Spreadsheet Risk Management: Best Practices for 2025

Excel has long been a target for hackers; just one click on a malicious attachment can infect your entire network. Yet despite these dangers, spreadsheets remain a core component of many organisations’ documentation processes, supporting critical business functions. Their familiarity keeps them in use, even at the expense of security oversight.

So, how can you keep using spreadsheets while not sacrificing your safety? Continue below for a list of the most common risks associated with spreadsheets and ways to mitigate them.

What Causes Spreadsheet Risks?

Spreadsheet risks arise because spreadsheets can be expanded indefinitely, which makes changes difficult to track, especially when your budgeting process lives inside those very same worksheets. Most organisations apply good practices within their ERP environment, such as segregation, identity and access management layers, yet they lose that discipline when data is extracted and uploaded into a spreadsheet.

The vulnerability of spreadsheets has been well documented over the years. The European Spreadsheet Risk Interest Group (EuSPRIG), an independent organisation, publishes on its website examples of disasters and mishaps originating from spreadsheets.

Top Spreadsheet Risks to Look Out for

Here is a list of the most common risks associated with spreadsheets:

Human Error and Manual-Process Risks

Like most programs, spreadsheet software relies on manual input. This means calculations are susceptible to human error. The most common errors are keying in the wrong numbers, deleting formulas, not linking new fields and failing to update formulas.

Formulas are unique and have specific tasks. As there is no automated process to check for worksheet errors, checking these files is an onerous but important task to prevent errors from happening. Regular auditing and checking of spreadsheets will prevent the need to rebuild the work from scratch.

Security Vulnerabilities and Malicious Threats

High-profile cases have made the headlines in recent years because of spreadsheet security risks. This has at least prompted organisations to develop proper procedures for spreadsheet development, and policies and guidelines do go some way to mitigating risks. 

However, threats posed by viruses, Trojans and unencrypted USB sticks are still prevalent, and organisations must be vigilant. Features such as password protection and hiding or protecting sheets are not actually designed to secure information and can be easily bypassed.

Even with security measures, the threat of hacks is constant. Many organisations are not aware that software is readily available to crack passwords or open spreadsheets and remove all perceived protection features, such as hidden sheets.

Note: One of the best-known spreadsheet viruses, Melissa, surfaced in March 1999. It spread via malicious macros in Office documents, emailing itself to every contact in an infected user’s Outlook list.

Unsecured Employee Devices

Personal devices that employees bring to work must also be covered by security protocols; alternatively, businesses should maintain all data on local servers and allow remote access only to approved employees.

Viruses are also widely transmitted by spoofing methods that include file names like “unpaid invoice,” “overdue invoice,” and similar terms in an email. These phishing approaches try to manipulate unsuspecting users into opening the attachment.

Real-World Case Studies of Spreadsheet Failures 

  • In 2016, Lazard Ltd, the investment bank that advised SolarCity Corp on its $2.6 billion sale to Tesla Motors, made an error in its analysis that discounted the value of the solar energy company by $400 million. The error was the result of a computational error in SolarCity spreadsheets, which it used in its discounted cash flow valuation analysis. The error meant severe reputational risk for the company's advisers.

  • The high street retailer M&S fell victim in 2016 to a spreadsheet summing error, which forced the retailer to issue a correction to its quarterly trading statement. The original statement issued at 7 am reported group sales had grown 1.3%. But later the same day, the company reissued the financials with a correction showing that group sales had in fact fallen 0.4%. The error resulted in reputational risk and restatement.

 

Future Business Impact of Spreadsheet Risk

Spreadsheets start with a few formulas but grow and end up being core documents that support business-critical decisions. As the company grows, the worksheets become more complex and harder to manage, by which point it will be too difficult to move to a different reporting tool, so the business sticks with the risky spreadsheet. 

From human error to complex equations, formulas and macros, spreadsheets add risk to a company's reporting efforts. They should be replaced by tools that prevent employees from cutting and pasting critical information incorrectly, encourage collaboration and align with current business security protocols.

Now, let’s discuss how to manage spreadsheet risks.

Mitigation Strategies and Best Practices

The widespread use of spreadsheets across businesses of all sizes can make it easy to overlook the potential risks they can pose. Companies that follow these best practices will ensure they are less vulnerable to spreadsheet risks:

  • Formal development procedures: Treat spreadsheet creation like an IT project.

  • Access controls: Apply the same identity and segregation policies as ERP.

  • Regular audits: Schedule recurring checks to catch errors early.

  • Device management: Enforce security on personal and company devices.

  • Governance ownership: Finance leaders must champion the adoption of safer reporting solutions. Secure alternatives to spreadsheets can prevent a lot of financial and security problems down the line.

Download Mercur’s Free Risk Guide

Finance Managers, Directors and CFOs are responsible for risk identification and are also in charge of driving the adoption of more suitable IT solutions for reporting. If you would like to find out more about how to keep your organisation safe from spreadsheet risks, get a complimentary copy of Mercur’s e-book about the six critical risks of reporting in spreadsheets and how to stop them.

 

Frequently Asked Questions

 

What are the top disadvantages of spreadsheets?

Spreadsheets put security at risk through manual errors, a lack of strong controls and scalability issues.

When should you not use spreadsheets?

You should avoid spreadsheets for complex, collaborative or high‑security reporting.

How do I protect data in spreadsheets?

Protect spreadsheet data using strict access controls, version history, encryption and regular audits.
