When it comes to protecting your Slack messages, many companies are still flying blind. Slack has become the de facto corporate messaging app, with millions of users and a variety of third-party add-on bots and other apps that can extend its use. It has made inroads into replacing email, which makes sense because it is as immediate as other messaging apps. Its flexibility and ubiquity are precisely why protecting its communications is all the more compelling.
Slack hasn’t been sleeping on security; quite the contrary. Last January, the company posted an interview with its CSO about various concerns. Slack’s effort is mainly focused on making sure its own app is bug-free and tested regularly for vulnerabilities. When Slack opened up its API to third-party developers, the company put in place some basic rules to ensure that these apps were also developed with secure controls. Slack also has some good recommendations to keep its app more secure, such as making sure that all users implement two-factor authentication and setting up automatic provisioning and deprovisioning for users. All these efforts are noteworthy, but incomplete.
Slack lacks malware protection
Why? Because the app itself doesn’t have any anti-malware or URL filtering built in. These risks seem obvious, but others are more subtle. For example, you can connect members from different organizations across a Slack channel, so organizational security policies can differ while files and messages are freely exchanged. While each user has to be explicitly invited to join a channel, that doesn’t mean that they can be trusted.
Any Slack user can type in a malicious URL that can be immediately shared across your organization. Any user can add apps from a huge catalog of nearly a thousand different third-party apps, any one of which can broaden your attack surface if not properly policed. That is where third-party protection apps come into play.