How to Manage the Risks Associated with End User Computing

{authorName}

Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Tuesday, January 28, 2020

The rise of end-user computing will pose numerous risks to businesses. What are the biggest threats, and how can you effectively manage them?

Article 7 Minutes

Every business today is a digital business, and by extension, that means every worker today is a digital worker. But while many employees may be comfortable and familiar with managing their activities though the tools provided by their IT department, some will look to take matters into their own hands.

There will always be individuals looking for ways to complete their tasks faster and more efficiently, and this often leads them to investigate their own tech solutions, outside the confines of the IT department-approved estate.

This 'shadow IT' can take many forms, from the use of personal mobile devices to consumer-grade cloud apps, but one area that's set to see particular growth in the coming years is end-user computing, or EUC.

Visit the Hub

Learn how to keep your remote workers connected and productive during the Coronavirus outbreak.

EXPLORE NOW

Why EUC is set to transform business

End-user computing is defined as any working application created outside the normal processes of the IT team, typically by employees within business units.

While it comes in many forms and can refer to complex programs that employees have coded and scripted from scratch, the most common type of EUC deployed within many businesses is Excel spreadsheets. These are particularly prevalent in finance departments, as they allow employees to get to grips with large amounts of critical financial data and manipulate it quickly and efficiently.

In the coming years, EUC tools such as this are set to become even more critical to how many employees work. The amount of data being generated is exploding, and trends such as mobility and the Internet of Things are greatly increasing the number of devices within a business. This means how employees interact with data is changing.

For instance, more than four in ten Americans now work remotely at least some of the time, while the average worker now uses 2.3 devices in their professional life - with one in seven using six or more. This means many workers will be looking for easier ways of doing things and to access their solutions from anywhere, across any platform.

The challenges posed by EUC

However, while the programs and processes these personnel create may well make their day-to-day activities easier, they won’t usually have followed the same rigorous processes of design, testing and improvement that IT-led projects will have gone through, which means they’re at far higher risk of a range of vulnerabilities, from security holes to errors in execution that lead to misinformed business decisions being made.

With thousands of lines of code and formulas potentially being used in EUC applications - much of which won’t have been thoroughly tested or regularly reviewed - and data being brought in from multiple sources, there are many things that can go wrong. Can you be certain that the data being put into these systems is accurate and up-to-date, for instance? Or is there any way in which figures could be altered, either by accident or through malice?

Other issues that must be considered include whether these solutions fully conform to regulatory requirements. This is something that will be especially important for organizations working in highly-regulated industries such as finance and healthcare, which are heavily dependent on confidential data.

Understanding your EUC environment

One of the biggest risks associated with EUC isn’t knowing the scale of the potential problems. Like many aspects of shadow IT, EUC solutions are created on an ad-hoc basis with no involvement from the IT department, which can result in a sprawling, disconnected web of applications without a clear management system.

This may mean there are serious vulnerabilities in a firm's technology estate that the IT team isn’t even aware of. Therefore, the first step in addressing EUC risks is to conduct a complete audit of the entire business to:

  • Identify exactly where your organization is using EUC
  • What data it's assessing
  • What potential vulnerabilities will need to be addressed

Special attention should be paid to solutions that depend on large amounts of complex coding, use macros, or those that depend strongly on connections with other data sources elsewhere in the business, such as spreadsheets and databases. Once you've determined which EUC solutions are the highest risk, you can then take action to manage them more effectively.

The cost of errors

A key step should be putting plans in place to reduce the number of errors that can occur within these systems, which may range from typos to poor data sharing practices.

Spreadsheets in particular can be a huge source of errors, whether this comes from incorrect formulas or mistakes that occur when data is moved in and out of these files. It's estimated that around 90% of spreadsheets contain errors, and even skilled users may find it difficult to identify these. Mistakes in data entry, formulas, the spreadsheet logic, or links to other documents and external data sources can all contribute to increased risk for the business.

A study by Chartis Research warns that in the financial sector, losses stemming from errors and misuse of EUC applications is "startlingly common", yet often under-reported - which means many IT departments may not even realize that poor EUC practices are costing them.

As a result, the average Value at Risk for the 50 largest financial institutions due to EUC stands at $12.1 billion. However, financial losses aren’t the only potential result of EUC errors.

For instance, Cluster Seven highlights a 2018 case from the NHS in the UK, where a spreadsheet was used to collate data from job applicants, including test scores. These were  incorrectly copied into a new sheet with a different format, which meant incorrect rankings were given to candidates and several junior doctors were offered positions they didn’t qualify for.

Addressing the security situation

One of the most severe consequences of failing to adequately control EUC applications is data breaches. These can often occur because the end-users who are creating these solutions are unfamiliar with essential security best practices and don’t take the necessary steps to secure data that IT department-authored applications would.

In 2018, a local council in the UK was fined £120,000 by the country's data protection regulator after it inadvertently gave the names and addresses of almost 1,000 property owners to journalists. This happened because it sent data in the form of a pivot table - a spreadsheet that hides underlying source data from view. However, errors in how this was created meant anybody could uncover the hidden data simply by double-clicking.

The Information Commissioner's Office noted this was an easily-avoidable issue, having warned of the risks back in 2013, when two other companies were fined for a similar mistake. However, it found the organization hadn’t provided its employees with adequate training on the functionality of spreadsheets, or offered guidance on how to check for hidden data.

As well as not masking sensitive data, security risks for EUC include failing to effectively encrypt files, sharing them freely without validating the identity of the recipient, and allowing the unrestricted use of devices such as smartphones and tablets that are at risk of being lost or stolen, to name but a few.

Bringing EUC back under control

Many of these challenges will prove very tough to tackle, especially in an environment where the number of EUC applications is set to grow faster than they can realistically be manually reviewed. But when even one spreadsheet error could cost millions in lost business, fines or reputational damage, you need a plan in place.

Having a clear policy for the use of EUC is vital. This should start by defining what applications and file types will be covered by this, as many people may not realize the risks they’re exposing their firm to with the use of everyday tools like spreadsheets.

Such policies need to have rules for how your inventory of EUC applications are documented, tested and maintained, with stricter requirements in place for those that handle sensitive data and are deemed mission-critical. The use of automation is also important in reducing errors.

Strong training for anyone using these types of solutions is also a must, and it's hugely helpful to also have an ongoing scheme that ensures users can turn to the IT department for advice on anything they’re uncertain about - without worrying the suggestions they receive will be too complex, or the departments will shut down what they’re trying to do.

Taking control of EUCs will be fundamental to the success of every organization in the coming years, so ensuring all employees have a full understanding of what they are and what their responsibilities will be is essential.

Further reading:

 

Access the latest business knowledge in IT

Get Access

Tech Insights for Professionals

The latest thought leadership for IT pros

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.

Comments

Join the conversation...