Is Slack Secure For Your Business?

Uploaded on 2020-10-01 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Slack is used as a communal discussion center for businesses and it has increased in popularity in the last few years. Slack now has 10 million daily active users, making it the leading platform for live discussions within organisations.   

Slack is used by 65 of the top Fortune 100 companies and over 85,000 businesses, from SMBs to large enterprises, are  using the paid tier of Slack within their business. Slack is a great place to have secure conversations, but that doesn't mean you should treat it like it's watertight.

Never use Slack to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Anything highly confidential should be kept off the platform.

For Slack’s millions of daily users, the chat system represents more than just a communications tool. It also functions as a digital water cooler for company gossip, a channel for the airing grievances and a mentorship platform for junior employees can interact directly with senior counterparts. And in some cases, a platform that employees share sensitive and important login details and passwords.

The intimate nature of Slack leads most users to the assumption that their communications are confidential. However, there are a number of security blind spots on Slack that leave companies in a vulnerable position.

Slack does encrypt your messages. According to the company's security page, it secures your messages both when they are in transit between parties (i.e., when you send them) and when they are at rest.

This huge number of users represents an opportunity for hackers to utilize the platform to infiltrate networks and gain access to sensitive data. So, how secure is the Slack platform and should your organization be thinking of security solutions to protect this attack vector?

When Slack first launched in 2013, it was branded as a friendly alternative to Microsoft’s team tools. You could communicate instantly using this platform, with group messages and full conversation logs. However, in 2015 Slack was hacked, revealing the holes in its security. The company announced that over four days it’s systems had been hacked, compromising some of its users’ data. This included email addresses, usernames, encrypted passwords.

Recently, another security problem became clear as Slack allowed hackers to remotely exploit a vulnerability in Slack allowing them to input malware or alter information. The problem has been fixed by Slack, but the attack surface remains large. 

Slack has become a platform where users must be vigilant about looking out for phishing attacks and spam messages. Because Slack is invite-only, users assume that their workspace is secure, but this is not always the case. In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.

These types of phishing attacks through Slack could be potentially much more damaging than a similar campaign would be through email. 

It’s important to remember that even if your co-workers or your manager might not have easy access to your private Slack messages, there’s still a lot they can learn about you based on your profile, like your time zone, your contact information, phone number, location, and social media that you might have put on Slack. You could also find their member ID number, which might not be too revealing, and files that they’ve sent by clicking through on their individual profile, which would potentially be more revealing.

Like email, Slack is an incredibly useful and productive communications tool for businesses. Also, like email, businesses will not stop using Slack because of the security concerns. All businesses should be considering the security of Slack and the steps they can take to make sure their employees and sensitive data and financial information sent through Slack is safe. 

Expert Insights:        Threatstack:       Mic:      PasswordBoss:     Vox:      Image: Iconscout

You Might Also Read: 

Is There A Truly Secure Messaging App?:

 

 

« Improving SME Cyber Security
Foreign Hackers Threaten US Election Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Airbus Cybersecurity

Airbus Cybersecurity

Airbus CyberSecurity is a European specialist in cyber security. Our mission is to protect governments, military and critical national infrastructure enterprises from cyber threats.

Southwest Research Institute (SwRI)

Southwest Research Institute (SwRI)

Southwest Research Institute SwRI are R&D problem solvers providing independent services to government and industry clients. Areas of expertise include Cybersecurity, Intelligent Networks and IoT.

ICT Reverse

ICT Reverse

ICT Reverse is one of the UK’s leading, fully accredited providers of ICT asset disposal and secure data erasure.

The Legal 500

The Legal 500

The Legal 500 Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. Practice areas covered include Data Protection, Privacy and Cybersecurity.

Nokia

Nokia

Nokia is a proven leader in fixed, mobile and IoT security offering capabilities that range from systems design to integration and support.

Security Management Partners (SMP)

Security Management Partners (SMP)

Security Management Partners (SMP) is a trusted partner to financial services, healthcare and businesses that need to manage their information, securely.

ISTC Foundation

ISTC Foundation

ISTC Foundation is one of the leading innovation centers in Armenia, founded by joint initiative of IBM, USAID, Armenian Government and Enterprise Incubator Foundation.

CyberCyte

CyberCyte

CyberCyte provides a disruptive built-in integrated physical, network and perimeter security solution framework.

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

SEEDS conducts research and develops innovative cybersecurity technologies, tools, and methodologies that advance the energy sector’s ability to survive cyber incidents.

Soteria

Soteria

Soteria is a global leader in the development, integration and implementation of advanced cyber security, intelligence and IT solutions, delivering complete end-to-end solutions.

Lodestone

Lodestone

Lodestone partners with clients to help them mitigate business and reputational risk, through our human-based, approach to cyber security, digital forensics and incident response.

Darknone Global

Darknone Global

Darknone is a consortium of elite hackers and security leaders united by an unbridled passion for augmenting the security of the digital realm.

LaScala

LaScala

LaScala is an IT Managed Services provider delivering technical, security, and compliance solutions with dedication, compassion, and agility.

Mindsprint

Mindsprint

Mindsprint (formerly Olam Technology and Business Services - OTBS) are a leading edge technology and business services firm.

Capzul

Capzul

Capzul are transforming the network security landscape with a new approach; creating virtually impenetrable networks, precluding cybercriminal attacks on your network ecosystem.

Dial A Geek

Dial A Geek

Dial A Geek are a Bristol-based B Corp that provides Managed IT Services to companies of 20+ users. We help businesses with a smart use of tech, including compliance and cybersecurity solutions.