excel, the question is why?

In my opinion, it’s simply because most business people have grown up using the tool for most of their data management and see it as a natural fit for supplier information – without being aware of its weaknesses. But the world has moved on and specialist tools are available for supplier management. Yet, only 6% of organisations use an SRM system to produce reports. State of Flux’s SupplierBase offers interactive graphs that generate statistics on supplier performance automatically – a task which would require lengthy data analysis and time in front of a screen with Excel. Most importantly, it is secure and personalised. Organisations can configure it to be accessible only to individuals with the right level of authority.

Migrating to new technology for SRM will offer a leap forward in performance. Excel may be the default tool for supplier data, but it is a risk organisations no longer need to take.

Click here to watch our latest SupplierBase video. Request demo now to discuss how to refresh your supplier performance management approach.