Slack seems like a no-brainer. But as with any platform, it comes with risks. Most people using Slack aren’t tech geniuses, but there are many aspects of Slack that managers need to be wary of. From users downloading messages to default settings that make links public, there are key security risks you’ll need to weigh. Read on to learn more.
Slack makes adding new employees quick and painless, but it’s important not to underestimate the power of adding someone new to a channel full of confidential information. This is particularly relevant when it comes to employee termination. If employees leave on bad terms, every minute that they’re still in a Slack channel is a minute that confidential company information could be at risk. To avoid security breaches, make sure removing former employees from Slack is a routine part of the exit process, every bit as important as changing passwords and deactivating their company email. Check out the Slack guide to adding and removing users here.
Make sure to also review any external people that may have access. Whether it’s a client or someone who comes to fix the computer, Slack users should be reviewed regularly to maintain a secure system.
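One way to make that review routine is to reconcile the workspace member list against the HR roster each time someone leaves. The example below is added here, not from the original article or from Slack: it reads a constructed sample of the JSON that Slack’s users.list API returns (the field names are Slack’s documented ones; the people and emails are made up) and flags full members who are no longer on the roster plus guest accounts that should be reconfirmed.

```python
import json

# Constructed sample in the shape of Slack's users.list response.
# Field names follow Slack's user object; the accounts are invented.
SLACK_USERS_JSON = """
{"ok": true, "members": [
 {"id": "USLACKBOT", "name": "slackbot", "deleted": false, "is_bot": false,
  "is_restricted": false, "is_ultra_restricted": false, "profile": {}},
 {"id": "U001", "name": "alice", "deleted": false, "is_bot": false,
  "is_restricted": false, "is_ultra_restricted": false,
  "profile": {"email": "alice@example.com"}},
 {"id": "U002", "name": "bob", "deleted": false, "is_bot": false,
  "is_restricted": false, "is_ultra_restricted": false,
  "profile": {"email": "Bob@example.com"}},
 {"id": "U003", "name": "carol", "deleted": false, "is_bot": false,
  "is_restricted": false, "is_ultra_restricted": false,
  "profile": {"email": "carol@example.com"}},
 {"id": "U004", "name": "dave-contractor", "deleted": false, "is_bot": false,
  "is_restricted": true, "is_ultra_restricted": false,
  "profile": {"email": "dave@client.example"}},
 {"id": "U005", "name": "erin", "deleted": true, "is_bot": false,
  "is_restricted": false, "is_ultra_restricted": false,
  "profile": {"email": "erin@example.com"}},
 {"id": "B001", "name": "deploybot", "deleted": false, "is_bot": true,
  "is_restricted": false, "is_ultra_restricted": false, "profile": {}}
]}
"""

# Constructed HR roster of current employees (hypothetical).
HR_ROSTER = {"alice@example.com", "bob@example.com"}


def audit_members(users_json, active_emails):
    """Classify Slack accounts for the exit-process review.

    Returns {'deactivate': [...], 'review_guests': [...]}: full members whose
    e-mail is not on the HR roster, and guest (restricted) accounts that a
    human should reconfirm. Deactivated accounts, bots and Slackbot are skipped.
    """
    active = {e.lower() for e in active_emails}
    deactivate, review_guests = [], []
    for m in json.loads(users_json)["members"]:
        if m.get("deleted") or m.get("is_bot") or m["id"] == "USLACKBOT":
            continue
        email = (m.get("profile") or {}).get("email", "").lower()
        if m.get("is_restricted") or m.get("is_ultra_restricted"):
            review_guests.append(m["name"])  # guests: confirm still needed
        elif email not in active:
            deactivate.append(m["name"])     # full member, no longer on roster
    return {"deactivate": sorted(deactivate), "review_guests": sorted(review_guests)}
```

The returned lists are the to-do items for the person running offboarding; the actual deactivation still happens through Slack’s admin settings.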
Though it’s tempting to connect Slack with all the other apps you use regularly for maximum convenience, it’s important to think critically about who will have access to what as a result and what security breaches it may leave you vulnerable to. When you link third-party apps, there’s always the risk that the log-in procedures will change and individuals will gain access to apps and information they normally wouldn’t have access to.
In 2016, a routine audit revealed that by integrating Google Docs with Slack and failing to adjust log-in procedures, the General Services Administration (a government entity) left confidential information exposed for months. To be safe, avoid linking other apps. The small amount of extra work it will take will be worth the security it brings.
Because of Slack’s default settings, when a user creates a link to a file shared on Slack, it is automatically a public link. Anyone can click on it and have full access without any sort of password or log-in. Now imagine all the documents that get shared on Slack on a daily basis. Would you want all of them available to the public? It’s a good idea to disable this feature on the Settings and Permission page in Slack.
Assigning certain employees as Slack admins is a great way to delegate and create an efficient workflow. But don’t underestimate how much power admins have. They can create and delete channels, which may be full of key information, and create new admins, neither of which is a reversible action. They have access to settings which can allow any user to create and delete channels and add any new users they want. They can view any and all files that are shared in public channels in your workspace, and export much of it with ease.
As Slack has gained popularity among businesses everywhere, it has unsurprisingly become a target for hackers. Back in 2017, a security company discovered a glitch that could have allowed hackers to easily get into different accounts and access individuals’ messages and documents. It was the modern-day equivalent of the old email scam: click on a suspicious link and the next thing you know your account is in the hands of a hacker. Slack has since fixed the bug, but hackers will no doubt search for other weaknesses.
According to MarketWatch, hackers are increasingly stealing data in order to blackmail users. That rant you went on to a coworker over private messages about your boss? In a blackmail hack, you may be forced to choose between paying up or being exposed.
Most recently, Slack reportedly closed a loophole in the Microsoft Windows version of the app which would have allowed hackers to download messages, according to Engadget.
When Slack went public in April 2019, it went so far as to warn investors that cyber security hacks posed a risk to the stock’s earnings. While many of the security breaches that have received publicity didn’t actually lead to data being shared inappropriately, the potential for grave consequences is ever present. There’s no simple answer as to whether Slack is uniquely vulnerable to attacks, but as of right now, there’s no question it’s a high value target.
According to the Slack website, Slack employees only see messages when it’s absolutely necessary in order to fix a bug.
But even if Slack employees aren’t reading your messages, security concerns could arise from within. As of last year, certain users can download messages without others being notified. This means that even if you follow all of the best practices for removing former employees immediately, they may be able to hold onto confidential company information. Workspace owners can download all messages and files from public channels, and those with the Plus plan have the ability to do so with private channels and direct messages, according to NBC. Those with the free or standard plan are required to obtain consent from the applicable employees.
Mashable outlined how to check whether others have the ability to download your private messages. “When logged into Slack, head on over to slack.com/account/team. Once you're on that page, scroll down to the bottom. Under "Exports," check and see what privileges are listed. If it only lists "PUBLIC DATA CAN BE EXPORTED," then the spokesperson assured us that your boss cannot pull your DMs. If it lists private data, well, then you're out of luck.”
On its website, Slack features a lengthy list of all the ways it complies with the GDPR, or General Data Protection Regulation, a law passed in Europe that went into effect in 2018. You can read it here. One of the ways Slack promises compliance is through “self-certification” under the E.U.-U.S. and Swiss-U.S. Privacy Shield. Any claims that are not independently verified raise a certain amount of suspicion.
Enterprise Ready breaks down how Slack has handled one of the biggest concerns of GDPR, exporting messages on public and private channels.