Slack has become one of the most integral platforms for businesses over the last decade, with more than 12 million users currently active. Despite its popularity, however, there are some Slack security concerns that linger from the platform’s 2015 security breach. In early 2020, hackers were able to access Twitter’s internal systems via Twitter's Slack account, where the perpetrator of the attack found "Twitter credentials" that "gave him access to the company servers." Twitter was forced to shut down temporarily to resolve the problem. And, in June 2021, hackers tricked an EA Games employee into providing a login token over Slack, and then used the account information to steal data.
Slack remains an appealing target for many hackers that use a combination of social engineering and old-fashioned malware to access user data. Here’s what you need to know about Slack security and how to protect your sensitive information on the platform.
Is Slack secure?
The answer is a bit complicated. Slack has many security features, but that doesn’t make it invulnerable to attacks.
Slack gives clients the ability to manage users and groups, streamline authentication, and assign roles and permissions. The platform’s security features are divided into three main categories:
- Identity and device management
- Data protection
- Information governance
The company states, “Our security approach focuses on security governance, risk management, and compliance. This includes encryption at rest and in transit, network security and server hardening, administrative access control, system monitoring, logging and alerting, and more.”
Slack is also certified by a host of compliance organizations, such as the Cloud Security Alliance and ISO/IEC. It’s also worth noting that the standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant.
However, it is often incumbent on the business user to configure Slack’s security to its most rigorous standard.
As CNBC reported, “[A]ll of these tools only work if companies use them. In many organizations, cloud-based tools like Slack enter from the ‘bottom up,’ meaning that normal employees start using them for work productivity without drawing IT into the loop. As a result, the people administering Slack channels may have no idea that these tools are available or know how to use them — they may not even be aware of the risks.”
This lack of oversight leads to many Slack security concerns and vulnerabilities without the user’s awareness.
[Watch our on-demand webinar: How to Discover & Protect Sensitive Data in Slack]
Slack security concerns
On the platform side
Despite Slack’s many security features, data leaks and attacks are still possible. Often, leaks happen as a result of poor security protocols on the business side; however, there has recently been a rise in cyberattacks against Slack that should concern all users.
Organized crime and nation-state actors are increasingly targeting Slack, as well as traditional cybersecurity threats from rogue, unaffiliated hackers. Slack’s Securities and Exchange Commission S-1 filing offered information about a data breach the company experienced in March 2015, which exposed usernames, email addresses, encrypted passwords, and phone numbers stored by the company.
These types of threats are beyond your company’s control but are nevertheless essential to mapping the threat landscape of cloud applications. Your assessment of Slack security risks should take these attacks into account, given that no platform can guarantee that it will never be breached. Build a strong business continuity plan should a worst-case scenario emerge from a Slack security breach.
On the user side
Insider threat is one of the biggest risks to security, and Slack is no different. In 2019, Verizon’s Data Breach Investigations Report found that 34% of security incidents involved internal actors, with some industries, like education and health care, at higher risk for such attacks.
Many CEOs worry about the information employees share casually over Slack. CNBC’s report found that executives worry that sensitive information freely exchanged over Slack channels would easily be made public.
“‘I love my people, but they never shut up on Slack,’” one executive said to the news outlet. “‘It’s very good for productivity, but the problem is we’re working on security, so we have to be careful about what we say.’”
Like many SaaS programs, security is only as strong as the people using the platform. Organizations must take intentional steps to train employees, monitor for threats, and implement layered security protocols in addition to those built into Slack’s service offering.
Watch the following clip from one of our most recent Slack security webinars, where we talk with Bluecore CISO Brent Lassi about the types of security incidents that can occur in Slack. You can also download the entire webinar to watch on-demand.
How to improve Slack security
First and foremost, organizations must concentrate on minimizing the risk of insider threat. To maintain Slack privacy, Slack admins must take a proactive role in managing user permissions. This involves deciding who needs to have access to which channels, closing old accounts as needed, and sunsetting any channels that aren’t being used. Install 2FA or multifactor authentication to make it harder for hackers to penetrate your workspace.
It’s also worth noting that Slack supports integration with third-party data loss prevention tools like Nightfall to protect information from leaking to outsiders. Nightfall is an official Slack DLP partner and can be installed as a Slack bot, meaning it scans for data automatically at the application level.
Nightfall offers a way to prevent exfiltration, insider threat, accidental exposure, harassment, and more. Machine learning helps IT teams detect suspicious files and messages in real-time and take action directly within Slack to prevent the sharing of classified data. Granular detection logic and automated workflows make managing data security in Slack easier and faster than ever.
To get started with Nightfall, schedule a demo at the link below.