Shadow Spreadsheets: The Security Gap Your Tools Can’t See 2025

Your IT team just wrapped an exhaustive security test. The network is locked down. Your organization’s tech stack has MFA enforced across the board. Employees just finished anti-phishing training.

And yesterday, Bob from Finance shared Q3 revenue projections with a Google Sheets link set to "anyone with the link can edit." Bob was just doing his job in a way that works for him. Still, that doesn’t stop Bob’s Google Sheets link from becoming your entire system’s weak link.

"Insider threat" typically brings to mind disgruntled employees stealing data. Much more common, though, are well-meaning people like Bob who reach for spreadsheets because their approved tools can't do everything they need.

Maybe that beefy ERP software does 90% of the work people need to do, but that last 10% – whether it's tweaking charts or exporting PDF reports – just doesn't quite get projects across the finish line.

So people export. They pull data into spreadsheets, do that last 10%, and then maybe — maybe — update or reconcile the official system later. That spreadsheet is still out there, floating around for anyone who has the link. Let’s call this a ‘shadow spreadsheet’.

Here at Grist Labs we see IT teams dealing with shadow spreadsheets on a daily basis. We’ve built an open-source spreadsheet-database to kill these shadows, but more on that later. First, let’s look at why shadow spreadsheets are a real problem.

When teams move critical data to spreadsheets, we usually see one of two scenarios, both less than ideal:

Someone creates a master spreadsheet for collaboration. They set sharing to “anyone in the organization with this link” and send it en masse to everyone in a Slack channel.

Now your entire company can access salary data, customer payment terms, strategic expansion plans, or whatever else this spreadsheet ends up containing. Most won't, but you've already lost control of who can, likely without even the possibility of being notified.

Security aside, maybe this spreadsheet starts pushing the limits of Sheets or Excel? Employees build apps in spreadsheets all the time; they just don’t always call them apps. Fragile formulas in these spreadsheets-turned-apps might turn a typo into a 3-hour troubleshooting session.

Source: BleepingComputer