In October of 2019, Slack’s user base was 12-million strong. Since the coronavirus outbreak, that number has shot up. Slack has recorded a net increase of 7,000 paying customers since the start of February; 40% more than it typically has in an entire quarter.
With Slack playing an unprecedentedly large role in the functioning of many organizations, security teams are wise to ask: What are the best practices for ensuring Slack security within an organization? How to secure Slack?
Here’s the key: Enterprises need to stop thinking of Slack as a glorified chat app, or a file-sharing tool.
In-app security and privacy settings and protocols alone won’t work. Slack has expanded so deeply into workflows that organizations’ attack surfaces have stretched. Effectively securing Slack means thinking of the platform as what it is: a virtual workspace. Think of all the interactions, water cooler chatter, gossip, and bullying that used to be visible in physical offices. That has been translated to a platform that operates faster, and invisibly. Furthermore, this virtual workspace is a sort of enormous network system. And all network systems need to be actively protected from cyberthreats like malware, IP theft, data loss, and compliance violations.
The Challenge of Securing Slack
A core issue with Slack security is that, unlike with WhatsApp, there is no such thing as Slack end to end encryption. Like most web apps, the only encryption it uses is HTTPS. With HTTPS, while data is encrypted en-route and at-rest on Slack’s servers, this data only has one layer of protection: Slack’s native security protocols. If an attacker gets hold of a decryption key, then all of the sensitive files and confidential information floating around in Slack are instantly vulnerable.
In July of 2019, Slack reset the passwords of 65,000 accounts. Why? Because back in 2015, hackers had gained access to Slack’s user profile database and compromised those accounts. Overall, Slack dealt with this breach fairly well. But the incident still shows that the platform is vulnerable to cyberattack, thanks to the absence of Slack end to end encryption. As well as a devastating data loss, this opens companies up to a compliance breach, as they will be liable for any stolen information.
And on top of external attackers, insiders can also present Slack security concerns. Aggrieved ex-employees with surviving access can post malicious or offensive content. Staff can bully one another. People can have discussions which break all kinds of company policy. Phishers can sneak in. People can accidentally share malicious links.
What links these external and internal threats? Organizations are vulnerable because they have no truly effective way to police what is happening within their Slack channels. They cannot purge sensitive sorts of data when they want to. They cannot ensure that internal communications aren’t breaching the rules.
Slack Security: The Bare Minimum
First, some basic guidelines for securing slack. These are fairly rudimentary things, but they’re better than nothing. If you can institute these practices, you should:
- Refrain from sharing passwords and other credentials on Slack.If and when employees need to share passwords and credentials, there are many password management solutions available in the IT space, with security protections often more robust than native systems.
- Only grant access to Slack channels when absolutely needed.As an organization, you need to reevaluate how you grant access rights on your Slack channels and workgroups. We suggest following a documented process to implement security controls and mitigate insider threats.
- Implement your company’s security policies on Slack.
Institute password strength and security standards; protocols on sharing sensitive or confidential information; and guides on sharing login credentials with coworkers.
- Include Slack training in onboarding and offboarding procedures.
A robust and regularly updated training program is key to security. When you onboard new employees, they need to thoroughly understand the rules.
The Three Principles of Real Slack Security
The basic practices listed above, if you can make them the norm, will help. However, what enterprises really need to ensure Slack security is a top-level view into the platform, and an ability to take action when needed. When it comes to the question of how to secure Slack, there are three core principles:
Visibility. Companies need to be able to scan everything that is happening within their Slack, including direct messages and larger channel conversations. They need to be able to instantly detect interactions or events that pose any sort of digital risk.
Prioritization. An active company Slack will contain thousands of events every day. Human oversight can’t cope. Companies need to leverage machine learning and AI to institute a sorting system that prioritizes threats, and can flexibly scale.
Proactivity. A notification alone isn’t enough. When an enterprise detects a threat, it needs the ability to take action. This could mean investigating, quarantining, or removing problematic interactions.
Real Slack security means establishing a security stance where visibility, prioritization, and proactivity are built-in and automated. Companies should be exploring tools and SaaS platforms that empower them to adopt this cybersecurity footing. That way, they can continue to use Slack, one of the best collaboration tools out there, with total peace of mind. If you would like to dive deeper into this topic, click here to download our Cybersecurity and Compliance Risks for Slack datasheet.
June 2, 2020
SafeGuard Cyber Team