With 8 million daily users, Slack is an undisputed industry leader in team collaboration. But, with convenience and accessibility comes an expanding attack surface that criminals and unscrupulous employees alike can exploit.
People often assume that direct messages, passwords, and private chat channels are enough to protect their data. Unfortunately, that often isn’t the case, not least because every service stores and transmits data in different ways. Some of these are more secure than others, but businesses cannot afford to rely on in-app security and privacy settings and protocols alone.
Business leaders shouldn’t take these risks as a warning to steer clear of platforms like Slack. After all, they’ve proven invaluable in today’s remote workforce. Rather, they must understand the risks and take steps on their ends to mitigate them. That way teams can enjoy all the benefits of using online platforms and messaging apps, without leaving themselves open to costly data breaches or IP theft.
What Makes Slack Vulnerable?
Unlike some instant-messaging apps, Slack doesn’t offer end-to-end encryption: message content is readable by the service itself, not only by the sender and the recipients. One of the main reasons for this is that enterprise executives often want to retain complete visibility into communications across different work groups and channels on the platform. The flip side is that a data breach affecting Slack could have disastrous consequences for its users, because whoever compromises the service can read what the service can read. It’s happened before, and there’s every possibility it could happen again. Furthermore, if confidential business data subject to compliance regulations is among the stolen information, the liability will fall on the organization that owns the data, not on Slack.
Since Slack is primarily a web app, it is accessed over HTTPS just like any legitimate website that collects potentially sensitive data, so message traffic is protected by TLS while in transit. Encryption at rest is a separate control that Slack applies on its own servers. In both cases the keys are held by the platform, not by the customer (Slack’s Enterprise Key Management add-on lets Enterprise Grid customers supply their own keys, but the service still has to decrypt messages in order to serve them), so the safety of your data is entirely at the mercy of Slack’s own security practices. Anyone who obtained the decryption keys, or who compromised the systems that use them, could in turn read the data. That might include every message your organization has ever sent. Given that companies routinely discuss trade secrets and share other confidential data on the platform, it’s a recipe for disaster. The sheer volume of messages created on Slack also means that the data worth protecting grows by the minute, at a rate that you can’t reasonably expect to monitor manually.
There’s also the possibility of someone using Slack to post malicious content, either intentionally or accidentally. A common example is a link whose visible text looks legitimate but which actually opens a phishing page: Slack’s link formatting lets the displayed text differ from the destination URL, so the address a user sees is not necessarily the one they will open. Similarly, a former employee who left the company on bad terms, yet still has access to the workspace, might deliberately post malicious content. Such scenarios can hardly be blamed on the platform, but the potential dangers are all much the same.
How to Secure Your Slack Communications
Organizations need to think carefully about implementing access rights and user provisioning and de-provisioning. There must be a documented process for implementing security controls and mitigating insider threats. To reduce your attack surface, it’s particularly important to avoid giving people access to your Slack workspaces and channels unless they actually need it. Revoking access rights from people who have left the company is merely the tip of the iceberg: guest accounts whose engagements have ended, shared channels with external organizations, and third-party app integrations (each holding an OAuth token with its own scopes) all need the same regular review.
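One practical way to make de-provisioning repeatable is to reconcile the workspace member list against the HR system on a schedule, rather than relying on someone remembering to remove accounts. The script below is an added example and is not SafeGuard Cyber’s or Slack’s own code. The Slack data is a constructed sample shaped like the response of Slack’s `users.list` Web API method (only the fields used are included), the HR roster and guest engagement dates are made up, and no network calls are made: the function only decides which accounts should be deactivated and why. The `deactivation_request` helper builds the SCIM call an operator would send; that Slack’s SCIM API deactivates a user with `DELETE /scim/v1/Users/{id}` is stated here as an assumption to check against Slack’s current SCIM documentation and plan requirements.

```python
"""Reconcile Slack workspace members against an HR roster (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample shaped like the `users.list` response (subset of fields).
SLACK_USERS = {
    "members": [
        {"id": "U01", "name": "alice", "deleted": False, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "alice@example.com"}},
        # Bob left the company but his account is still active.
        {"id": "U02", "name": "bob", "deleted": False, "is_bot": False,
         "is_restricted": False, "is_ultra_restricted": False,
         "profile": {"email": "bob@example.com"}},
        # Multi-channel guest (is_restricted) whose engagement has ended.
        {"id": "U03", "name": "contractor", "deleted": False, "is_bot": False,
         "is_restricted": True, "is_ultra_restricted": False,
         "profile": {"email": "ext@partner.example"}},
        # Already deactivated: nothing to do.
        {"id": "U04", "name": "old-guest", "deleted": True, "is_bot": False,
         "is_restricted": True, "is_ultra_restricted": True,
         "profile": {"email": "gone@partner.example"}},
        # Bot users carry app tokens; review them under app management, not HR.
        {"id": "B01", "name": "deploybot", "deleted": False, "is_bot": True,
         "is_restricted": False, "is_ultra_restricted": False, "profile": {}},
    ]
}

# Constructed HR data: active employee emails, and guest email -> engagement end.
HR_ACTIVE_EMPLOYEES = {"alice@example.com"}
ACTIVE_GUEST_ENGAGEMENTS = {"ext@partner.example": date(2020, 5, 31)}
TODAY = date(2020, 7, 3)


@dataclass(frozen=True)
class Finding:
    user_id: str
    email: str
    reason: str


def reconcile(slack_users, employees, guests, today):
    """Return the accounts that should no longer have access, with a reason."""
    findings = []
    for m in slack_users["members"]:
        if m.get("deleted") or m.get("is_bot"):
            continue  # already deactivated, or an app bot reviewed elsewhere
        email = (m.get("profile") or {}).get("email", "").lower()
        is_guest = m.get("is_restricted") or m.get("is_ultra_restricted")
        if is_guest:
            end = guests.get(email)
            if end is None:
                findings.append(Finding(m["id"], email, "guest with no recorded engagement"))
            elif end < today:
                findings.append(Finding(m["id"], email, f"guest engagement ended {end.isoformat()}"))
        elif email not in employees:
            findings.append(Finding(m["id"], email, "full member not on HR active roster"))
    return findings


def deactivation_request(user_id):
    """Build the SCIM call to deactivate a user.

    Assumption: Slack's SCIM API deactivates a user via DELETE /scim/v1/Users/{id}
    (requires a SCIM-capable plan and an admin token); verify against the docs.
    """
    return ("DELETE", f"/scim/v1/Users/{user_id}")


if __name__ == "__main__":
    for f in reconcile(SLACK_USERS, HR_ACTIVE_EMPLOYEES, ACTIVE_GUEST_ENGAGEMENTS, TODAY):
        method, path = deactivation_request(f.user_id)
        print(f"{f.user_id} ({f.email}): {f.reason} -> {method} {path}")
```

Run it nightly against a fresh `users.list` export and route the findings to a ticket or an approval step rather than deactivating blindly: an HR feed that is a day behind will otherwise lock out new starters, and guest end dates are exactly the kind of record that nobody updates when an engagement is quietly extended.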
As with everything security- and compliance-related, a robust and regularly updated training program is a key element. Employees need to have a thorough understanding of what they can and cannot discuss on Slack and other channels, as well as the reasons why. However, some risk of accidental disclosure and of malicious intent will always remain. To mitigate it, you need an automated solution that immediately alerts administrators to potential data leaks or security breaches and can keep pace with the volume of data created on Slack and other platforms.
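To make the two detection needs above concrete (the deceptive link described under “What Makes Slack Vulnerable?” and the automated leak alerting called for here), the following is an added example, not code from this page, from SafeGuard Cyber or from Slack. It scans messages shaped like Slack’s `conversations.history` output for two things: links formatted with Slack’s `<url|text>` syntax where the displayed text names a host other than the real destination, and credential material pasted into chat (AWS access key IDs, private key blocks, Slack tokens). The messages are constructed samples; the AWS key in them is the well-known documentation placeholder, not a live credential. Pattern names and the alert dictionary layout are this example’s own choices.

```python
"""Scan Slack messages for deceptive links and leaked credentials (added example)."""
import re
from urllib.parse import urlparse

# Slack mrkdwn link with display text: <https://real.example/path|shown text>
LINK_RE = re.compile(r"<(https?://[^|>]+)\|([^>]+)>")

# Secret patterns chosen for this example; extend with your own key formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}


def _host(value):
    """Hostname of a URL, or of a bare 'host/path' string; '' if none."""
    if "://" not in value:
        value = "//" + value
    return (urlparse(value).hostname or "").lower()


def deceptive_links(text):
    """Return (shown_text, real_url) pairs whose visible host differs from the target."""
    found = []
    for url, label in LINK_RE.findall(text):
        real, shown = _host(url), _host(label.strip())
        # Only judge labels that name a host; 'Click here' is out of scope for this rule.
        if shown and "." in shown and shown != real and not real.endswith("." + shown):
            found.append((label.strip(), url))
    return found


def scan_messages(messages):
    """Produce one alert per rule hit, keyed by the message timestamp and author."""
    alerts = []
    for m in messages:
        if m.get("type") != "message":
            continue
        text = m.get("text", "")
        for label, url in deceptive_links(text):
            alerts.append({"ts": m["ts"], "user": m.get("user"), "rule": "deceptive_link",
                           "detail": f"shows {label!r} but opens {url}"})
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                alerts.append({"ts": m["ts"], "user": m.get("user"), "rule": rule,
                               "detail": "credential material in message text"})
    return alerts


# Constructed sample in the shape of `conversations.history` messages.
SAMPLE_MESSAGES = [
    {"type": "message", "user": "U01", "ts": "1593734400.000100",
     "text": "Build is green: <https://ci.example.com/build/42|ci.example.com/build/42>"},
    {"type": "message", "user": "U02", "ts": "1593734460.000200",
     "text": "Payroll moved: <https://examp1e-login.net/sso|intranet.example.com/payroll>"},
    {"type": "message", "user": "U03", "ts": "1593734520.000300",
     "text": "temp creds for the migration: AKIAIOSFODNN7EXAMPLE, token xoxb-1234567890-abcdefghij"},
    {"type": "message", "user": "U01", "ts": "1593734580.000400", "text": "lunch?"},
]

if __name__ == "__main__":
    for a in scan_messages(SAMPLE_MESSAGES):
        print(f"{a['ts']} {a['user']} {a['rule']}: {a['detail']}")
```

The link rule deliberately ignores labels such as “Click here”; a link with neutral text pointing at an unknown domain needs a domain-reputation or allow-list check, which is a separate rule. Feed the scanner from an Events API subscription or a periodic `conversations.history` pull, and keep the alert payload free of the matched secret itself so the alerting channel does not become a second place the credential is exposed.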
SafeGuard Cyber provides Slack users with a way to detect, analyze, and defend against data breaches in real-time. Request a demo today to see it in action.
July 3, 2020