What is Shadow IT?

• Local branches or regions using their own CRMs or spreadsheets
• Staff storing member data in a personal Dropbox/Google Drive
• WhatsApp groups between reps and members (in unions)
• Emails being sent from a personal email address
• Teams adopting third party tools (e.g. SurveyMonkey) without approval or integration

Shadow IT is something that builds gradually overtime. It’s important to remember that Shadow IT isn’t done with malicious intent; people often don’t understand the associated risks. Staff look at additional systems, like a personal Dropbox or survey tool, when they don’t have a tool available, and they simply need to get their job done.

Many membership organisations often have small IT teams which put them under pressure. With limited resources and funding, people may look at free tools and are unaware of the risks they are creating. When users do request new tools, there are likely to be slow approval processes leaving people to find alternatives.

Particularly for Unions, Shadow IT is a particular risk as they work in a decentralised way. Branches, reps, and organisers often make their own decisions. IT teams are likely to have very little interaction with reps, and their use of tech will be harder to police as a result.

The main challenge of shadow IT is the element of the unknown. IT teams and leadership lose oversight of the tools being used. It’s often the case that once a data breach has occurred, they become aware of the unofficial tools being used.

If data is being kept in a 3rd party tool, it’s unlikely that the member has provided consent for their data to be stored in this location. The tool will also not be mentioned in the privacy policy which outlines data policies.

Data breaches occur when personal data is accessed. When this occurs, members are at risk of being scammed or the victim of phishing attacks. This can damage an organisations reputation, and members lose trust in its ability to keep their data safe; which can often result in a loss of members.

When separate tools are being used, a single source of truth is impossible. Changes made on one system will not be reflected on another, and it’s impossible to know which is most accurate. Members can become frustrated if their data is incorrect, and they are receiving the wrong communications.

The first step to tackling shadow IT is understanding how much of an issue it is for your organisation. Gather information from users and find out what tools are being used. It’s important that this is completed in a sensitive way and there’s no blame. Your finance team might also be able to support with invoices or expenses claimed for software tools.

Once there is an understanding of the tools being used, an official list of preferred tools can be created and shared. This will outline what resources people have available to use. Your internal policies and guidance might also need to be updated.

Training should be provided on cyber security, and staff should be made aware of the risks of shadow IT.

If additional systems must be used, or purchased, it’s important that they integrate with your CRM system. Only by having one system where data is centralised will you be able to have an accurate understanding of your members.

If you are having to rely on multiple systems or using a legacy system, then you should consider upgrading to a cloud-based system. These have enhanced security measures built in, like multi-factor authentication – where a user has to verify a login on another device.

Shadow IT isn’t something organisations can afford to ignore. It develops quietly over time but it carries serious risks if left unaddressed. By taking the time to understand what tools are being used, why people have turned to them, and where the gaps in your existing systems lie, you can start to regain oversight and protect your member data.

Clear guidance, better communication, and the right training all play an important role in reducing reliance on unapproved tools. Most importantly, investing in cloud-based systems will give users the resources they need to do their jobs safely.