For Slack’s 8M+ daily users, the chat system represents more than just a communications tool. It also functions as a digital water cooler for company gossip, a channel for airing grievances and a mentorship platform where junior employees can interact directly with senior counterparts. And in some cases, it is a platform on which employees share sensitive and important login details and passwords.
The intimate nature of Slack leads most users to the assumption that their communications are confidential. However, there are a number of security blind spots on Slack that leave companies in a vulnerable position. Review them below, then take the suggested actions at the end of this article in order to stay as safe as possible.
The security risks of Slack
To be clear, we’re not recommending giving up Slack — the productivity benefits associated with its use are substantial. However, if you’re going to use Slack for any business purpose, you need to maintain a clear understanding of the risks involved, as well as the degree to which they can be mitigated.
Risk #1: The onboarding of employee and guest users
Some of the risks that come along with using Slack have to do with weaknesses in its code, discussed later in this article, which businesses need to be aware of but may be unable to change. In other cases, however, Slack’s security risks come from user error.
That’s the case with the proper on-boarding and off-boarding of Slack user accounts for both internal employees and external guests. If either is left in the workspace after their affiliation with the company has ended, the users may retain access to confidential or sensitive information.
To prevent this from occurring:
- Add the on-boarding and off-boarding of Slack accounts to your standard employee onboarding and termination procedures. Communication with HR is vital; IT (or whoever is responsible for creating and deleting Slack user accounts) must know exactly when to create and delete user accounts. This is especially important in the event of contentious terminations, when every minute the terminated employee remains in the system represents a liability.
- If your organization grants the ability for admins to add external guests, your organization also needs to have a regularly-reviewed and enforced policy to remove guests after their engagement is complete.
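One way to make the on-boarding/off-boarding and guest-review policy above checkable rather than purely procedural is to reconcile a workspace member export against the HR roster and a register of guest engagement end dates. The following is an added example, not Password Boss’s or Slack’s own code; the member list, HR roster and engagement register are constructed sample data, and the field names are assumptions rather than Slack’s export format.

```python
"""
Off-boarding reconciliation: compare a Slack member export with the HR roster
and the guest-engagement register, and list accounts that should be removed.
Constructed sample data; not Slack's API or any real export format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SlackMember:
    email: str
    kind: str      # "member" (employee) or "guest" (external)
    active: bool   # False if already deactivated in the workspace


# Constructed sample: what an admin might export from the workspace.
SLACK_MEMBERS = [
    SlackMember("alice@example.com", "member", True),
    SlackMember("bob@example.com", "member", True),
    SlackMember("carol@example.com", "member", False),
    SlackMember("vendor1@partner.example", "guest", True),
    SlackMember("vendor2@partner.example", "guest", True),
    SlackMember("contractor@freelance.example", "guest", True),
]

# Constructed HR roster: emails of current employees only.
HR_ACTIVE_EMPLOYEES = {"alice@example.com"}

# Constructed guest register: agreed engagement end date per guest.
GUEST_ENGAGEMENTS = {
    "vendor1@partner.example": date(2024, 3, 31),
    "vendor2@partner.example": date(2024, 12, 31),
}

# Constructed review date for the quarterly check.
AS_OF = date(2024, 6, 1)


def accounts_to_deactivate(members, hr_active, guest_ends, today):
    """Return (email, reason) pairs for active accounts that should be removed.

    Employees not on the HR roster are flagged (termination not mirrored in
    Slack); guests are flagged when their engagement has ended or when nobody
    recorded an end date at all, since an open-ended guest is never reviewed.
    """
    findings = []
    for m in members:
        if not m.active:
            continue  # already deactivated, nothing to do
        if m.kind == "member" and m.email not in hr_active:
            findings.append((m.email, "employee not on HR active roster"))
        elif m.kind == "guest":
            end = guest_ends.get(m.email)
            if end is None:
                findings.append((m.email, "guest with no recorded engagement end date"))
            elif end < today:
                findings.append((m.email, f"guest engagement ended {end.isoformat()}"))
    return findings


if __name__ == "__main__":
    for email, reason in accounts_to_deactivate(
        SLACK_MEMBERS, HR_ACTIVE_EMPLOYEES, GUEST_ENGAGEMENTS, AS_OF
    ):
        print(f"deactivate {email}: {reason}")
```

Run as part of the quarterly review (or on every HR termination event) and feed the resulting list to whoever owns account deletion; the "no end date" finding is deliberate, because a guest added without an agreed end date is exactly the account that otherwise lingers indefinitely.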
Risk #2: The power granted to “Owner” and “Admin” roles
BetterCloud’s Christina Wang points out that Slack users with “Owner” and “Admin” roles have significant power within the system — often more than most administrators realize.
For example, Wang shares that “By default, only Slack Workspace Admins and Owners can create and manage user groups. But any admin can change those settings in a drop-down menu.” Effectively, any one of your organization’s admins can go in and make it possible for all of a workspace’s users to create, modify or disable user groups. Besides the obvious potential for abuse, doing so increases the odds of user error resulting in unintentional deletion of important groups.
Granting admin rights to a few users can be beneficial, as it prevents a single employee from being solely responsible for creating, moderating and managing user groups. At the same time, you have to balance that against the potential risk of data loss. Make sure you understand what rights the Admin and Owner roles carry, and that you’re comfortable assigning those privileges to the employees you choose as admins.
Risk #3: The threat posed by third-party app integrations
This one should come as no surprise: Be cautious when linking Slack to third-party apps, especially those that contain other types of sensitive information (such as your CRM, Google Drive, etc).
Consider that, in 2016, employees at 18F shared Google Drive documents through Slack, inadvertently exposing more than 100 governmental Google Drive accounts at the General Services Administration (GSA) for nearly six months. The breach occurred because the GSA had made the connection between the two apps using an authentication protocol known as “OAuth2.0,” which neither Slack nor the GSA’s IT standards had approved.
If connecting apps to your Slack instance is a “must”, confirm that the appropriate authentication protocols are being used. But as a general rule, avoiding third-party app integrations entirely is a safer approach.
Review all third-party integrations every quarter to confirm they are still needed, and remove any that are not.
Risk #4: Known and unknown system vulnerabilities
Slack’s popularity and the size of its active user base make it an appealing target for hackers looking to infiltrate organizations that use the communication tool. With breaches and cybercrime at all-time highs, no system is off-limits to hackers — especially not one in which so much valuable private information is shared.
Take a recently-discovered vulnerability, as reported by Wired’s Lily Hay Newman:
“Frans Rosén, a researcher at the web security company Detectify, submitted [the vulnerability] to Slack’s bug bounty program in mid-February. If exploited, the vulnerability would allow an attacker to log into a Slack account as if they were the legitimate user of the account. From there, the attacker would have full access to look at chat histories, shared files, and any other group chats/channels the user had access to.”
Rosén shares full documentation of the bug on the Detectify blog, but in short, it arose from a flaw in the way Slack was configured to communicate with other domains. Slack has since repaired the vulnerability, but such quick fixes don’t exist in all cases.
As an example, security researcher Inti De Ceukelaire discovered faulty business logic on popular third-party online help desks that enabled him to spoof company email addresses and access team pages in Slack. Though Slack recommends specific steps that can be taken against this possibility, as reported by The Next Web contributor Matthew Hughes, iterations of the attack are still effective.
Don’t rule the human-error element out of Slack vulnerabilities either. In April 2016, Ars Technica reported that “A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites.” Despite Slack declaring that access tokens should be treated with the same level of care as passwords, Ars Technica’s search revealed “more than 7,400 pages containing ‘xoxp’” (the prefix contained in tokens that in many cases allow automated scripts to access a Slack account).
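The token-leak problem described above is one a team can catch on its own side before a commit or a paste ever reaches a public site. The scanner below is an added example (not Ars Technica’s, Slack’s or Password Boss’s code): it looks for strings shaped like Slack tokens in arbitrary text and reports them redacted, so a pre-commit hook or chat-export review can flag them for revocation. The regular expression is an assumption built from the “xoxp” prefix quoted in the article and the “xoxb” bot-token prefix, not an official token specification, and the sample input is constructed with obviously fake values.

```python
"""
Slack token scanner: find strings that look like Slack API tokens in text
(commit diffs, pasted configs, chat exports) so they can be revoked and rotated.
The pattern is an assumption based on the "xoxp" prefix the article cites
and the "xoxb" bot-token prefix; it is not an official specification.
"""
import re

# Assumed token shape: "xox" + one type letter + "-" + hyphen-separated
# alphanumeric groups. Requiring 10+ characters after the prefix avoids
# matching the bare word "xoxp" in prose such as this article.
TOKEN_RE = re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b")


def redact(token):
    """Keep the prefix and tail so a finding is recognisable without reproducing the secret."""
    return token[:5] + "..." + token[-4:]


def scan_text(text):
    """Return (line_number, redacted_token) for every candidate token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def should_block(text):
    """Pre-commit style decision: True if any candidate token was found."""
    return bool(scan_text(text))


# Constructed sample: a config fragment and a commented-out legacy token.
# Both values are fake and were made up for this example.
SAMPLE = """\
SLACK_BOT_TOKEN=xoxb-0000000000-1111111111-fakefakefakefakefakefake
LOG_LEVEL=INFO
# old user token, never committed for real:
# token = "xoxp-2222222222-3333333333-4444444444-fakefakefakefakefakefake"
box-1234 is not a token, and neither is the word xoxp on its own
"""

if __name__ == "__main__":
    for lineno, token in scan_text(SAMPLE):
        print(f"line {lineno}: possible Slack token {token}")
    print("block commit:", should_block(SAMPLE))
```

Wire `should_block` into a pre-commit hook or a CI step over the staged diff; any hit should be treated as a compromised credential and revoked in Slack, not merely deleted from the file, since the value may already exist in history or in someone’s clipboard.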
Joining publicly-accessible Slack groups may also present a data leakage risk. In February 2018, the Origin Report’s Josh Fraser shared that the 1,118 members of its open Slack community had their personal information — including their email addresses, usernames, real names, profile pictures, last updated timestamps and timezone settings — exposed by a hacker who manipulated API keys.
Risk #5: Data access by Slack team members
Finally, be aware that very little is known about which Slack team members can access user data, and when they can do it. Though Slack claims to have technical, audit and policy controls in place to prevent inappropriate access, they also acknowledge that they did not intentionally build an app that would prevent employees from accessing information without authorization.
Electronic Frontiers Foundation Senior Staff Attorney Nate Cardozo isn’t happy with this response. In an interview with Gizmodo, he states, “Slack could have built this system in a way that no one within the company had access into user data,” referencing zero-knowledge encryption, an end-to-end encryption method. “What it comes down to is, trust us.’”
Understandably, Slack’s shortcomings on this issue have prompted fears of an as-yet-unreported “God mode,” similar to the one that got Uber in so much trouble. Though Slack denies this possibility, it’s best to remember that you’re better safe than sorry when disclosing important information online.
How to keep Slack as secure as possible
While you can’t guarantee security on someone else’s system, there are a few steps you can take to minimize the risk that the data your team shares on the platform will be accessed improperly.
#1. Never share passwords on Slack
Under no circumstances should employees ever share passwords on Slack. If they need to pass on access to different programs, password management solutions like Password Boss are a safer, more easily controlled choice.
#2. Turn on two-factor authentication
At a minimum, make two-factor authentication (2FA) mandatory for all users in a workspace. If your workspaces also use SAML-based single sign-on (SSO), you can still use 2FA, but you’ll need to set it up with your identity provider, according to Slack’s instructions.
#3. Apply your company’s email security policies to Slack
Your company should have a defined email security policy in place. If so, apply these same requirements to Slack usage (and, if not, put that on your to-do list right away). A few specific requirements your policy should encompass include:
- Guidance around sharing login credentials with others
- How confidential or sensitive information should be shared
- Password strength and security standards
#4. Make Slack security training a part of employee onboarding
Don’t rely on policies alone. Incorporate Slack security training into new employee onboarding programs, and run regular refresher courses periodically.
Teach employees they shouldn’t share anything on Slack that they wouldn’t put in an email. It may also be worth teaching them about specific risky behaviors that should be avoided on Slack (such as inadvertently creating public links to files when sharing assets).
Make Slack security screening a part of your ongoing security process as well. Follow news about Slack (set up Google Alerts), paying particular attention to any bugs that are discovered or vulnerabilities that are identified. An ounce of prevention here may truly be worth a pound of cure.
Is Slack security on your radar? If so, what steps are you taking to keep your organization’s workspaces safe? Leave us a note below with your comments:
Introduction
If you’re sending instant messages at work, chances are you’re using Slack, the business-oriented analog of WhatsApp or Discord. Slack currently boasts over 12 million users worldwide, and as more businesses turn to remote or hybrid work environments, that number is only expected to grow. But Slack’s popularity raises a very important question: exactly how secure is Slack?
After all, most businesses have a trove of sensitive information that they would rather not see splashed across the dark web. But in the age of major hacks, your secrets are only as secure as your messaging platform. And, according to some cybersecurity experts, Slack has a few major vulnerabilities that every business should be aware of.
Is Slack secure?
It’s a fair question to ask, since Slack is one of the most widely used instant messaging systems for business. It’s also a question that yields some surprising answers.
Although Slack’s overall security has improved in the last couple of years, there are still some nagging issues yet to be resolved. Let’s take a look at some of Slack’s vulnerabilities.
Third-party apps
Third-party apps are the Achilles’ heel of the cybersecurity world. If a vulnerability arises in just one of the over 900 apps and bots that Slack users have to choose from, the issue can easily travel upstream to Slack. And since users at all levels have the power to install apps at will, this can be a difficult problem to manage.
User vulnerabilities
Among Slack users, there are some common misconceptions about the platform’s privacy. Since the platform is invite-only, many users mistakenly think that everything they share via Slack will be private.
Unfortunately, it’s not that simple. Since Slack members have the power to invite new members, edit user groups and invite guests into private channels, the system is not as private as many users perceive it to be. Users also have the ability to turn private files into external links which can then easily become publicly available URLs. In just a few clicks, anyone on the web with the URL can access the file.
Is Slack encrypted?
Surprisingly, Slack does not have end-to-end encryption. This creates an enormous security risk for the mountains of sensitive data on Slack’s servers. Not only is this data vulnerable to outside hackers, but also malicious insiders who may wish to exploit it for personal gain. For that reason, it’s essential for businesses to seek out third-party security features to protect their users and data.
Are there security solutions for Slack?
Despite its security flaws, Slack is still an enormously popular communication tool and doesn’t appear to be going anywhere fast. Luckily, security vendors have stepped in to fill some of the gaps in Slack’s defenses. And since Slack uses open-source APIs, vendors have access to all the tools they need to make safe, effective security solutions for the platform’s millions of users worldwide.
To Slack’s credit, they’ve done a good job at making third-party security features accessible to users. Since they’re available in Slack’s app browser menu, installation is easy for users of all levels of tech proficiency. Once the feature is installed, the user will be protected from some of the major vulnerabilities native to Slack.
Among third-party security solutions for Slack, a few stand out as must-haves. SafeGuard Cyber is one of them. Their SaaS platform evaluates all incoming Slack communications, including messages, images, links and attachments, for malicious content. SafeGuard also offers compliance and archiving features.
Another standout solution was created by Avanan, a vendor specializing in CASB solutions. Avanan’s Slack security platform includes URL filtering, hacked account detection and malware protection. The full administration dashboard also enables businesses to protect themselves from security threats like phishing links and compromised accounts.
Conclusion: Third-party security integrations make it possible to monitor Slack for data infiltration risks
Slack does not natively enable message monitoring. And since most security threats arrive via message content in the form of infected links, attachments, and images, this is a huge security gap.
However, third-party security features are available to bridge this gap. Platforms like Avanan and SafeGuard Cyber enable businesses to monitor Slack for data infiltration and cyberthreats, making the communication tool safe and secure for their ever-expanding user base.
Sources
Slack’s number of users from February 2014 to October 2019, by paid status (in 1,000s), Statista
Is Slack Secure? Slack Security Explained, Avanan
Are Slack messages really private? Here’s what to know, Mic
How Secure Is Slack for your Business?, Expert Insights
Using Slack? Make Sure You Cover These 5 Security Risks, Password Boss