For the first time, most workers now say they prefer real-time communications tools like Slack and Microsoft Teams over email, according to a recent survey by Ziff Davis. Slack customers include 77% of the Fortune 100, according to the company. Slack has even become a forum for job searches.
Yet like any other platform, Slack carries the risks of cyberattacks through misuse of its built-in features or risky behavior, notes Ofer Maor, CTO and co-founder of cybersecurity startup Mitiga.
Writing for Dark Reading, Maor points out that while users have learned to be on the lookout for phishing emails, the open culture of Slack means that most people probably aren’t on guard for suspicious messages from their colleagues. “Therefore,” Maor writes, “compromising a single account in Slack can easily be leveraged to deceive other users and gain additional access—not only to other users but to multiple channels.” As Maor observes, many organizations have sensitive information such as passwords available and preserved indefinitely in channels open to large numbers of users.
Slack users also have access to an array of apps. Maor warns that third-party apps are a serious risk for almost all software-as-a-service platforms, and Slack is no exception.
What’s more, Slack doesn’t preserve a record of messages that are erased. According to Maor, ransomware attackers could use the threat of deleting information as effective leverage for their demands.
To be sure, Maor notes, Slack is a “great platform” with significant investment in security. Still, one example of Slack being used in a cyberattack occurred last year, when scammers stole a trove of data from video game publisher Electronic Arts by duping an employee using the tool, as Motherboard reports.
To improve the security of an organization’s Slack workspace, Maor recommends setting clear policies around private versus public channels, minimizing permissions for third-party apps, backing up Slack content, enabling multi-factor authentication and other advanced security features, and keeping Slack logs.