Slack itself incorporates many enterprise-level security measures, including ISO and SOC security certifications, HIPAA and FINRA compliance, and a GDPR data management program. Users at the corporate and individual level can do several things to further secure the data they send on Slack. Read our full article below to learn more about Slack safety and security. It isn’t just small companies that love Slack. When IBM selected Slack as the official instant messaging and collaboration tool for its more than 350,000 employees, the move was widely seen as a big win in the Slack vs. Microsoft Teams war. But how secure is Slack really? And what can you do to ensure the information you send is safe and remains private? Whether you’re an employer or an employee, we’ll tell you everything you need to know about Slack and its security.
Slack Security and Privacy Concerns
Online privacy and the security of the data sent across the platform are legitimate concerns, whether you’re using Slack desktop or the Slack app on a mobile device. Luckily, Slack has a few decent systems and policies in place to keep your private data secure.
How Slack manages data
Slack doesn’t slouch when it comes to securing data. The company uses enterprise-grade security controls to meet global compliance requirements and has earned a host of security-related certifications, including ISO/IEC 27001, 27017, 27018, and 27701, SOC 2, SOC 3, APEC for Processors, and APEC for Controllers. In addition, Slack is HIPAA and FINRA compliant and has implemented a GDPR compliance program. Slack encrypts data at rest and in transit, and it offers further controls to safeguard sensitive data, such as two-factor authentication, session duration limits, and session management. However, Slack does not use end-to-end encryption: the service holds the encryption keys so that workspace admins can access communications for business purposes. The practical consequence is that anything you post can be read by Slack itself and, through exports or legal requests, by people other than the participants in the conversation.
How Slack manages security threats
In addition to the security measures noted above, the company combats cybercriminals through its Slack bug bounty program. Anyone can report a vulnerability they have found in Slack and receive a bounty for it; Slack can then patch the weakness and strengthen its software. The program encourages the identification of Slack security flaws before they are exploited, and many key vulnerabilities have been found and fixed this way. Since the program’s inception, Slack has awarded over $900,000 to security researchers who identified potential vulnerabilities in the Slack platform.
How Slack handles government demands
Slack’s privacy policy states that the company doesn’t voluntarily disclose information to governments. However, it will comply with requests arising from a valid legal process. This means that the company does store information and will disclose it if compelled to by law. But what counts as a valid legal process? The phrase covers subpoenas, court orders, and warrants, and these are not limited to governments: any party to litigation, including a competitor who sues you or your company, can ask a court to compel Slack to turn over the contents of your Slack channels. Because Slack holds the encryption keys, it can produce those contents in readable form. This could include critical information you don’t want your competitor to have. This nightmare scenario is very unlikely, but not impossible. In general, the idea that your business’s internal communication could be read by others isn’t great, even if it might be necessary in some cases. Each year, Slack issues a transparency report that summarizes all disclosures made in response to valid legal process requests. While the number of disclosures is small, confidential data was shared.
Are your Slack chats private?
From an employee standpoint, you may be less concerned with how vulnerable your company’s sensitive data is, and more concerned with how private your personal information is on Slack. As with most corporate tools, start from the assumption that anything you do is saved and reviewable by your boss, their boss, or the HR department. Slack is no exception. You can, however, easily check what information your organization retains and who can export it. Here’s how:
The difference between public channels, private channels, and direct messages is especially important here. On the lower-tier plans, admins can export data only from public channels, and your DMs and private channels remain visible only to the participants of those conversations. On the higher-tier plans, and where the workspace has been approved for a full export, admins can export private channels and DMs as well, so check which plan and export settings your workspace uses rather than assuming DMs are private. Even where export is restricted, anyone in a conversation can take a screenshot, including of private messages. As a general rule of thumb, avoid putting anything in writing that you wouldn’t want made public. Save the snarky comments about your boss or complaints about a client for after-work drinks at the local pub.
How to Stay Safe On Slack
Even with these security measures, Slack is still a cloud-based service, and its accounts, integrations, and messages remain targets for determined cybercriminals. Here are eight ways to maximize your safety and mitigate your Slack privacy concerns.
1. Don’t share confidential information
Never disclose passwords or other confidential or sensitive information on Slack. This includes sending files that contain private company or client information. If you need to give a colleague a password, use a password manager instead; 1Password, for example, offers shared vaults for teams. Other confidential and sensitive information should go through more secure internal channels that are not exposed to an attacker who compromises a Slack account and would not be swept up in an export or a court order against your Slack data.
2. Require two-factor authentication
It’s always a good idea to use two-factor authentication (2FA) for login. With 2FA enabled, you log into Slack with your password plus a verification code from your phone, so a stolen or phished password alone is no longer enough to get in. You can set up 2FA on Slack through either an authentication app or an SMS text message by following these steps: Prefer the authentication app where you can; SMS codes can be intercepted through SIM-swap attacks and are the weaker of the two options. Keep in mind that this is the process to set up two-step verification on one user account only. If you want this throughout your business, a workspace owner can require 2FA for all members from the workspace settings, which is more reliable than asking each employee to activate it. For companies that already use single sign-on (SSO), 2FA is enforced at the identity provider and should be required there.
3. Set up a system for managing employee onboarding and offboarding
For larger employers, one of the biggest challenges is keeping track of which employees have access to Slack. To avoid unwanted access by workers who are no longer with the company, and to ensure new employees get timely access, have a documented process for granting and revoking Slack accounts. Make someone in your organization responsible for granting and deactivating access the moment there’s a change in the workforce, and periodically reconcile the list of active Slack accounts against the HR roster so that nothing slips through. Where your plan and identity provider support it, automated provisioning and deprovisioning (SCIM) removes the manual step altogether. By keeping Slack access current, employers avoid the risk of former employees reading or using Slack in improper ways.
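A periodic reconciliation of the kind described above, as an added example that is not part of the original article or Slack’s own tooling. It parses a response in the shape returned by the Slack Web API method users.list and compares it against an HR roster; both the response and the roster are constructed inline here, and the roster format is an assumption.

```python
"""Reconcile active Slack accounts against an HR roster (added example).

Assumes the JSON body of a users.list call (Slack Web API) and an HR roster
that is a set of e-mail addresses of current employees. Both are constructed
stand-ins here; a real run would page through users.list using
response_metadata.next_cursor and pull the roster from the HR system.
"""
import json

# Constructed stand-in for one page of a users.list response.
USERS_LIST_RESPONSE = json.dumps({
    "ok": True,
    "members": [
        {"id": "USLACKBOT", "name": "slackbot", "deleted": False, "is_bot": False,
         "profile": {"email": ""}},
        {"id": "U0001", "name": "alice", "deleted": False, "is_bot": False,
         "is_admin": True, "profile": {"email": "alice@example.com"}},
        {"id": "U0002", "name": "bob", "deleted": False, "is_bot": False,
         "profile": {"email": "bob@example.com"}},
        {"id": "U0003", "name": "carol", "deleted": True, "is_bot": False,
         "profile": {"email": "carol@example.com"}},
        {"id": "B0001", "name": "deploybot", "deleted": False, "is_bot": True,
         "profile": {"email": ""}},
    ],
})

# Constructed HR roster: e-mail addresses of people currently employed.
HR_ACTIVE = {"alice@example.com", "dave@example.com"}


def reconcile(users_list_json, hr_active):
    """Return accounts to deactivate, employees without an account, and admins."""
    data = json.loads(users_list_json)
    if not data.get("ok"):
        raise ValueError(f"users.list failed: {data.get('error')}")
    to_deactivate, admins, seen = [], [], set()
    for member in data["members"]:
        # Slackbot and app bot users are not employees; skip them.
        if member.get("is_bot") or member["id"] == "USLACKBOT":
            continue
        # Already deactivated accounts need no action.
        if member.get("deleted"):
            continue
        email = member.get("profile", {}).get("email", "").lower()
        seen.add(email)
        if email not in hr_active:
            # Active Slack account with no matching current employee.
            to_deactivate.append(member["id"])
        if member.get("is_admin"):
            admins.append(email)
    # Current employees who have not been invited yet.
    not_yet_invited = sorted(hr_active - seen)
    return {"deactivate": to_deactivate,
            "not_yet_invited": not_yet_invited,
            "admins": admins}


if __name__ == "__main__":
    print(reconcile(USERS_LIST_RESPONSE, HR_ACTIVE))
```

The admin list is returned alongside the discrepancies because the same review is the natural moment to confirm that admin rights still belong only to people who need them.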
4. Train users on Slack best practices
Companies that use Slack for collaboration should take time to ensure all employees understand the company’s Slack usage policies. One way to streamline this is to apply your corporate email security policies to Slack. However, it takes more than writing the policy down somewhere. Build Slack training into the employee onboarding process and offer periodic refresher courses so the information stays front of mind.
5. Use channels to manage outside user access
If you’re collaborating with clients or vendors on Slack, limit their exposure to company information by giving them dedicated channels. You can use Slack Connect to invite them and control what they can see. Make sure you know exactly which channels outsiders have access to, and review that list regularly. Once the project is complete, remove the external organization from the channel or archive it so that external access ends with the engagement.
6. Be careful with third-party app integrations
Slack offers numerous apps to integrate with, including Google Drive and Dropbox. With this convenience comes additional risk: every third-party app connected to Slack is another party holding a token for your workspace, and Slack is only as safe as its weakest linked app. While the most popular integrations are generally well maintained, keep such connections to a minimum, and before approving an app, review the OAuth scopes it requests. An app that only needs to post notifications has no reason to read channel history, files, or members’ email addresses. Admins should be the only ones able to approve integrations, which prevents employees from adding risky third-party apps on their own.
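A scope review gate of the kind an approving admin would apply, as an added example that is not part of the original article or Slack’s own approval feature. It evaluates the oauth_config section of a Slack app manifest against a hypothetical policy; the policy categories and the sample manifest are assumptions constructed for this example, while the scope names are real Slack scopes.

```python
"""Review the OAuth scopes a Slack app requests before approving it (added example).

The policy below is a hypothetical one for illustration: admin-level scopes are
denied outright, scopes that read message or file content or expose e-mail
addresses need human review, and any user-token scope needs review because
the app then acts as the installing user rather than as a bot.
"""
import fnmatch

# Hypothetical policy tables (real Slack scope names, our own grouping).
CONTENT_READ = {"channels:history", "groups:history", "im:history",
                "mpim:history", "files:read"}
IDENTITY = {"users:read.email"}
DENY_PATTERNS = ("admin*",)


def review_scopes(manifest):
    """manifest: dict shaped like a Slack app manifest; returns (decision, findings)."""
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    bot = set(scopes.get("bot", []))
    user = set(scopes.get("user", []))
    findings = []
    for scope in sorted(bot | user):
        if any(fnmatch.fnmatch(scope, pat) for pat in DENY_PATTERNS):
            findings.append(("deny", scope, "admin-level scope"))
        elif scope in CONTENT_READ:
            findings.append(("review", scope, "reads message or file content"))
        elif scope in IDENTITY:
            findings.append(("review", scope, "exposes member e-mail addresses"))
    for scope in sorted(user):
        findings.append(("review", scope, "user token: app acts as the installing user"))
    if any(level == "deny" for level, _, _ in findings):
        decision = "deny"
    elif findings:
        decision = "review"
    else:
        decision = "approve"
    return decision, findings


# Constructed sample manifest fragment for a notification bot that asks for more
# than notification needs.
SAMPLE_MANIFEST = {
    "oauth_config": {
        "scopes": {
            "bot": ["chat:write", "channels:read", "channels:history"],
            "user": ["users:read.email"],
        }
    }
}

if __name__ == "__main__":
    decision, findings = review_scopes(SAMPLE_MANIFEST)
    print(decision)
    for finding in findings:
        print(*finding)
```

The bot above would be sent back to the vendor with a request to drop channels:history and the user-token scope; a bot that only posts needs chat:write and nothing that reads.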
7. Beware of phishing attempts
Much like email, Slack is not immune to phishing attacks. In 2017, hackers sent fake Slackbot messages to a group of cryptocurrency enthusiasts on Slack, directing them to a bogus website that asked for financial information. Direct messages are also a favorite way to reach unwary Slack users. Most people know how to recognize phishing attempts in their email inbox, but a dangerous direct message arriving on a newer platform like Slack raises less suspicion, and attackers capitalize on that to trick users into divulging confidential information. Knowing the common tricks helps: a message claiming to be from Slackbot that comes from an ordinary user account, a link whose visible text shows one domain while the underlying URL points to another, and any message that urges you to sign in or enter a password right now should all be treated as suspect.
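A small detector for the three tell-tale signs listed above, as an added example that is not part of the original article or any Slack feature. It inspects message payloads in the shape Slack’s Events API delivers (a user ID, an optional username, and mrkdwn text in which links are written as <url|label>); the sample messages and the trusted-domain allow-list are constructed assumptions.

```python
"""Flag likely phishing in Slack message payloads (added example).

Checks: (1) a message presenting itself as Slackbot whose sender is not the
real Slackbot user ID USLACKBOT; (2) a mrkdwn link whose visible label is a
URL on a different domain than the one it actually points to; (3) a message
that asks for credentials and links to a domain outside the org's allow-list.
The allow-list and the sample messages are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Slack mrkdwn link: <https://host/path|optional label>
LINK_RE = re.compile(r"<(https?://[^|>]+)(?:\|([^>]*))?>")
CREDENTIAL_PROMPT_RE = re.compile(r"(password|verify|sign.?in|log.?in|wallet)", re.I)

# Assumed organisational allow-list of domains that may legitimately ask for a login.
TRUSTED_DOMAINS = {"slack.com", "example.com"}


def _domain(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse_message(msg, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    claimed_name = (msg.get("username") or "").lower()
    if claimed_name == "slackbot" and msg.get("user") != "USLACKBOT":
        findings.append("claims to be Slackbot but sender is not USLACKBOT")
    text = msg.get("text", "")
    asks_for_credentials = bool(CREDENTIAL_PROMPT_RE.search(text))
    for href, label in LINK_RE.findall(text):
        real = _domain(href)
        if label and re.match(r"https?://", label):
            shown = _domain(label)
            if shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
        if asks_for_credentials and not _trusted(real, trusted):
            findings.append(f"credential prompt with untrusted link to {real}")
    return findings


# Constructed sample payloads.
LEGIT_SLACKBOT = {"user": "USLACKBOT", "username": "Slackbot",
                  "text": "Reminder: standup at 10:00."}
LEGIT_LINK = {"user": "U0001",
              "text": "Draft is here: <https://docs.example.com/plan|project plan>"}
PHISH = {"user": "U0BAD", "username": "Slackbot",
         "text": ("Your session expired. Sign in again to keep access: "
                  "<https://slack-verify.example.net/login|https://slack.com/signin>")}

if __name__ == "__main__":
    for sample in (LEGIT_SLACKBOT, LEGIT_LINK, PHISH):
        print(sample.get("user"), analyse_message(sample))
```

In a real deployment this would run over messages received through the Events API and raise a ticket for review; the allow-list is the part that needs tuning per organisation.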
8. Use a good antivirus program
Whenever you go online, there’s a risk of malware infecting your device, and Slack is no exception. It’s far too easy to click a sketchy link or open a dubious attachment, and once that happens, malicious content can land on an individual computer and spread from there into the organization’s network. Solid antivirus protection identifies these threats quickly and removes them before they create bigger problems. To learn more about how an antivirus program can help you stay safer online and find one that works for you, check out our recommendations for the best antivirus software.
Final Thoughts
Slack is an enormously popular tool for instant communication and collaboration. However, its benefits come with security risks, and companies and individuals using Slack should stay vigilant and take steps to minimize them. Refrain from sending confidential information on Slack. Use two-factor authentication for an added layer of login security. Keep tight control over who has Slack access, and be wary of phishing attempts that arrive as Slack messages. These basic steps, combined with Slack’s own security controls, make Slack a secure and efficient means of collaboration and communication. Want to learn more? Here’s our comparison of Slack with Microsoft Teams. You can also read about how secure Microsoft Teams is and then decide.