Is Slack Secure For Your Business?

Slack is used as a communal discussion center for businesses and it has increased in popularity in the last few years. Slack now has 10 million daily active users, making it the leading platform for live discussions within organisations.   

Slack is used by 65 of the top Fortune 100 companies and over 85,000 businesses, from SMBs to large enterprises, are  using the paid tier of Slack within their business. Slack is a great place to have secure conversations, but that doesn't mean you should treat it like it's watertight.

Never use Slack to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Anything highly confidential should be kept off the platform.

For Slack’s millions of daily users, the chat system represents more than just a communications tool. It also functions as a digital water cooler for company gossip, a channel for the airing grievances and a mentorship platform for junior employees can interact directly with senior counterparts. And in some cases, a platform that employees share sensitive and important login details and passwords.

The intimate nature of Slack leads most users to the assumption that their communications are confidential. However, there are a number of security blind spots on Slack that leave companies in a vulnerable position.

Slack does encrypt your messages. According to the company's security page, it secures your messages both when they are in transit between parties (i.e., when you send them) and when they are at rest.

This huge number of users represents an opportunity for hackers to utilize the platform to infiltrate networks and gain access to sensitive data. So, how secure is the Slack platform and should your organization be thinking of security solutions to protect this attack vector?

When Slack first launched in 2013, it was branded as a friendly alternative to Microsoft’s team tools. You could communicate instantly using this platform, with group messages and full conversation logs. However, in 2015 Slack was hacked, revealing the holes in its security. The company announced that over four days it’s systems had been hacked, compromising some of its users’ data. This included email addresses, usernames, encrypted passwords.

Recently, another security problem became clear as Slack allowed hackers to remotely exploit a vulnerability in Slack allowing them to input malware or alter information. The problem has been fixed by Slack, but the attack surface remains large. 

Slack has become a platform where users must be vigilant about looking out for phishing attacks and spam messages. Because Slack is invite-only, users assume that their workspace is secure, but this is not always the case. In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.

These types of phishing attacks through Slack could be potentially much more damaging than a similar campaign would be through email. 

It’s important to remember that even if your co-workers or your manager might not have easy access to your private Slack messages, there’s still a lot they can learn about you based on your profile, like your time zone, your contact information, phone number, location, and social media that you might have put on Slack. You could also find their member ID number, which might not be too revealing, and files that they’ve sent by clicking through on their individual profile, which would potentially be more revealing.

Like email, Slack is an incredibly useful and productive communications tool for businesses. Also, like email, businesses will not stop using Slack because of the security concerns. All businesses should be considering the security of Slack and the steps they can take to make sure their employees and sensitive data and financial information sent through Slack is safe. 

Expert Insights:        Threatstack:       Mic:      PasswordBoss:     Vox:      Image: Iconscout

You Might Also Read: 

Is There A Truly Secure Messaging App?:

 

 

« Improving SME Cyber Security
Foreign Hackers Threaten US Election Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Magnet Forensics

Magnet Forensics

Magnet Forensics' family of digital forensics products are used globally by thousands of law enforcement, military, government and corporate customers.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

OEDIV SecuSys

OEDIV SecuSys

OEDIV SecuSys (formerly iSM Secu-Sys) develops high-quality IT software solutions, setting standards as a technology leader in the area of identity and access management.

Asvin

Asvin

Asvin provides secure update management and delivery for Internet of Things - IoT Edge devices.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

H3Secure

H3Secure

H3 Secure focuses on Secure Data Erasure Solutions, Mobile Device Diagnostics and Information Technology Security Consulting.

S2T

S2T

S2T builds cyber intelligence solutions based on deep expertise in diverse domains such as intelligence, machine learning and AI, big data processing, statistics and linguistics.

Hacken

Hacken

Hacken provide a range of cybersecurity services including security assessments, blockchain security audits, and secure software development.

AVANTEC

AVANTEC

AVANTEC is the leading Swiss provider of IT security solutions in the areas of cloud, content, network and endpoint security.

Jisc

Jisc

Jisc is a membership organisation working in partnership with the UK’s research and education communities to develop the digital technologies they need to teach, discover and thrive.

BlastWave

BlastWave

BlastWave deliver Operational Technology Cybersecurity solutions that minimize the available attack surface and protect against the rising tide of AI-powered cyber attacks.

Centroid

Centroid

Centroid is a cloud services and technology company that provides Oracle enterprise workload consulting and managed services across Oracle, Azure, Amazon, Google, and private cloud.

Policy Monitor

Policy Monitor

Policy Monitor is a cyber security company founded by experts with extensive experience in operational and risk management.

Togggle

Togggle

Togggle offers seamless identity verification solutions and distributed infrastructure, enabling organizations to combat fraud and ensure compliance with data protection regulations.

CIP Cyber

CIP Cyber

CIP Cyber is an online learning community with a mission of connecting, training, and certifying cybersecurity professionals to protect critical infrastructure.

InterSources

InterSources

InterSources is a trusted partner, leading the way in Cloud Security, Cybersecurity, PLG Consulting, Digital Transformation, and Professional Services.