Is Slack Secure? How to Detect PII & Prevent Data Exfiltration in Slack
Slack is a powerful business collaboration tool that can be used as a standalone solution or as part of a wider collaboration ecosystem in tandem with other tools like Microsoft Teams or Yammer and Google Drive. Slack includes many security features to protect its users’ data and secure its user accounts. However, data breaches from Slack have occurred and Slack security risks and vulnerabilities still exist. Here’s everything that business, IT and infosec leaders need to know about protecting sensitive information and preventing data exfiltration with security policies for Slack.
Enterprise collaboration tools like Slack have revolutionized the way companies do business. Released in 2013, with over 12 million daily active users, Slack is one of the most established and trusted collaboration tools on the market. But how secure is Slack?
Aware insights from analyzing millions of real Slack messages paint a worrying picture. Our research shows that the average Slack environment is a tangled mess of blind spots, hidden risks and sensitive data.
Aware research shows that 1 in 166 Slack messages contains sensitive information.
Here’s what modern business, security and IT leaders need to know to secure their company’s data in Slack.
Is Slack Secure — Table of Contents
- Is Slack secure?
- How Slack encrypts data
- Slack enterprise key management
- Slack audit logs
- Other Slack data security features
- The limitations of Slack security
- Slack security concerns for businesses
- Slack platform security threats
- Slack insider threats
- Improving Slack security for businesses at scale
Is Slack Secure?
As an enterprise collaboration tool, employees can be forgiven for assuming anything they type into Slack is protected and secure. Slack does provide a number of data security measures that shield user information from exfiltration. However, these measures may not be as comprehensive as users first assume, and many require Slack admins to proactively set them up.
How Slack encrypts data
By default, Slack encrypts data in transit and at rest. That means Slack information held in databases or being transmitted is protected from easy exfiltration. However, unlike some other messaging apps, Slack does not offer end-to-end encryption of its data. That means any threat actor with access to the Slack server can access or exfiltrate all the information it holds. This could also increase Slack’s vulnerability to malware and other forms of attack.
End-to-end encryption is considered the gold standard of data security protocols because the only people who can access the data are the sender and intended recipient(s), usually by storing the encryption keys on individual devices rather than at server-level.
✅ Data in transit encryption (aka data in motion encryption)
✅ Data at rest encryption (DARE)
❌ End-to-end encryption
Slack Enterprise Key Management
As well as data encryption, Slack also provides other data security tools. Slack Enterprise Key Management (Slack EKM) enables businesses to bring their own encryption keys to their Slack environment. This gives companies more control over how their data is encrypted, and who can access it through granular permission controls. These additional verification features can help combat common external attacks, such as phishing scams, and lock out a hacker the moment they are detected.
Slack audit logs
If a business needs to perform forensic investigations in Slack, Audit Logs provide a useful starting point. These logs record all the actions users take within Slack, and businesses can create custom monitoring tools using the Audit Logs API. However, businesses cannot see the messages employees send in Slack, and audit logs don’t enable proactive threat hunting. That functionality requires the addition of a third-party Slack app for data loss prevention (DLP) and/or eDiscovery.
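One monitoring rule that could be built on audit log entries, as an added example (not from the original article or from Slack): flag any user whose file downloads cluster inside a short window. The entries are constructed samples; the fields used (`date_create`, `action`, `actor.user`) and the `file_downloaded` action are assumed to match the Audit Logs API entry format and should be checked against Slack's current documentation, and the window and threshold are hypothetical policy values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600                   # assumed policy window
THRESHOLD = 3                          # assumed alert threshold (kept low for the sample data)
WATCHED_ACTIONS = {"file_downloaded"}  # assumption: extend from the documented action list

def find_download_bursts(entries, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per user, raised the first time they reach the threshold."""
    recent = defaultdict(deque)        # user id -> timestamps still inside the window
    alerted, alerts = set(), []
    for e in sorted(entries, key=lambda e: e["date_create"]):
        if e["action"] not in WATCHED_ACTIONS:
            continue
        user = e["actor"]["user"]
        q = recent[user["id"]]
        q.append(e["date_create"])
        while e["date_create"] - q[0] > window:
            q.popleft()                # drop events that fell out of the window
        if len(q) >= threshold and user["id"] not in alerted:
            alerted.add(user["id"])
            alerts.append({"user_id": user["id"], "email": user["email"],
                           "count": len(q), "first": q[0], "last": q[-1]})
    return alerts

def _entry(ts, action, uid):
    """Build a constructed sample entry with only the fields this rule reads."""
    return {"date_create": ts, "action": action,
            "actor": {"type": "user",
                      "user": {"id": uid, "email": f"{uid.lower()}@example.com"}}}

# Constructed sample data: W0001 downloads in a burst, W0002 downloads slowly.
SAMPLE_ENTRIES = [
    _entry(1700000000, "user_login", "W0001"),
    _entry(1700000100, "file_downloaded", "W0001"),
    _entry(1700000200, "file_downloaded", "W0001"),
    _entry(1700000300, "file_downloaded", "W0001"),
    _entry(1700000400, "file_downloaded", "W0001"),
    _entry(1700000100, "file_downloaded", "W0002"),
    _entry(1700003000, "file_downloaded", "W0002"),
    _entry(1700006000, "file_downloaded", "W0002"),
]

if __name__ == "__main__":
    for alert in find_download_bursts(SAMPLE_ENTRIES):
        print(alert)
```

Because audit logs carry actions rather than message content, a rule like this only shows that files moved, not what was in them.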
Other Slack data security features
Slack can give users more control over who gains access to the environment, and for how long, through security tools like session limits, two-factor authentication, multi-factor authentication and single sign-on (SSO). These settings can make it harder for threat actors to gain access to a corporate Slack account and reduce the time a hacker has to act.
In summary, Slack provides a secure workspace for businesses using industry-standard data encryption in transit and at rest. However, to gain a full picture of what is happening within an enterprise Slack environment companies must pair native Slack security capabilities with more powerful cybersecurity platforms.
The Limitations of Slack Security
Collaboration messages contain a significant amount of sensitive data that companies need to protect. This includes regulated information like PII/PHI/PCI and unregulated — but valuable — intellectual property and other confidential communications.
- Personal Identifying Information (PII)
- Personal Health Information (PHI)
- Payment Card Industry data (PCI)
- Intellectual Property (IP)
- Mergers and Acquisitions
- Toxic, bullying and hate speech
The proliferation of this information throughout the Slack environment could lead to intense regulatory scrutiny and costly fines and penalties. Threat actors can also use confidential information to embarrass the company or cost it a business advantage. The latest research shows that 12% of employees take IP with them when they leave for another job.
The reason so much sensitive data is stored in Slack is simple: employees mistakenly believe that an enterprise-sanctioned tool is a secure repository for any work-related data. The first failure point of Slack security is in failing to coach employees on what constitutes appropriate and inappropriate information-sharing in Slack.
Aware research backs this up. One Aware customer discovered 32,000 instances of PCI/PII data being stored in Slack channels by employees who were simply trying to do their jobs.
Simply coaching employees isn’t enough. To protect company data from exfiltration in Slack, businesses need to take a proactive approach to threat management. Unfortunately, Slack does not deploy proactive data security tools as standard. Instead, businesses must implement their own security controls through the use of enterprise-grade data security integrations and third-party apps.
Slack Security Concerns for Businesses
When it comes to protecting enterprise Slack environments from data exfiltration, there are two primary types of threat to consider: platform security threats and insider risks. Each requires a nuanced proactive management strategy.
Slack platform security threats
Security weaknesses within Slack itself can threaten enterprise data security by allowing hackers to breach the workplace Slack environment. Slack data exfiltration by hackers made headlines thanks to the Uber breach, where Slack messages were explicitly targeted and stolen by the hacker.
Why would hackers steal Slack data? As Aware research has uncovered, Slack ecosystems can be packed with confidential information and company secrets. Even if the hacker never uses that information, it can still cost the business a significant amount in fines and penalties.
The average cost of a breached record was $164 according to research by IBM in 2022. When 1:166 messages in Slack contain confidential information, that means every new message typed into your Slack environment adds another dollar to the total cost of your risk exposure — and just 5,000 employees will send 30 million Slack messages each year.
Slack insider threats
The other concern for modern businesses when using Slack, or any other collaboration tool, is insider threats. The Ponemon Institute found that insider threats continue to increase, with the cost to businesses at an all-time high. It takes the average organization 85 days to identify and contain an insider threat, at a cost of $15.38 million per incident.
Insider threats occur through negligence or malice. The majority of threats aren’t intentional. Carelessness accounts for 56% of all insider threat incidents, usually because employees have shared sensitive information in the wrong channels. Compliance violations caused by sharing PII/PCI information within Slack channels are a prime example of an insider threat caused by carelessness.
Malicious insiders are rarer but do much more harm to the enterprise. Because they have been invited into the workspace, they can be harder to detect, and they know where to look for valuable information. And because Slack enables private channels and direct messages and syncs across multiple devices, a malicious insider can also use Slack to send confidential information to themselves and gain access to it later from a private device, circumventing firewalls and other data security controls.
- The average malicious insider exfiltrates 80,000 business records
- Attacks by malicious insiders take an average of 284 days to identify and contain
- The average cost of a malicious data breach is $4.18 million
Improving Slack Security for Businesses at Scale
So what can businesses do to protect themselves against Slack platform security threats and insider risk? To detect and contain PII and prevent data exfiltration from Slack, businesses should:
- Follow best practices to take control of who can access the Slack workspace by instituting safeguards such as SSO or Slack EKM.
- Institute proactive retention strategies to identify and remove compromising information from Slack so it’s never available for a hacker to exfiltrate.
- Establish rules-based policies that search for RegEx and keywords in near real time for around-the-clock compliance.
- Frequently train employees on what is and isn’t appropriate information to share in Slack and reinforce training with automated real-time coaching when policy violations are detected.
- Maintain an immutable archive of Slack user conversations, including revisions and deletions, so you always have oversight of the big picture.
- Deploy a federated search program that can quickly surface Slack messages and filter by multiple parameters to increase relevancy and accelerate eDiscovery.
- Use AI analysis with natural language processing to identify toxicity and negative sentiment that can indicate areas of enhanced risk.
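The rules-based policy item in the list above, as an added example (not code from Aware or Slack): a scanner that applies regular expressions and keywords to message text, confirms card-number candidates with a Luhn checksum to cut false positives, and redacts what it reports. The rule names, patterns and sample messages are constructed for illustration.

```python
import re

# Hypothetical rule set (illustrative patterns, not Aware's or Slack's own policies).
RULES = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "keyword": re.compile(r"\b(?:confidential|do not forward|password)\b", re.I),
}

def luhn_ok(digits):
    """Luhn checksum: rejects order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(value):
    """Keep the last four characters so the alert is not a second copy of the data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_message(msg):
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(msg["text"]):
            value = m.group(0)
            if rule == "payment_card":
                value = re.sub(r"\D", "", value)
                if not luhn_ok(value):
                    continue    # regex hit, checksum miss: treat as a false positive
            shown = value.lower() if rule == "keyword" else redact(value)
            findings.append({"channel": msg["channel"], "ts": msg["ts"],
                             "rule": rule, "match": shown})
    return findings

def scan_messages(messages):
    return [f for msg in messages for f in scan_message(msg)]

# Constructed sample messages (4111 1111 1111 1111 is a widely published test card number).
MESSAGES = [
    {"channel": "C-support", "ts": "1700000001.0001", "text": "Customer card is 4111 1111 1111 1111, exp 12/27"},
    {"channel": "C-support", "ts": "1700000002.0001", "text": "Order 1234 5678 9012 3456 shipped"},
    {"channel": "C-hr", "ts": "1700000003.0001", "text": "New hire SSN 123-45-6789, keep this Confidential"},
    {"channel": "C-general", "ts": "1700000004.0001", "text": "Lunch at noon?"},
]

if __name__ == "__main__":
    for finding in scan_messages(MESSAGES):
        print(finding)
```

The order number in the second message matches the card pattern but fails the checksum, so it produces no finding.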
How Aware Enables Enterprise Businesses to Protect PII in Slack
- Built-in privacy and compliance controls for Slack
- Powerful federated search of conversation data in context
- Granular control of data based on role, group, channel, location and more
- Real-time compliance adherence and behavioral analysis
The Aware business intelligence platform is an industry-leading compliance and security solution for Slack and GovSlack. Aware enables enterprise businesses to protect sensitive and restricted data in Slack and mitigate top risks in collaboration datasets.
Using the Aware integration for Slack, organizations can avoid costly fines and penalties by implementing real-time compliance adherence and moderation that protects data across the Slack environment. Use AI and machine learning-infused insights, teamed with best-in-class natural language processing, to detect policy violations in near real time. Tackle security issues from every angle by automating the removal of unauthorized information sharing, notifying stakeholders and coaching employees the moment a violation is detected. And become proactive about threat detection and data compliance by deploying groundbreaking sentiment insights that identify pockets of negativity or toxicity within the enterprise.