Why You Might Need to Protect an Excel File
Information in today’s corporate environment is as important as raw materials are to a manufacturer or labor is to the service industry. Organizations collect data from consumers, vendors, employees and even competitors every day. When that data contains sensitive information, then it is in the organization’s best interests to protect it.
But what is “sensitive” information?
Anyone who has been to a doctor’s office is likely familiar with HIPAA (Health Insurance Portability and Accountability Act) Privacy Rules. This 1996 legislation codified the use and disclosure of personal health information and protects individuals’ “individually identifiable health information.” Medical organizations must be extremely careful about revealing health information.
Lawyers are similarly constrained by client-confidentiality agreements that prohibit them from revealing information acquired while representing their clients.
For organizations that aren’t law firms and clinics, the following categories are considered sensitive by most businesses:
- Health Information
- Financial Information
- Educational Information
- Trade or Business Secrets
- Biological Information (things like facial recognition or fingerprint recognition)
- Personal Information
The need to keep Health and Financial information secure is fairly obvious. Human Resources departments are going to keep salary information confidential; charity organizations will keep their donor information private unless publicity is carefully negotiated. Few companies collect biological information but the need for privacy is clear to those who do.
It is #6 that gets tricky. Personal Information is a rather broad and vague term. Whether welcome or not, new privacy legislation (such as the California Consumer Privacy Act (CCPA) and the EU’s (GDPR) General Data Protection Regulation) is helping to define which personal data is to be considered sensitive and protected. Even if your organization does not fall under these regulatory rules, they provide language that is helpful for understanding what is becoming assumed to be considered “private.”
The CCPA describes personal information in four categories:
- Information that identifies. This can include data like names, photographs, social security numbers, addresses, passport numbers and other data that specifically reveals someone’s identity or household.
- Information that relates. This is a more subtle category of data such as website cookies and digital tracking methods and is considered private by virtue of the data’s ability to relate an individual to a purpose (sell you a product).
- Information that describes. This includes data such as demographics such as age, ethnicity, gender, orientation, physical descriptions, education, religious and political affiliation.
- Information that can be reasonably linked. Similar to the relate category, reasonably linked protects a person’s information even if it was not gathered specifically for the purpose of tracking them. A website might log IP addresses, for example, to understand geographically where customers are coming from. The organization, however, must still protect that data as it could be used to identify an individual user.
Most of these big data privacy issues of the day involve massive databases and deliberate, malicious attacks. For the everyday organization, it may seem like those issues are irrelevant. Sadly, that is not the case. Even a cursory web search reveals anecdotes of company spreadsheets being accidentally or inappropriately shared with expensive consequences. The Verizon 2021 Data Breach Investigations Report (DBIR)  in fact, reports that around 25% of reported data breaches resulted from Miscellaneous human errors, 25% of which were “mis-delivery” errors such as data being sent to the wrong distribution list or person.
While these figures do NOT represent the sharing of Excel files specifically, it does illustrate the need for every organization to think carefully about how their files are protected.
How Secure is a Password Protected Excel File?
The method you use to secure your workbook will depend upon how sensitive your data is and how you plan for the data to be used. If you merely wish to prevent changes to your information but do not mind if others can open and view the workbook, you can use the Protect Sheet or Protect Workbook commands located on the Review tab. This is useful if you want to share information without inviting accidental changes to the data or revealing proprietary formulas. It also does not prevent viewers from copying your data into their own spreadsheets. These features should only be used for convenience, not to secure important or sensitive data.
When you need to prevent unwanted users from viewing or even opening your workbook, you will instead need to Encrypt your entire file with a password.
Older versions of Excel employed weak encryption that was easily overcome. Microsoft Office now uses the AES-256 encryption algorithm which is generally regarded as statistically unbreakable in a reasonable amount of time. This refers to the ability of someone to break the encryption and read the file without entering the correct password.
However, there is a weak link in this system: The password itself. While malicious actors are unlikely to break a file’s encryption, software that simply tries hundreds of passwords over and over until it finds the correct one is widely available. Password crackers are very clever at trying common words and phrases, first. The best encryption in the world won’t protect your file if the password is “password”.
The quality of your password can be key to protecting your data. Here is a quick guide to creating a secure one:
- Avoid words you can find in a dictionary
- Never include personal information such as birthdays or anniversaries
- Include a mix of upper- and lower-case letters as well as numbers and symbols (*!>/ etc.
- Longer is always better!
And don’t forget to manage how the password is shared. If you send the password in the same email as the attachment, it’s not particularly secure. (Remember the statistic about mis-directed files?!) Some industry experts recommend distributing passwords through different channels, such as text or instant message apps, instead of email.
How to Password Protect an Excel File
Here are the steps to encrypt an Excel workbook:
- Open the workbook you wish to protect, then click the File Tab.
- On the Info tab, click Protect Workbook.
- Choose Encrypt with Password from the dropdown menu to open the Encrypt Document dialog box.
- Type a password. Click
- Type the password again in the Confirm password dialog box. Click OK. Protect Workbook will change color and a notice that a password is required will be displayed.
- Save and close the workbook. The next time it is accessed, you will be prompted to enter the password before it will open.
- To remove password protection:
- Open the workbook and follow steps 1-3 above.
- Erase the password in the Encrypt Document dialog box and click
- Save and close the workbook. A password will no longer be required.
When to Password Protect Your Excel Files
It is important to pay close attention to how and when data that your organization collects is used and distributed. But this doesn’t mean you must be paranoid and encrypt every file ever created. Careful consideration and well-communicated privacy practices should be enough to ensure that your data is used correctly. And if you are concerned about legal liability for certain kinds of information, reach out to your own legal council to put your mind at ease.
At the end of the day, your best defense against data theft or privacy breach is education and good policy. And perhaps, AES-256 encryption now and then.