Newsletter Old site

Newsletter Jun 2005

News update 2005-06: June 2005

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor

Comments and feedback to Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe AT
Unsubscribe by sending an email to news-unsubscribe AT (Change ” AT ” to “@”). Newsletter archived at

In this issue:
1. Hidden text and meta-data
2. What is a spreadsheet?
3. Forthcoming events
4. Phishing
5. Newsletter information

1. Hidden text and meta-data

Every so often there is an article in the press about hidden text
being left in a file that is released to the public: it usually
involves a Word file, but it’s possible for the same sort of thing
to happen in Excel, or even PowerPoint, too. For instance, in April
the Pru managed to send out a version of their first-quarter new
business figures in which recipients could see many of the changes
that had been made during the preparation of the document. It’s not
only text from previous drafts that may be present for all to see,
but also other information, such as the original author of the

I am always slightly surprised that important documents are sent
out as Word or Excel files in the first place: surely a format that
is intended to be edited just isn’t suitable, unless you want the
recipients to edit it? Just think of the risks that may arise if
the recipient can either edit the file or see changes that were
made in the past. You may be misrepresented, fraudulent use made of
the modified documents, confidential information may leak, and so
on. Although there has as yet been no big scandal from this sort of
problem, I am sure that there are many more occurrences and many
more problems, some of them resulting in monetary losses, than we
hear about in the press.

There are some simple steps that can be taken to minimise the
risks. They are not foolproof, but add little extra burden on to
the user (so are at least practical to apply). Useful techniques

– Password protect the file to make it read-only. This doesn’t
provide a lot of protection (Microsoft Office passwords are
generally easy to break, and it’s possible simply to cut and
paste the contents into another document) but does at least stop
inadvertent changes.

– Use the options that Word and Excel have to “Remove personal
information from file properties on save”.

– Use the Word option to “Warn before printing, saving or sending a
file that contains tracked changes or comments”. To remove
tracked changes, accept them all and turn tracking off before

– Don’t allow fast saves in Word: if these are enabled, old text
may be saved even if you don’t track changes.

– In Excel, protect sheets and workbook structure so that users
can’t make unwanted changes.

– Use Microsoft’s “Remove Hidden Data” add-in, which lets you
remove hidden data from Word, Excel and PowerPoint files.

– Send out pdf files instead. Although it is possible to edit these
if you have the right software, most people can only read
them. There are various ways of producing pdf files, including
some commercial software packages, but the easiest is to install
a free package like pdf995, PrimoPDF, or CutePDF Writer. These
add an option to your list of printers, so that instead of
printing to paper you print to the pdf creator which makes a pdf
file. (Pru’s new business figures) (Microsoft’s add-in)

2. What is a spreadsheet?

How many spreadsheets do you have in your organisation? In your
department? On your machine? It’s a tricky question to answer: it
depends on what you mean by a spreadsheet.

You could simply count the files that have an extension of “.xls”
(assuming you use Excel). But then you may well be double counting,
especially if you are a careful person and save interim versions as
you develop a complex spreadsheet. It’s also possible (though
unlikely) that some other application creates files with the same
extension as .xls files. You may be under-counting, if some files
are zipped up to save disk space.

Then there are those half-worked out spreadsheets that were never
actually used for anything, and the others that simply served
instead of the back of an envelope.

And what about all those spreadsheets that are nearly but not quite
the same? Ones that do essentially the same calculations, but on
different data–perhaps for monthly reporting, or for pricing
potential contracts. In many cases these are derived from a central
template, or simply from last month’s version.

Another complication is raised by files that have the same name but
different contents. A naive way of counting might assume that they
are in fact the same spreadsheet, when in fact they might come into
the previous group (same calculations on different data) or might
simply have been given the same name by accident, and in fact
contain totally different calculations.

Of course, the actual count probably doesn’t matter too much in the
end. What does matter is that you know what spreadsheets there are,
what they are used for, and how they are related. It’s important to
have good processes in place both for developing them and keeping
track of them. For instance, if you use a template for pricing, you
should know for any given spreadsheet whether it was derived from
that template, and if so what version of the template, and if there
were any changes from the template. All this is important if you
want to be sure of the results coming out of the spreadsheets. You
must to be able to trace back from the results to the data and
assumptions, and to be able to trust the calculations that are
performed. If you can’t do this, you may run foul of Sarbanes-Oxley
(if it applies to you) or of the FSA, who consistently stress the
importance of systems and controls, especially in ICAS work.

There are a number of techniques you can use to do this, including
documentation inside the spreadsheets themselves, using
systematic naming conventions for both files and folders, and
having good backup and archiving processes. Poor naming conventions
can lead to big problems: natural gas prices in the USA were
significantly affected when a company submitted the wrong week’s
gas storage figures in November 2004. “One explanation for the
error was that the company had used the same computer file name for
each week’s storage balance report, making it easy for the wrong
one to be sent.” Not only easy, but positively likely, I should
have thought. Apparently the company in question has now changed
its naming conventions. (Thanks to Patrick O’Beirne for noticing
this report, and posting it on the EuSpRIG spreadsheet errors

3. Forthcoming events

The 2005 EuSpRIG conference is being held at the University of
Greenwich on 7th and 8th July. Details are at . The theme this year is “Managing
Spreadsheets in the light of Sarbanes-Oxley”, so it promises to be
both interesting and timely.

The FSA is holding a summer school from 21st-24th August at St
John’s College, Cambridge. Its aim is “To provide firms with a
unique insight into strategic thinking of senior levels within the
FSA.” There will be presentations from senior FSA staff, and some
case study work in small groups. Details are at .

There is a half day seminar on “The strategic management of risks”
at the Institute of Actuaries in London on 23rd November. Details
are at

The Actuarial profession will be holding a seminar on Operational
Risk in December; no details have yet been announced.

4. Phishing

There is so much phishing spam at the moment that sensible people
won’t reply to, or click on any link in, any email from a financial
institution. Many of them rely on people reading their email in
html: I read mine in plain text, and the links in the emails are
often perfectly genuine. It’s only in the html, in which the
highlighted text need have nothing to do with the actual link that
will be used, that the danger applies. Even then, some simple
observation will often indicate that something is wrong. When I
view email in html, and hover the cursor over a link (without
clicking) the link destination is displayed. If it is not the same
as the text of the link, smell fish!

Phishing isn’t limited to email, either. I recently received a
telephone call purporting to be from a bank with whom I have a
credit card, saying that they had noticed possible fraudulent
activity on my account. Would I give them the day and month of my
birthday in order that they could be sure they were speaking to the
correct person? Well, no, I wouldn’t. But it wasn’t my full birth
date, only the day and month. I still refused, and asked if there
was a number I could call them back on so that I could be sure I
really was talking to the bank. They gave me an 0845 number, but it
just got through to a recorded message. I later checked this out
with the real bank, and they confirmed that it was a scam, and that
the number was not one of theirs.

Apparently techniques similar to those used in phishing attacks are
now being used to gather commercially or economical valuable
information from companies. The National Infrastructure Security
Co-ordination Centre (NISCC) has recently issued an alert
describing these attacks. The alert says:

“The emails employ social engineering, including use of a spoofed
sender address and information relevant to the recipient’s job or
interests to entice them into opening the documents.

“Once installed on a user machine, trojans may be used to obtain
passwords, scan networks, exfiltrate information and launch further

Apparently the attacks, which appear to originate in the Far East,
normally focus on people who work with commercially or economically
sensitive data.

Just like phishing, these attacks rely on the unwitting cooperation
of the recipient of the email. As a reminder, NISCC confirms that
the following precautions are sensible:

– Don’t open attachments unless the email is consistent with
previous communications from the sender, and the attachment has
been scanned for viruses

– Don’t use the preview pane in your email program

– View emails in plain text, not html

These are all precautions that the home user should take, too. In
addition, you should make sure that you use a good virus and
malware detection program on your home machine, and have applied
all security updates to your operating system and other software.

As an aside, the phishing problem is the reason that I now use to abbreviate URLs. When you click on one
of their links, you will be shown the actual URL before you are
taken to the page.

5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
( Copyright (c) Louise Pryor 2005. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email news-subscribe AT To unsubscribe, email news-unsubscribe AT All comments, feedback and other queries to
news-admin AT (Change ” AT ” to “@”). Archives at