
How Secure Is Slack For Your Business?

Slack is quickly becoming the most popular tool for organizations to communicate – but does it pose security risks?


Slack is a collaboration hub for businesses that has exploded in popularity over the last five years. It now has 10 million daily active users, making it by far the leading platform for live chat within businesses.  Slack boasts that it’s being used by ‘65 of the top Fortune 100’ companies. Their internal statistics tell us that 85,000 businesses, from SMBs to large enterprises, are now using the paid tier of Slack within their organization.

This huge number of users represents an opportunity for hackers to utilize the platform to infiltrate networks and gain access to sensitive data. So, how secure is the Slack platform and should your organization be thinking of security solutions to protect this attack vector?

Is Slack Secure?

When Slack first launched in 2013, it was branded as a friendly alternative to Microsoft’s team tools. You could communicate instantly using this platform, with group messages and full conversation logs. This made it attractive to businesses looking for an easy way to share messages instantly, with integrations with other business apps.

However, in 2015 Slack was hacked, revealing the holes in its security. The company announced that over four days its systems had been hacked, compromising some of its users’ data. This included email addresses, usernames and encrypted passwords. Slack also noticed some suspicious activity on user accounts, suggesting at least some accounts became compromised. A compromised Slack account from a CEO or executive level position could cause as many security issues as a compromised email account. This hack led Slack to implement two-factor authentication.

Just this week, another security vulnerability was uncovered in Slack that allowed hackers to remotely alter where files sent through Slack are downloaded, allowing them to inject malware or alter information, as reported by Threatpost. This bug has now been patched, but the attack surface for Slack remains large.

Open Communities and Phishing attacks

Slack features ‘open communities,’ which allow large groups of people to communicate easily. Channels can be opened with any individuals, and a username is all a user has to verify the identity of the person they are speaking to.

This means that like email, Slack has become a platform where users must be vigilant about looking out for phishing attacks and spam messages. Because Slack is invite-only, users assume that their workspace is secure, but this is not always the case.

In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.


These types of phishing attacks through Slack could be potentially much more damaging than a similar campaign would be through email.

In an interview with Expert Insights, President and CTO of SafeGuard Cyber Otavio Freire argued that “people have learned to distrust what they see in an email. But with new technologies, they haven’t experienced that reason to distrust yet.”  

Slack themselves, while removing the infected accounts, have put the onus on security teams to protect themselves from phishing attacks, telling Ethnews: “we encourage team admins and members to be vigilant, and to review and enforce basic security measures.”

So how can businesses protect themselves while using Slack?

Security solutions for Slack

Like email, Slack is an incredibly useful and productive communications tool for businesses. Also, like email, businesses will not stop using Slack because of the security concerns.

Slack has provided security vendors a way to create security solutions for Slack using their open source APIs. This has allowed vendors to create multiple security apps for Slack that can easily be installed straight from the app browser menu within Slack itself. These solutions are an ideal way for businesses to protect themselves from security threats while using Slack.

Avanan, a vendor known for their CASB solution, has created a security platform for Slack that provides URL filtering, protects businesses from malware, identifies and blocks accounts that have been hacked, and provides a full administration dashboard. This can effectively protect businesses from phishing links and compromised accounts on Slack.

Other companies, like SafeGuard Cyber, have established a platform for compliance, archiving and security on Slack. This provides businesses with cyber defence by evaluating all Slack messages, images, attachments and links for malicious content. It also provides them with real time compliance and archiving for Slack messages.

For more information, read our guide to the top Enterprise Security Tools For Slack And Microsoft Teams.

Summary

All businesses should be considering the security of Slack and the steps they can take to keep their employees, and the sensitive data and financial information sent through Slack, safe.

Simple steps to enhance the security of Slack are to make sure that no employees share any sensitive business information or private account details through Slack. Everyone should also be using two-factor authentication, to minimize the risk of account compromise.
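As an added example (not from the original article, Slack, or any vendor named here), the Python check below audits a saved workspace member list for two of the risks discussed: display names imitating Slackbot, as in the 2017 campaign, and accounts without two-factor authentication. The member records are constructed and follow the shape of Slack's users.list response; the lookalike map is a small illustrative assumption, and the export is assumed to include the has_2fa field.

```python
import unicodedata

# Constructed sample shaped like the "members" array of a users.list response.
SAMPLE_MEMBERS = [
    {"id": "USLACKBOT", "name": "slackbot", "profile": {"display_name": "Slackbot"}},
    {"id": "U001", "name": "alice", "has_2fa": True, "profile": {"display_name": "Alice"}},
    {"id": "U002", "name": "bob", "has_2fa": False, "profile": {"display_name": "Bob"}},
    # Capital "I" standing in for lowercase "l"
    {"id": "U003", "name": "support7", "has_2fa": False,
     "profile": {"display_name": "SIack-Bot"}},
    # Cyrillic "а" (U+0430) and "о" (U+043E) in place of Latin letters
    {"id": "U004", "name": "helper", "has_2fa": True,
     "profile": {"display_name": "Sl\u0430ckb\u043et"}},
    {"id": "U005", "name": "old", "deleted": True, "profile": {"display_name": "slackbot"}},
    {"id": "B006", "name": "deploy", "is_bot": True, "profile": {"display_name": "Deploy Bot"}},
]

# Illustrative lookalike map (an assumption, not a complete confusables table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                            "\u0430": "a", "\u043e": "o", "\u0441": "c", "\u0455": "s"})

def skeleton(name):
    """Reduce a name to a comparable form: no accents, case, spacing or lookalikes."""
    text = unicodedata.normalize("NFKD", name).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(ch for ch in text.translate(LOOKALIKES) if ch.isalnum())

def audit(members):
    """Return member IDs that imitate Slackbot or lack two-factor authentication."""
    findings = {"impersonation": [], "no_2fa": []}
    for member in members:
        # Skip deactivated accounts and the built-in Slackbot user itself.
        if member.get("deleted") or member["id"] == "USLACKBOT":
            continue
        profile = member.get("profile", {})
        names = (member.get("name", ""), profile.get("display_name", ""),
                 profile.get("real_name", ""))
        if any("slackbot" in skeleton(n) for n in names):
            findings["impersonation"].append(member["id"])
        # Flag only an explicit False: the field is absent for bots and some tokens.
        if not member.get("is_bot") and member.get("has_2fa") is False:
            findings["no_2fa"].append(member["id"])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MEMBERS))
```
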

Businesses should also consider using one of the security solutions outlined earlier in this article. If Slack is replacing email for your internal business communications, having an established security solution in place will become vitally important in protecting your business data.


About Expert Insights:

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions.