We recently touched on the potential security threat of Customer Relationship Management (CRM) when used as ‘Shadow IT’. As CRM is one of the main culprits of Shadow IT within SMEs, we feel it warrants more than a mere paragraph!
To recap, Shadow IT is any IT kit or software that is used within a business but that hasn’t been acquired by the business. So, think a personal Dropbox account, Alexa-enabled device or Hotmail account…
Shadow IT arises out of many scenarios but is rarely malicious. Imagine the extrovert employee installing Alexa to liven up the office, the remote-working Administrator using Hotmail as they can’t access their work email, and the keen Marketing Executive taking the initiative to start using a new Customer Relationship Management tool. All of these scenarios pose a security threat, but CRM is particularly alarming.
Those that are familiar with CRM will be aware of the vast quantities of customer data that can be held within it. From the name of a customer and their telephone number through to order history and even personality traits, the data is invaluable to a business, but also to potential hackers. And even if the cybercriminals have no need for the data, they can still use it to hold a business to ransom.
Imagine the mayhem caused if all customer data is stolen from a business:
- Sales order histories are lost, along with contact details. Marketing activities grind to a halt.
- Does a ransom need to be paid to get the data back? If payment is made, this will have a significant impact on the bottom line. If payment isn’t made, invaluable data is lost and may never be recovered.
- Will cybercriminals use the stolen data to contact customers? They could email an entire database posing as the organisation in order to scam customers.
- Fines could be issued by the Information Commissioner’s Office (ICO).
- Reputational damage will take a long time to repair.
- Recovering from a hack could take weeks or months, or even prove fatal to a business.
So, the impact of losing CRM data is significant, to say the least. Which begs the question, why install it as Shadow IT?
There could be many reasons why CRM is installed outside of the usual company parameters but frustration and enthusiasm are two of the biggies.
Frustration can arise when a member of staff (or a whole department) doesn’t feel listened to. They may have asked for a CRM system to be put in place but their request has fallen upon deaf ears, or at least that’s the impression they have. Management may be too busy to deal with Marketing’s request, it could be seen as too costly, or the IT department may be mulling over how it can be used. That’s when Marketing Departments go rogue and start using a CRM system without the knowledge of management.
The enthusiasm of the new employee, wanting to impress with the advantages that CRM can bring, also poses the same threat. Communication with management may have been bypassed altogether in this instance.
How can management avoid unauthorised CRM being used?
Firstly, educate. Train your teams (from day one) on why they mustn’t use Shadow IT, no matter how much they feel it would benefit the business.
Secondly, listening helps. If your marketing team is desperate for CRM, help them get it, or at least explain why they can’t have it.
Communication is key. Keep your team on board and informed, and they’ll be far less likely to use unauthorised CRM.
Worried that your Marketing Team are using a CRM that hasn’t been officially approved? Ask them. And ask us. We can help establish where any Shadow IT is being used within your business and how to eradicate it without damage.