The use of spreadsheets in accounting and finance departments has vastly improved data analysis and enabled fast and accurate reporting, computing and information storage. Life without them is almost unthinkable. However, danger lurks within and although the use of macros in Excel to automate processes can enhance efficiency, macro malware can put your entire business at risk says Ryan Mer, Managing Director of eftsure Africa, a Know Your Payee™ (KYP) platform provider.
Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. Microsoft has disabled macros by default in recent versions of Microsoft Office. However, Business Email Comprise (BEC) attacks are on the rise, adding an additional layer of risk of spreadsheets being manipulated or fictitious ones being used as a mechanism to inject malware into existing systems. Business Email Compromise remains a threat to any organisation and its clients. In South Africa there is case precedence for firms being held liable for payments that did not reach the intended recipient; a situation that demands email correspondence containing bank details and personal information on Excel spreadsheets be handled with caution.
Macros allows staff in finance and accounts payable teams to automatically run tasks that are executed repeatedly. It can record the steps you take when performing a particular task in an Excel file. When run, the macro automatically executes your key strokes and mouse clicks, and can repeat those steps as many times as you want.
Cybercriminals have been using macros as a vehicle to automatically and secretly execute malware whenever the macro runs. Unlike a traditional phishing attack, which requires someone to actively click on a dangerous link or open a dangerous attachment to run malware, macro malware do not require anyone to actively click or open anything. This makes them particularly difficult to detect and stop.
“Senior managers should be viewing cybersecurity as a business problem and not just a technology problem. In reality, cybersecurity is very much a business consideration”, notes Mer.
Understand the danger
Microsoft Office files that have a macro in them have a different file extension to indicate that they have an embedded macro. A normal modern Word document is a .DOCX file, but if a macro is added to the file it is saved as a .DOCM file. The same goes for a modern Excel workbook that is a .XLSX file, but if there are macros in them the Excel file becomes a .XLSM file. A macro virus could be stored in macros within a Microsoft Office file such as a document, presentation, workbook, or template. Hackers can create and attach macros to any of these files to run arbitrary commands.
In many cases, employees in accounts payable teams use spreadsheets for certain functions that are repeated every month, such as listing all the outstanding invoices the company must pay. In such situations, it makes sense to create macros to automate the process.
It is advisable to enable macros only to staff members who regularly use them. Given the efficiency benefits of macros for accounting teams, it is likely that many in accounts payable teams will opt to enable macros in their Excel spreadsheets. Mer says many organisations also still rely on manual processes, which in turn, have numerous gaps. This offers opportunities to cybercriminals to use macro malware to compromise certain payment functions.
“eftsure identifies errors, fraud and scam attempts before funds can be released. Our Know Your Payee technology ensures that the verification of payees and eft payment data is done on a continuous basis, protecting companies from fraudulently changed or maliciously altered payee information.” Mer believes that well-informed staff, sound business processes and the right technology are at the frontline of fighting fraud and mitigating risk, and, when combined, can put up a formidable defence.
Skills and tools
“Since employees are usually the target of cybercrime, especially those in finance and accounts payable, equip them with the skills and tools to spot threats and respond effectively,” says Mer.
“Make sure teams understand the vulnerabilities of macros. Continuously remind them not to open suspicious emails or attachments and to delete emails for unknown people,” he adds.
Important strategies to adopt in your business when using macros:
- Only enable macros for specific staff that rely on them on a regular basis.
- Make sure macros are disabled when they are not required.
- Ensure you are using the latest version of Microsoft Office and that it is always kept updated to reduce the risks of malware.
- Provide training to accounts payable staff on the risks of macros, so they understand they must act with extreme caution if they have not been disabled.