Slack is a messaging and collaboration app that connects people to the information they need.
Slack is designed for businesses, organizational communications, and as a community platform. Users can communicate with voice and video calls, text, and multimedia messaging in private chats or discussion forums called channels or workspace communities.
Slack operates a combination of freemium and premium business models. Its main premium features are the ability to search more than 10,000 archived messages and to add unlimited apps and integrations. Slack integrates with many third-party services and supports community-built integrations, including Google Drive, Dropbox, GitHub, Zendesk, Zapier, and a host of others. Slack provides mobile apps for iOS and Android in addition to its web browser client and desktop clients for macOS, Windows, and Linux.
By bringing people together to work as one unified team, Slack has transformed the way organizations communicate since its launch to the public in 2013. According to recent statistics from its website, Slack now boasts over 200k paid customers, and 77 of the Fortune 100 companies use the service. This huge number of users and the trove of sensitive business and private information that resides on the platform makes it attractive for cybercriminals. So, how secure is the Slack platform for your business?
Is Slack Secure?
The primary objective of information security efforts is to protect the confidentiality, integrity, and availability of data. Confidentiality means that data is protected from unauthorized viewing or access. Integrity means that information is protected from unauthorized modification to ensure that it is reliable and accurate. And availability means that authorized users have access to the systems and the resources they need at all times.
Slack states that the operation of its services “requires that some Slack employees may have access to the systems which store and process customer data”. Although Slack claims it has technical controls and audit policies in place to ensure that any access to customer data is logged, the whole thing appears to be shrouded in mystery. So in essence, Slack is indirectly saying to its customers, “trust us, we know what we’re doing”. In the last few years, Slack has suffered various cyberattacks that affected data confidentiality and availability of the service.
For instance, in March 2015, Slack announced it had been hacked, and that some data associated with user accounts had been compromised, including email addresses, usernames, hashed passwords, phone numbers, and Skype IDs. In response to the attacks, Slack added two-factor authentication to its service.
In May 2019, a remotely exploitable vulnerability in the Windows desktop app version of Slack was uncovered. The vulnerability could allow attackers to gain full remote control over the Slack desktop app, and thus access to private channels, conversations, passwords, and other confidential information. They could also alter where files from Slack are downloaded, and potentially infiltrate internal networks, depending on the Slack configuration. In response to the bug discovery, Slack provided a patch as part of its update for the Slack desktop app for Windows.
In January 2021, Slack suffered a denial of service attack that lasted several hours. During the outage, users could not log in, send or receive messages, place or answer calls, or use Slack connections. In 2022, Slack also suffered similar outages in February, March, and July.
In August 2022, Slack notified some of its users that their hashed passwords had been exposed for the previous five years. The flaw exposed users' hashed passwords when they created or revoked shared invitation links for workspaces. The bug affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022. In response, Slack immediately reset the affected users' passwords, requiring them to set a new password before they could log in again.
Of course, the above incidents do not in any way prove that Slack is insecure (indeed, no system is 100% secure); rather, they open our eyes to the inherent risk involved in using such cloud applications for sharing sensitive personal and business information, so that we can approach it with the right security mindset.
How Does Slack Manage Security Threats?
Slack makes use of the infrastructure provided by Amazon Web Services to host and process customer data. It promises to provide appropriate technical and administrative measures to protect customer data against accidental or unlawful destruction or denial of access (availability), loss of data or unauthorized access and disclosure of data (confidentiality), and alteration of data (integrity) processed or transmitted through the Slack platform.
According to information available on its website, the following are some of the security measures put in place by Slack to protect the confidentiality, availability, and integrity of data on its platform:
- Security Controls: Slack is loaded with lots of security controls to mitigate all kinds of security risks. Some of these controls include but are not limited to access logging, access management, data retention, host management, network protection, product security practices, two-factor authentication, session duration limits, session management, and more.
- Security Logs: Slack maintains an extensive centralized logging system on its platform that contains information about security, monitoring, availability, access, and other metrics about the Slack services. These logs are analyzed for security events using automated tools such as SIEM software.
- Incident Management: Slack maintains security incident management policies and procedures, and notifies affected customers of any unauthorized disclosure of their data as soon as it becomes aware of it, to the extent permitted by law (such as breach disclosure laws). Slack follows several best practices in standing up for users, including requiring a warrant for content stored on its servers. In response to law enforcement requests, Slack says it will notify customers before making the disclosure. But according to the EFF, Slack allows for a broad set of unexplained loopholes.
- Data Encryption: By default, Slack encrypts data at rest and data in transit for all of its customers. It also offers other security features such as Enterprise Key Management (Slack EKM) and integrations with the best data loss prevention tools to safeguard sensitive data. Sadly, Slack does not support end-to-end encryption.
- Bug Bounty: A bug bounty program is a deal that allows individuals to receive recognition and compensation for finding and reporting bugs, especially security exploits and vulnerabilities. The Slack bug bounty program allows it to stay ahead of attackers by letting experts find and report vulnerabilities before they are exploited or leaked into the wild. Slack in turn works on patching the weaknesses and strengthening its software. Many of the vulnerabilities found in the application were identified through this program, and Slack fixed them promptly.
- Deletion and Return of Customer Data: Slack provides the option for workspace Primary Owners to delete their data at any time during a subscription term. Within 24 hours of a deletion initiated by the workspace's Primary Owner, Slack hard deletes all information from currently running production systems. Also, within 30 days post-contract termination, customers may request the return of their respective data submitted to the Slack services, to the extent such data has not been deleted by the customer.
How to Stay Safe On Slack
Even with those security measures in place, there are several ways that attackers can gain unauthorized access to your Slack platform. Here are five ways you can minimize security risks and stay safe on the platform.
- Develop and enforce a corporate Slack policy: A corporate Slack acceptable use policy is a management document that formally outlines guidelines for acceptable use of the company Slack platform. A Slack policy will help ensure that employees are aware of their responsibilities when using the platform, including what they can and cannot do, and that these terms are agreed on. This means that an employee can be held accountable if there is a breach of the agreed terms. This minimizes the risk of cyberattacks and data breaches.
- Regular security awareness training: A security awareness program aims to train users on the potential threats to an organization's information and how to avoid situations that might put the organization's data at risk. It is performed to modify employees' behavior and attitude toward security. In information security, people are the weakest link. You may have the best technical controls in place, but if your people are not well-trained on how to spot and respond to potential security threats, all those controls will amount to little or nothing. Organizations that use Slack must ensure all employees understand the company's Slack usage policies, and how to avoid behaviors that might put the organization's data at risk, including sending confidential business and private information on the platform.
- Employee access management: The goal of access rights management is to ensure that only authorized users gain access to the organization's Slack platform. The admin should be responsible for granting and denying access to Slack the moment there's a change in the workforce. You must keep track of employees that are authorized to use the platform to avoid a situation where former employees still maintain access to the platform. Enable two-factor authentication for an added layer of login security, and keep tight control on who has Slack access.
- Implement the Principle of Least Privilege: Least privilege means users should be granted the minimum amount of access required to do their jobs, but no more. This protects your Slack platform by limiting the potential damage that can be caused by an unauthorized user gaining access to the whole platform and the information contained within it. If you're collaborating with partners, vendors, or clients on Slack, limit broad access to the organization's information by creating channels. You can use Slack Connect to invite them and control the information they can access. Make sure you know exactly which private and public channels these external users have access to, and delete them or revoke their access as soon as the collaboration is over.
- Be cautious when linking Slack to third-party apps: Slack supports integration with numerous third-party apps to power many automation features. With this convenience comes additional risk. With every third-party app connected to Slack, the potential for vulnerability increases. A wrong move can open the door to compromised webhooks that expose valuable business data. While most integrations are generally safe, it's wise to keep such connections to a minimum or, if possible, avoid them completely. But if you must integrate, then Workspace Owners must understand app permissions, control how apps are installed and by whom, and control exactly which apps get installed by creating lists of approved and restricted apps. This minimizes your attack surface and the risk of exposure.
- Beware of phishing attacks: As businesses move towards modern enterprise messaging and collaboration tools like Slack, phishing techniques are changing to target those tools. Most people know how to recognize and respond to email phishing scams, but are completely lost when it comes to newer technologies like Slack. Attackers capitalize on this weakness to trick unsuspecting users into divulging confidential information and granting rogue access requests. Telling the two apart is not always easy: inexperienced employees may mistake a phishing attempt for genuine business communication, and once access has been compromised, the attacker can gain unauthorized access to channels and confidential chat archives.
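The access management and least privilege points above amount to a periodic audit: reconcile the workspace member list against the HR roster, flag members without two-factor authentication, and list external guests whose access should be reviewed. The script below is an added example, not Slack's own code; its member records are constructed sample data shaped like entries from Slack's users.list API (the field names are an assumption about that response), and the HR roster keyed by e-mail is likewise assumed.

```python
"""Offline audit of a Slack member list against an HR roster (added example).

SAMPLE_MEMBERS is constructed data mimicking the shape of Slack's users.list
response (assumed fields: id, deleted, is_bot, is_restricted, is_ultra_restricted,
has_2fa, profile.email). It is not real workspace data.
"""

# Constructed sample: current employees according to HR (assumption: keyed by e-mail).
HR_ROSTER = {"ann@example.com", "bob@example.com", "cat@example.com"}

# Constructed sample members, shaped like Slack users.list entries.
SAMPLE_MEMBERS = [
    {"id": "U001", "deleted": False, "is_bot": False, "is_restricted": False,
     "is_ultra_restricted": False, "has_2fa": True, "profile": {"email": "ann@example.com"}},
    {"id": "U002", "deleted": False, "is_bot": False, "is_restricted": False,
     "is_ultra_restricted": False, "has_2fa": False, "profile": {"email": "bob@example.com"}},
    # Former employee: still active in Slack but no longer on the HR roster.
    {"id": "U003", "deleted": False, "is_bot": False, "is_restricted": False,
     "is_ultra_restricted": False, "has_2fa": True, "profile": {"email": "dan@example.com"}},
    # Deactivated account: must not be flagged.
    {"id": "U004", "deleted": True, "is_bot": False, "is_restricted": False,
     "is_ultra_restricted": False, "has_2fa": False, "profile": {"email": "eve@example.com"}},
    # External guest (vendor) with single-channel access, lacking 2FA.
    {"id": "U005", "deleted": False, "is_bot": False, "is_restricted": True,
     "is_ultra_restricted": True, "has_2fa": False, "profile": {"email": "guest@vendor.example"}},
    # Integration bot user: excluded from the people checks.
    {"id": "B001", "deleted": False, "is_bot": True, "is_restricted": False,
     "is_ultra_restricted": False, "has_2fa": False, "profile": {}},
]

def audit_members(members, roster):
    """Return findings: former employees still active, members without 2FA, guests to review."""
    findings = {"orphaned": [], "no_2fa": [], "guests": []}
    for m in members:
        if m.get("deleted") or m.get("is_bot"):
            continue  # deactivated accounts and bots are out of scope here
        email = m.get("profile", {}).get("email", "")
        is_guest = m.get("is_restricted") or m.get("is_ultra_restricted")
        if is_guest:
            findings["guests"].append(m["id"])      # external access: confirm it is still needed
        elif email not in roster:
            findings["orphaned"].append(m["id"])    # full member not on the HR roster
        if not m.get("has_2fa"):
            findings["no_2fa"].append(m["id"])      # 2FA not enabled on an active account
    return findings

if __name__ == "__main__":
    for kind, ids in audit_members(SAMPLE_MEMBERS, HR_ROSTER).items():
        print(f"{kind}: {ids}")
```

Orphaned full members are candidates for immediate deactivation; guests are reviewed against the channels they can still see, as the least privilege item recommends.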
8 Best Secure Alternatives to Slack
- Microsoft Teams: One of the biggest competitors to Slack when it comes to enterprise messaging and collaboration. Teams comes with a highly interactive group chat, private chat features, video chat, and audio calling. All chat content in Teams is encrypted in transit and at rest. In December 2021, Microsoft added end-to-end encryption for one-on-one Teams calls.
- Google Meet: Google's alternative to Slack, specifically designed and optimized for businesses that depend heavily on Google Workspace. Google offers Meet as a free service, but you gain additional features when you pay for Google Workspace subscriptions. In May 2022, Google announced that the Meet platform will include optional client-side encryption, a move that will give Google Meet users control over their encryption keys.
- Mattermost: A popular open-source, self-hostable online messaging service designed as a secure open-source alternative to Slack. Mattermost's central selling points are its privacy, unlimited message search, and over 700 third-party integration options.
- Wickr: An instant messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. The software is one of the most successful secure Slack alternatives, and it's targeted at the enterprise market. Wickr is available for iOS, Android, Mac, Windows, and Linux.
- Rocket.Chat: An open-source communication and collaboration platform designed for businesses that want full ownership of their data. Unlike Slack, Rocket.Chat supports end-to-end encryption.
- Troop: A messaging and collaboration app that offers chat, video, and audio calling features. Troop's main selling point is its support for end-to-end encryption.
- Keybase Teams: A secure alternative to Slack targeted at small to medium-sized teams. It is a relatively new entrant to the market and offers messaging and file-sharing services. Unlike Slack, Keybase features end-to-end encryption.
- Flowdock: A budget-friendly alternative to Slack for those looking to avoid spending too much on a remote team collaboration app. Its premium package offers features such as data encryption, Flow-level administration, and SSO.