Summary

  • Slack! Everyone loves it – but it’s not without its security risks.
  • Aside from the platform’s own vulnerabilities, Slack is notorious for data leakage and the insider threat. Slack’s native security capabilities aren’t enough to protect your organization.
  • Solutions like cloud-based DLP are a must-have to protect sensitive data in collaboration tools like Slack, Teams and Zoom.

 

In a little over a decade, the collaboration tool Slack has catapulted into popularity, becoming one of the most widely used SaaS collaboration tools globally. Nowadays, 43% of Fortune 100 businesses use Slack, and it is beloved by startups and small-to-medium-sized businesses around the US.

But, while Slack may be great for collaboration and communication – particularly in remote working environments – the software is not without security risks. 

Here’s what you need to know. 

Security risks of using Slack and how to solve them 

Risk: Like any business, Slack is vulnerable to data breaches

Last year’s Kaseya supply chain cyberattack highlights the potential for cybercriminals to breach a software provider and then crawl into its clients’ networks. No business or service provider is 100% safe from such a data breach – and Slack is as vulnerable as any other. 

In fact, last year, Slack’s Securities and Exchange Commission S-1 filing showcased the number of attacks the company faced, including threats by nation-state groups. As well as this, we must remember that Slack experienced a data breach in 2015, which saw hackers gain access to its user profile database, including email addresses and encrypted passwords.

Then, last year, Slack’s developers unintentionally released a bug in an update, which caused its Android app to log user credentials in clear text on the device. While only a subset of users was impacted, this error highlights again that Slack is not impenetrable. After all, the people behind the company are human, and humans will inherently make mistakes at some point.

Solution: Plan for the worst 

This is not to put you off using Slack. These threats are outside your company’s control and are risks that come with using any third-party provider. However, it is essential to minimize such risks by putting plans in place for incident response, disaster recovery and supply chain risk management.

We recommend looking at NIST’s resources on supply chain security and incident response management as starting points. 

Risk: The insider threat in the remote working world

The insider threat has many faces. It can be a disgruntled employee, an unwitting one or even a cybercriminal who has gained access to legitimate credentials. The tricky thing is, within the Slack-sphere, it can be hard to tell who is who – and what data they’re accessing. 

According to Panda Security, insider incidents have increased by 47% over the last two years. As more employees work from home, away from the watchful eyes of IT, many have become more laid back about corporate security policies. They may send confidential data to the wrong person by accident or share passwords amongst teams for ease of use. These practices increase the risk of a data breach, which can result in a costly compliance fine.

As well as this, we must remember that it is harder to verify that users are who they say they are when they log in to Slack. We only need to look to the recent EA breach for an example. In this instance, the hackers got hold of an EA employee’s Slack credentials. They found their way to EA’s IT support on Slack and pretended to have lost their phone “at a party last night”. They requested a multi-factor authentication token and were then able to get into EA’s corporate network.

Solution: Deploy a CASB 2.0 framework 

While the insider threat is potent in Slack, there are steps you can take to reduce its success. First things first, we advise you to look beyond Slack’s native security capabilities. While these are good for the basics, they do not provide the granular visibility you need to get a handle on the insider threat. 

Instead, it would be best if you opted for a cloud-native data loss prevention (DLP) tool – also known as CASB 2.0 – that integrates into Slack. These solutions enable you to create watertight data governance policies to ensure that only trusted and verified employees can access sensitive corporate data. The best-in-breed of these solutions will also offer real-time alert and redaction capabilities, ensuring that no sensitive data sneaks away in a chat or attachment. 

We also advise you to consider nudge training – a form of on-the-go eLearning that encourages users to make security-conscious choices as they go about their workday.

Nudge training tools can be integrated into the daily workflow, appearing like a prompt or reminder. These bite-sized, real-time alerts can go a long way to change employee behavior and tend to be more effective than security training away days. 

Risk: You can’t find data you don’t know about 

Without a robust data governance strategy, your collaboration tools are likely a minefield of sprawling, sensitive, unstructured data. You won’t have visibility into where sensitive data is, who has access to it and where it has been transferred to. This is a data breach – and compliance failure – waiting to happen.

We know from IBM that the cost of a data breach in 2021 was an astonishing $4.24 million per incident. So, finding and securing this data is something to be taken seriously.

Solution: Unlock the power of data classification

The good news is that, no matter where you are in your data governance journey, tools like CASB 2.0 and cloud-based DLP can help you regain control of your SaaS environment. These solutions combine a variety of security services – including user authorization, data classification and cloud configuration audits – to enhance the IT team’s visibility and control over how data is being stored and where.  

With data classification, they can detect PII, PHI and trade secrets, preventing them from being unlawfully shared, transported or accessed by unauthorized parties. Moreover, because next-generation DLP works in-app, it doesn’t hold up employee productivity or disrupt the workflow, meaning the end-user experience is unaffected.
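To make the classification and redaction steps described above concrete, here is an added example (not code from this post or from any vendor's product) that classifies message text for card numbers and US SSNs and redacts matches before raising an alert. The detector set, the message shape and all function names are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# (label, pattern, validator); illustrative detectors, not a vendor rule set
DETECTORS = [
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), lambda s: True),
]

def classify(text):
    """Return sorted, non-overlapping (start, end, label) findings."""
    hits = sorted((m.start(), m.end(), label)
                  for label, pattern, valid in DETECTORS
                  for m in pattern.finditer(text) if valid(m.group()))
    kept = []
    for hit in hits:
        if not kept or hit[0] >= kept[-1][1]:
            kept.append(hit)
    return kept

def redact(text):
    """Replace each finding with a marker; return (clean text, labels)."""
    findings = classify(text)
    for start, end, label in reversed(findings):
        text = text[:start] + f"[REDACTED:{label}]" + text[end:]
    return text, [label for _, _, label in findings]

# Constructed sample messages (simplified shape, all values are fake)
MESSAGES = [
    {"channel": "#support", "user": "U001", "text": "Customer card is 4111 1111 1111 1111, please refund."},
    {"channel": "#hr", "user": "U002", "text": "New hire SSN: 123-45-6789"},
    {"channel": "#ops", "user": "U003", "text": "Order 1234 5678 9012 3456 shipped."},
]

def scan(messages):
    """Return (redacted messages, alerts) for a batch of messages."""
    redacted, alerts = [], []
    for msg in messages:
        clean, labels = redact(msg["text"])
        redacted.append({**msg, "text": clean})
        if labels:
            alerts.append((msg["channel"], msg["user"], labels))
    return redacted, alerts
```

The order number in the third message matches the card pattern but fails the Luhn check, so it is left alone; validators like this are what keep regex-based classification from flooding analysts with false positives.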

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
