Read the Full Blog Post:
VCSP November Security Blog: The Risks of EUC (End User Computing)
Time to read: 3 minutes
What is EUC?
EUC or End User Computing applications are those applications that are developed, maintained, and utilized by end users. Those end users are typically non-programmers and non-IT specialists. End User Computing can range in complexity from users simply clicking a few buttons to writing scripts in a controlled scripting language. Examples of EUC applications are: spreadsheets, desktop databases, word processing documents, Business Objects, Crystal reports, MS Power Apps and other “visual programming” tools.
EUC applications are popular for a number of reasons:
FAST- no dependency on programmers or on an IT department
FLEXIBLE – easily changed to meet new needs
EASY TO USE – in theory, anyone can learn to use EUC apps like Excel
LOW COST – very affordable or even free
EUC applications are used in nearly every critical business process: financial reporting, inventory, employee data, IT consumer data, health information, environmental data, public safety, scientific analysis and more.
However, EUC apps come with an inherent set of set of security risks that many organizations fail to identify and address. One of the biggest issues is that the EUC business logic and the EUC data are not separate from the user. The user has the roles of programmer, tester, and user. The result is that an untrained user may place an undue amount of trust in the integrity of an “application” that has had little to no testing or peer review. This can lead to significant errors in the EUC application. Studies show that 90% of ALL spreadsheets with over 150 rows have serious errors that can affect the reliability of the information in the spreadsheet.
In addition, EUC applications are often implemented with very few controls. Without controls, it is very difficult to prevent errors, avoid poor decisions, prevent fraud, and protect against non-compliance with policies and regulatory mandates. By their very nature, most EUC applications have very poor system-specific controls. Most of the controls tend to be inherited from the organization’s support system of general and common controls. Any weaknesses in an organization’s general and common controls are going to be magnified when it comes to EUC application controls.
Another issue is that data used for EUC applications is very often imported from or linked to data contained in more sophisticated centralized ERP, CRM, human resources, and financial applications. The data within the centralized applications is usually highly managed and protected by numerous security controls, access controls, data protection, contingency controls, change controls, and threat management. However, estimates are that 40% of “centralized” data is funneled out and duplicated in EUC spreadsheets, word files and other utilities. Unfortunately, in the EUC environment, controls are very often either non-existent, circumvented or ignored even though the data is essentially the same data that is highly protected in the centralized system.
However, the greatest risk with EUC applications is in not knowing the size of the potential problem. EUC applications, like spreadsheets, are so widespread that it is extremely difficult to determine just how many exist, how many are used in critical business functions, how they may be linked together and where is the data extracted from and where does it go.
How can an organization mitigate the risks associated with EUC applications?
-
Inventory your EUC applications. You can’t determine what issues exist if you don’t know what you have. EUC applications are ubiquitous. Spend the time to identify what you have, where they are, what they do and who owns it.
-
Risk rank your EUC applications. How critical is the business function associated with the EUC application? How sensitive is the data processed by the EUC application?
-
Conduct a control assessment. Have your EUC application owners perform a self-assessment. Try to determine:
-
How are users granted access to the EUC application?
-
Does the EUC app send data upstream or downstream? What is the source and destination? How is it checked for accuracy?
-
Is the EUC app documented? What does it do? What is the purpose?
-
What is the process for making changes? Who can change it or modify it? How is it tested? Is there any version control?
-
Identify gaps. What controls are needed for this EUC application to function securely and accurately? Which controls are in place already and which ones are still needed?
-
Remediate! Once you’ve identified control gaps, establish a plan to remediate. Identify target dates and remediation owners.
Finally, ensure that your organization has a EUC policy. It should include the associated controls that must be in place depending on the criticality of the EUC application. EUC apps that handle sensitive data or are deemed mission-critical must have stricter requirements. The policy should outline a controlled process for acquisition of new EUC applications (vendor is trustworthy, app is well-documented, etc.). Organizations should also provide training for all employees so that they have a full understanding of EUC issues and what their responsibilities are in developing and using secure EUC applications.
EUC risks are often overlooked. Taking control of EUC applications is fundamental to the security of any organization.
If you have additional interests or questions on this topic, please contact me.
Ed Miller / VCSP Advisory Board (Edward.miller@vita.virginia.gov)