Low quality applications created by employees pose a security risk to data
The creation of applications from spreadsheets and desktop database programmes by end-users is posing problems within organisations.
Mark Chaplin, senior research consultant at the Information Security Forum (ISF), highlighted new social networking technologies, mobile devices and a more flexible and tech-savvy workforce as causing greater security challenges in the increasingly complex and diverse end-user environment.
However, another significant but often overlooked issue in the end-user environment involves the widespread development and use of spreadsheets and desktop database programmes by end-users to create their own applications, according to Chaplin.
He said: “In many cases these types of application are developed in an ad hoc manner, often outside of corporate control and are poorly protected. This can introduce significant risks when organisations become dependent on them (e.g. to support financial transactions or a manufacturing process) and they fail, for example, as a result of coding errors.”
Commenting, Chris Wysopal, CTO at Veracode, claimed that a lot depended on the type of business that was affected but this activity did pose a problem. He said: “If they are under a requirement like HIPAA or PCI DSS, a company database may be managed with user control but if someone pulls the data and adds it to a spreadsheet database and puts it on to a laptop and uses Excel to harvest the data, then the company has lost control of the data.
“Then the laptop can go to the user's home and be shared on the network, then the only protection is by desktop security. The appeal is some know how to Excel sourcing, it is not a sophisticated application but building an application that can be intercepted and lead to network access.”
Recent research by the ISF found that vast differences in the knowledge, behaviour and actions of end-users create further security risks; and it believes organisations need to empower employees to take more personal responsibility for protecting critical and confidential information.
Chaplin said: “The first step is to understand the broad range of security challenges associated with end-user environments in an organisation. It is not unusual for management, including senior executives, to be unaware of the value of information that employees have access to and use; the threats this information is exposed to when not adequately protected; and the potential business impact if this information is compromised in the end-user environment.”