In April, just over half of Americans started to work from home, largely driven by the disruption of the COVID-19 pandemic. The situation continues to evolve day-to-day, but remote work is here to stay: 42% of the U.S. labor force is now working from home full-time, as tools like Slack, Microsoft Teams, and Google Drive make it possible to be productive from anywhere.
Slack started as a popular team-building and communication tool meant for collaboration and project management. It has since escalated into the primary mode of communication for newly remote businesses. Wired reports that between March 10 and March 25, 2020, Slack’s concurrent users rose from ten million to 12.5 million who now use the platform as an end-to-end virtual office.
Even before this pandemic moved more people to work virtually, we predicted that Slack and other SaaS products posed a point of vulnerability for IT professionals. Slack can become a hydra of risk as more users, integrations, and files are added to this platform quickly: the pandemic has escalated sharing data over Slack without giving security teams the opportunity to implement meaningful protocols and protections.
Slack security is achievable: take these steps to protect your company’s PII and data while using Slack.
Proactively manage user permissions
There are a few different types of user permissions you can set up within Slack. Understanding these types of accounts – and restricting access accordingly – can help mitigate many Slack privacy concerns.
There are three types of administrative roles in Slack: Primary Owner, Owner, and Admin. Then, there are three types of non-administrative roles: members, guests, and invited members. It’s likely the majority of users on your company’s Slack channel will be non-administrative. Here’s how these permissions work:
- Members: people on your team that join your Slack workspace and can collaborate and communicate with other members. This is the basic role that most employees at your company likely have.
- Guests: you can set guest access for people outside your company for whom you wish to limit access. Guests can be classified as “multi-channel” (with access to specific channels) or “single-channel” (with access to only one channel). Guests are able to communicate with members in the channels they are part of.
- Invited members: these users have been invited to the workspace, but have notha not accepted the invitation. They will receive Slack notifications via email and can reply to those messages (and private Slack messages) using their email address.
Slack admins are those in charge of managing members, channels, and other administrative tasks. We highly recommend that to maintain Slack privacy, Slack admins take a proactive role in managing user permissions. Decide who needs to have access to which channels, close-out old accounts as needed, and sunset any channels that aren’t being used. Check out our guide on managing guest accounts for comprehensive steps you can take to use guest accounts and shared channels – and keep your data secure.
Implement Slack Connect
Slack Connect is Slack’s newest product offering that launched in June 2020. Slack Connect takes the concept of shared channels – channels where companies that interact frequently can collaborate – to the next level, offering a way for up to 20 organizations to work together over chat, and more. If you’re a business that needs to share data frequently with those outside your organization, Slack Connect might be a good option.
Slack Connect uses Slack’s enterprise security features to protect the sharing of PII, including Enterprise Key Management, support for DLP, data retention settings, and e-discovery, and more. Here are a few key data security features your team can use in Slack Connect:
- Retention settings: Workspace Owners can decide what data will be retained or deleted based on a set amount of time. Whatever retention settings you chose will apply to all files sent by members of your organization in shared channels.
- Message management: an owner or admin can delete messages sent by members of their workspace in a shared channel.
- Enterprise Key Management: paid Enterprise members can use your own encryption keys to encrypt messages and files.
Unlike email, your company’s Slack admins oversee and control your organization’s data, restrict external access, and only work with verified partners and members. Note, however, that Slack Connect is only available for paid users at this time.
Increase security protocols
One common Slack security concern is the risk of hacking or phishing attacks. Whether your company is on a free or paid plan, there are some hard security protocols you can add to protect your data.
Start by adding two-factor authentication (2FA) for all members of your workspace. This simple change can protect your workspace in case there’s any account compromised or if a device gets stolen. Slack offers organizations that sign up for Plus or Enterprise plans to manage Slack user provisioning and authentication through a service like Okta or other identity management service.
In addition, it’s always a good idea to restrict what apps your members can add to the platform. Implement application approval, a step that gives Workspace Admins the ability to approve what apps Slack members can install. You can also restrict who can be invited to a workspace: permit signup only for those emails from a specific email domain, for instance. This can lock down your data from unauthorized individuals trying to enter your workspace.
Add a Slack security integration
Finally, and perhaps most importantly, find a third-party data loss prevention service like Nightfall. Nightfall can alert your team when sensitive data is being shared or used inappropriately. While Slack offers many restrictions and settings that your team can use, it does not monitor message content – which is where most security threats originate.
Nightfall integrates with Slack to identify, classify, and protect the data you need to keep secure. Our tool is equipped to detect 100+ types of sensitive data: everything from addresses, names, and passwords to credit card numbers and other PII. We send up a flare if this information is being shared in the wrong Slack channels. Build out automated workflows that can alert admins as well as users to these incidents and provide remediation options like deleting or quarantining the detected data.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.