Slack is an incredibly popular app. It became a lifeline for so many companies during remote work in 2020 and it will remain an essential part of working life for years to come.
But just because it's a helpful business app does not mean it comes without issues. Like many apps, it is liable to be hacked; data can be stolen; havoc can be wreaked.
In order to use Slack effectively, companies have to also ask themselves: Is Slack Secure?
We'll run down the inherent issues in the app and some steps your company can take to secure Slack.
Slack Security Concerns
Slack does not provide any default security protections. That means that everything you share—files, company data and information—is ripe for hackers.
Because Slack is known to be invite-only, there is a common presumption that everything shared on Slack is private.
An employee on any plan can create an external link, which converts a file tethered to an organization into a publicly available URL. Any member of Slack has the potential to create and edit user groups, add apps and integrations, invite new members, and invite a multi-channel guest to a private channel.
And since anyone can create groups, add apps and invite members, it means that the potential for chaos is high.
Slack Data Security
Companies share everything on Slack: files, budgetary spreadsheets, company announcements, sensitive documents. They share funny GIFs and literally everything else:
But that share-ability can lead to the following bad outcomes:
- One-click forwarding of sensitive information outside the organization, either by mistake or deliberately,
- External members, who can easily join a company's channel, are free to access an entire repository of information
Any data or information shared on Slack can easily be passed on. This can happen maliciously or by mistake—many users consider Slack to be internal but forget that external partners might also have joined a channel.
On Slack, users can share malicious links or malware without realizing and there are no protections against it. And given the general trust employees have of the platform, anyone in your company could click on a malicious link or download malware.
It's fairly easy to join a Slack channel. Any user, at almost any permission level, can invite others to join whether inside or outside the company. The approval process is often loose and casually enforced.
With the sudden ramp-up of Slack usage, unfamiliar users are likely to trust what they see and permissions approved in bulk.
The first compromised account typically happens by email. Subsequent 'east-west' compromise typically avoid email in order to avoid detection. As companies move internal communication to Slack , the attackers will follow.
Slack Security Best Practices
The above seems daunting, but there are ways to protect your organization.
Here's how the Avanan solution works:
- Every file is sandboxed before downloading. When zero-day malware or ransomware is discovered, Avanan quarantines the file, performs threat extraction, and alerts the user, who has the option to request file restoration.
- DLP security tools detect leaks of PCI, HIPAA, FERPA, PII, and other sensitive information. When necessary, Avanan adds a -classified suffix to the end of confidential messages or files. Flexible workflows determine if the content is quarantined, the user is alerted, and/or the file is encrypted with IRM.
- The anomaly engine monitors all Slack logins and events for suspicious activity. Avanan alerts the Slack administrator, the affected accounts, and disables the compromised account to prevent the spread of sensitive data, malicious files, and phishing URLs.
- A detailed dashboard updates administrators on general usage in Slack. The Avanan Slackbot logs the total number of users, files, shares, links, logins, channels, and threat detections.
Securing Slack is possible and with Avanan it's easy. With a few simple clicks, all of the inherent issues can go away.
Learn more about Avanan's Slack protections and start a free trial today.