How secure is Slack for your business?

Slack has quickly skyrocketed in popularity, with more than 12 million daily active users (in 2020), and is expected to continue growing to 79 million by 2025 (BI). Unfortunately, with this increased usage and interest in Slack comes along an attraction of hackers. More people are using Slack, so there is an expansion of attack surface, more entry points into the web application, opportunities for hackers, high-value targets, etc.

So, how safe is Slack for your businesses? Can you trust it with all your business's sensitive data and devices? How secure are your files, conversations, and all the data that Slack has been moving around and storing? These are serious questions that need to be considered if your business is using Slack daily.

In this article, we will explore everything you need to know about Slack's security. How secure is it for business, and what features does it have to ensure that your conversations are kept safe and private? What are the risks, and what are the necessary steps to mitigate them? In the last section, we will discuss a few alternatives to Slack.

Table of Contents

1. Historic Vulnerabilities or Bugs in Slack
2. Risks Associated with Slack Security
3. What does Slack do to protect devices, users, and data?
4. What can you do to make Slack safer for your business?
5. Best alternatives to Slack for business communications
6. Final Thoughts

1. Historic vulnerabilities or bugs in Slack

Slack has become one of the most popular communication and collaboration platforms among organizations, businesses, industries, and individuals. But like any software, Slack is not immune to risks, bugs, and vulnerabilities. The following are three infamous and historic system flaws that have been reported in Slack:

• In 2016, employees at 18F shared documents from Google Drive via Slack, accidentally exposing over 100 GSA Google Drive accounts for nearly six months. The GSA used an authentication protocol known as “OAuth2.0” to connect the two apps, but neither Slack nor the GSA's IT standards had approved it.
• In 2017, Tenable Research's David Wells reported a hijack vulnerability in Slack's Desktop version 3.3.7 for Windows. The vulnerability allowed an attacker to perform corporate espionage, manipulation, or gain access to documents through any direct messaging or Slack channels to which an attacker was authenticated. With this vulnerability, attackers could drop a hyperlink into a Slack channel (phishing attempt) that changed the document download location path when clicked. Once the download path was altered, the attacker could steal and manipulate documents downloaded in the slack application.
• In 2020, according to AT&T cybersecurity intelligence, Slack's service was subject to a phishing attack vulnerability in which hackers could send malicious links to users. The links, which appeared to be coming from legitimate sources, would redirect users to a phishing website and steal their login credentials. The vulnerability came from Slack's Incoming Webhooks feature, which allowed posting messages to Slack channels by specifying a unique URL, a message body, and a destination channel.

And there have many similar threat attacks to the ones shown above. However, after identifying these vulnerabilities, Slack has been quick enough to remediate and update its software.

2. Risks associated with Slack security

The chat system on Slack is more than just an internal business communication tool. It also serves as a mentorship platform, a free help desk and customer support, and a digital water cooler for company gossip. Moreover, Slack is also used by employees to share confidential business information, including business plans, employee information, customer data, or sensitive login information. If an unauthorized user gains access to a Slack account, they could easily gain access to such sensitive information—leading to a data breach.

A data breach is the most significant risk when using Slack.

Data breaches can happen due to improper use of the platform, Slack’s own bugs and vulnerabilities, phishing scams, social engineering, or compromised “integrated” third-party apps. For example, without proper training, Slack users might fall for phishing messages or links that could lead to the installation of malware or the theft of personal information.

Another limitation for certain types of businesses while using Slack is the lack of a robust set of regulations and compliance. Some organizations may be subject to regulations requiring them to retain certain types of communications, such as financial transactions or health patient data. Although Slack adheres to GDPR and CCPA (and some other regulations), Slack’s retention policies and features may not meet a specific company’s compliance requirements.

Although these scenarios can’t be blamed on the security of Slack itself, they happen through it and should be kept in mind. So, it is essential to be aware of them and take the necessary steps to mitigate them.

3. What does Slack do to protect devices, users, and data?

Is Slack encrypted? Yes, by default, Slack provides encryption features to protect data at rest and in transit. According to Slack's website, the communication platform provides encryption to safeguard your data in transit and during transmission between your network and the Slack services. In addition, Slack also protects your data at rest— data being stored in Slack servers. Additionally, Slack provides other means to protect the network, devices, and users from the risks mentioned above. However, it is also worth noting that Slack does not provide end-to-end encryption.

a. How does Slack safeguard data in transit?

Slack utilizes robust encryption protocols for all data transfers between its clients and the service. When and if clients support it, Slack uses the most recent secure cipher suites, including TLS 1.2 (HTTPS), AES256, and SHA2 signatures.

b. How does it protect data at rest?

All data that is at rest within Slack's systems—relational databases, file stores, database backups, and so on—are encrypted using FIPS 140-2-compliant encryption standards. A secure server houses all encryption keys on a separate network with minimal access.

The Slack service is also hosted in secure data centers managed by industry leaders, which provides physical protection for the servers and infrastructure. All customers' data is separated and hosted in a shared infrastructure. Additionally, Slack provides data residency, allowing customers to select the location of where to store their data.

c. Are there additional built-in security features?

To further enhance security, Slack provides other means to protect its users and their data (especially for its enterprise users). From network security, identity, and access controls (2FA), device management, server hardening, system monitoring, logging and alerting, and more. Furthermore, Slack also provides other means to protect data with tools like Enterprise Key Management (EKM), Data Loss Prevention (DLP) integrations, and Audit logs API.

Note: Slack provides encryption methods to protect data at rest and in transit but does not provide end-to-end encryption by default. The communication and data shared on the platform are not encrypted so that only the sender and the intended recipient can access them (as E2EE). Not using E2EE allows enterprise executives to have complete visibility into communications across different work groups and channels. But unfortunately, this may also open the door to possible catastrophic consequences for all its users. 

4. What can you do to make Slack safer for your business?

The fact that Slack uses encryption by default to protect data in transit and data-at-rest already ensures that unauthorized parties can’t intercept and interpret data. But for most companies, having this level of encryption plus a few built-in security tools is not enough to protect their most sensitive business data from evolving risks, vulnerabilities, and human misuse. Plus, without end-to-end encrypted communications, businesses won’t feel secure. Leaving data’s safety and privacy at the hands of the communication platform is a pill hard to swallow for most companies.

Although Slack does everything in its capability to protect its users from known and unknown bugs and vulnerabilities, there are still numerous business risks from using the platform.

Consider the following best security practices when using Slack. 

• Establish security policies for managing Slack Accounts Slack can be risky when onboarding and offboarding user accounts. For instance, an employee leaving on bad terms with active access to Slack is a high risk. Similarly, security can be compromised when granting too much authority to users with “Owner” and “Admin” roles.
• Train employees to be secure-aware Social engineering targets the human link. For example, a disgruntled former employee could post phishing scams, or a low-privilege user may have access to business plans or financial documents. Whatever the case, it is always recommended to train Slack users to follow security best practices.
• Follow best practices when integrating apps Slack’s integrations provide more flexibility and customizability to the app. You can, for instance, integrate an existing service like Google Drive or Dropbox into Slack. However, always remember there are potential threats when integrating third-party apps into Slack. To avoid this, understand all apps permissions, assign an integrations manager, create approval policies, and know which apps have been approved by Slack App Directory.

5. Best alternatives to Slack for business communications

This section will explore some of the best alternative business communication platforms to Slack. We will look at tools with similar capabilities to Slack in terms of communication and collaboration but with a twist in how they deal with security. Although Slack is one of the most widespread communication platforms for businesses, it does have its limitations.

Note: Keep in mind that security is constantly evolving, so the tools shown in this list are not necessarily more secure than Slack; they simply target different types of businesses, and so they tackle security differently. 

Below are some alternative secure solutions for business communication.

1. Microsoft Teams

Microsoft Teams is regarded as one of the best alternatives to Slack in terms of features and functionality. As of 2023, it is used by 270 million daily active business users worldwide, making it one of Slack's biggest competitors. The app's most prominent feature includes its group chat, which has interactive options like editing or deleting messages at any time and starting new threads. Regarding security, Microsoft Teams is built on top of the Microsoft 365 platform, which provides a wide range of top-notch security features.

2. Google Meet

Google Meet (formerly Google Hangouts) is originally designed as a video conferencing service. It is part of G Suite and is built on Google’s secure infrastructure. It provides vital business tools like file sharing, meetings schedule, email exchanges, and presentations. A significant highlight difference between Slack and Google Meet is that the former provides end-to-end encryption for video and audio calls and advanced security features. In addition, Google Meet is also certified for several regulatory “compliance” standards, such as HIPAA and SOC2, while Slack is not.

3. Mattermost

Mattermost is a good choice if you’re looking for an open-source and self-hosted messaging alternative tool to Slack. It is similar to Slack and Microsoft Teams but can be deployed either on-premises or cloud. Mattermost’s main selling point is its privacy options, in contrast to other apps’ emphasis on project management and chat-based features. Rather than relying on a third-party service to protect your data in a “secure” location, Mattermost gives you complete control of your deployment. Mattermost also provides features like end-to-end encryption, secure file sharing, and compliance with various regulations and standards.

4. Rocket.Chat

Rocket.Chat is another open-source and self-hosted messaging platform similar to Mattermost and Slack. It includes features such as group and direct messaging, voice and video calls, screen sharing, file sharing, and many integrations. Rocket.chat is a highly suitable tool for communications and team collaborations. Similar to Mattermost, Rocket.chat can also be run on-premises, in the cloud, or on a virtual private server (VPS). Being also open-source and self-hosted allows Rocket.chat to give more control and view over the data and infrastructure of businesses – making it a potentially more secure option than Slack.

5. Discord

Discord is a versatile communication platform that allows for text, voice, and video communication. Although Discord was mainly created for gaming purposes, it has also worked well for team and business communications. It is still worth noting that Discord was designed for gaming communities, so it may not provide the same features that a more business-oriented Slack would, especially regarding data privacy. But still, many users consider Discord’s video calling and voice calling particular features more secure than Slack, and some others use it along a VPN. Plus, Discord also offers security tools like 2FA, spoofy link filters, safe direct messaging, and more.

Final Thoughts

Slack is the ultimate wingman for boosting communication and productivity in your team, but like any good friend, it's essential to keep an eye out for potential hazards. Don't worry; we're not suggesting ditching Slack altogether—just learning how to use it safely.

Think of it like learning self-defense for your digital life. Two-factor authentication and strong passwords are like your trusty pepper spray, training employees to spot phishing scams is like learning martial arts, and good file-sharing practices are like having a bodyguard. And just like any good squad, it's important to have a solid game plan in place for governance and compliance, as well as to keep tabs on everything with proper monitoring and account management.