Is Slack Secure For Your Business?

Uploaded on 2020-10-01 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Slack is used as a communal discussion center for businesses and it has increased in popularity in the last few years. Slack now has 10 million daily active users, making it the leading platform for live discussions within organisations.   

Slack is used by 65 of the top Fortune 100 companies and over 85,000 businesses, from SMBs to large enterprises, are  using the paid tier of Slack within their business. Slack is a great place to have secure conversations, but that doesn't mean you should treat it like it's watertight.

Never use Slack to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Anything highly confidential should be kept off the platform.

For Slack’s millions of daily users, the chat system represents more than just a communications tool. It also functions as a digital water cooler for company gossip, a channel for the airing grievances and a mentorship platform for junior employees can interact directly with senior counterparts. And in some cases, a platform that employees share sensitive and important login details and passwords.

The intimate nature of Slack leads most users to the assumption that their communications are confidential. However, there are a number of security blind spots on Slack that leave companies in a vulnerable position.

Slack does encrypt your messages. According to the company's security page, it secures your messages both when they are in transit between parties (i.e., when you send them) and when they are at rest.

This huge number of users represents an opportunity for hackers to utilize the platform to infiltrate networks and gain access to sensitive data. So, how secure is the Slack platform and should your organization be thinking of security solutions to protect this attack vector?

When Slack first launched in 2013, it was branded as a friendly alternative to Microsoft’s team tools. You could communicate instantly using this platform, with group messages and full conversation logs. However, in 2015 Slack was hacked, revealing the holes in its security. The company announced that over four days it’s systems had been hacked, compromising some of its users’ data. This included email addresses, usernames, encrypted passwords.

Recently, another security problem became clear as Slack allowed hackers to remotely exploit a vulnerability in Slack allowing them to input malware or alter information. The problem has been fixed by Slack, but the attack surface remains large. 

Slack has become a platform where users must be vigilant about looking out for phishing attacks and spam messages. Because Slack is invite-only, users assume that their workspace is secure, but this is not always the case. In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.

These types of phishing attacks through Slack could be potentially much more damaging than a similar campaign would be through email. 

It’s important to remember that even if your co-workers or your manager might not have easy access to your private Slack messages, there’s still a lot they can learn about you based on your profile, like your time zone, your contact information, phone number, location, and social media that you might have put on Slack. You could also find their member ID number, which might not be too revealing, and files that they’ve sent by clicking through on their individual profile, which would potentially be more revealing.

Like email, Slack is an incredibly useful and productive communications tool for businesses. Also, like email, businesses will not stop using Slack because of the security concerns. All businesses should be considering the security of Slack and the steps they can take to make sure their employees and sensitive data and financial information sent through Slack is safe. 

Expert Insights:        Threatstack:       Mic:      PasswordBoss:     Vox:      Image: Iconscout

You Might Also Read: 

Is There A Truly Secure Messaging App?:

 

 

« Improving SME Cyber Security
Foreign Hackers Threaten US Election Security »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Blue Solutions

Blue Solutions

Blue Solutions is a consultancy-led, accredited software distributor who provides IT solutions and support to small and medium enterprises.

Anomali

Anomali

Anomali delivers intelligence-driven cybersecurity solutions to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.

SynerComm

SynerComm

SynerComm is an IT solution provider specializing in network and security infrastructure, enterprise mobility, remote access, wireless solutions, audit, pentesting and information assurance.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Sandline Discovery

Sandline Discovery

Sandline Discovery provides digital forensics, eDiscovery solutions, managed review and litigation consulting services.

CyberTech Network

CyberTech Network

CyberTECH is a global cybersecurity, Internet of Things (IoT) and Smart City network ecosystem and incubator operator.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

SMESEC

SMESEC

SMESEC is a lightweight Cybersecurity framework for protecting small and medium-sized enterprises (SME) against Cyber threats.

River Loop Security

River Loop Security

River Loop Security specialize in solving complex cybersecurity challenges in the IoT and embedded devices space.

Trilateral Research

Trilateral Research

Trilateral Research provide regulatory and policy advice; develop new data-driven technologies and contribute to the latest standards in safeguarding privacy, ethics and human rights.

LGMS - LE Global Services

LGMS - LE Global Services

LGMS is a leading cyber security penetration testing and assessment firm in the Asia Pacific region.

VinCSS

VinCSS

VinCSS Internet Security Services JSC is a leading organization working in the field of researching, developing, producing products as well as providing cyber security services.

Cytek

Cytek

Cytek is a leading provider of cybersecurity and HIPAA compliance for dental practices and other industries.

Gilsbar

Gilsbar

For more than half a century, Gilsbar has offered insurance service solutions and support for businesses and their employees.

E-CQURITY (ECQ)

E-CQURITY (ECQ)

ECQ is a network security company offering offensive security services and solutions focused on active offensive and defensive positioning.