Slack Data Risks by the Numbers: Stats and Facts for 2024

Written by Aware | Sep 27, 2023 12:43:00 PM
First Published Aug. 2023. Updated Mar. 2024.

What risks lurk in your Slack data, and how big a problem is Slack security really? Aware data scientists analyzed 6.6 billion real collaboration messages to bring you the numbers you need to know in 2024.

The rise of workplace collaboration tools

Since its release in 2013, Slack has proven enduringly popular with users and enterprises alike. Today, 77% of the Fortune 100 use Slack as part of their official tech stack. Some of the benefits of using Slack include reducing meeting and email volume, accelerating employee onboarding, decreasing project duration, and increasing output. With Slack, employees can work collaboratively from any location, making it an invaluable tool for remote, hybrid, and distributed teams.

The volume of messages shared within Slack has grown exponentially alongside its adoption by the modern workplace. Aware data shows that the average enterprise user sends 28 Slack messages each day—an increase of 33% compared with pre-pandemic days.

Slack is also far from alone in the digital workplace. A 2019 poll found 91% of businesses used at least two messaging apps, and today 85% of companies use six or more! Microsoft Teams has 270 million daily active users, and tools as varied as Google Drive, Zoom, and Workplace from Meta also provide new places where employees can send messages, share files, and work collaboratively.

With the proliferation of collaborative tools in regular use across the enterprise, it’s essential that businesses understand the risks that live in the unique datasets these tools create. Aware’s data scientists analyzed millions of real Slack messages to uncover the state of modern collaboration. Here’s what they found.

Sensitive data-sharing in Slack

Every company handles some amount of sensitive data during the normal course of doing business. Traditional communication channels such as email have guardrails in place to protect that information. However, these guardrails can impede effective information-sharing, and collaboration tools often explicitly circumvent the usual checks and balances—enabling employees to communicate in hidden chats, transfer files instantly between devices, and edit and delete messages at will.

This presents new challenges for leaders seeking to mitigate risk in digital datasets and is especially problematic for organizations in highly regulated industries.

Personal identifying information (PII)

  • Examples include SSNs, driver’s license and passport numbers, full name, date of birth, address
  • Regulated by various state and federal laws, including the Federal Trade Commission Act (FTCA) and the Privacy Act

Personal identifying information is a broad category of data held by every organization. From customer names and addresses to employee tax and social details, every business deals with PII on a daily basis. These details often appear in collaboration conversations on tools such as Slack as employees perform the regular functions of their jobs. Transmitting a customer file, giving a coworker the background information on a case, or updating HR records can all result in PII being shared. Aware research shows that 1 in 17 Slack messages contains at least three pieces of sensitive data, and 63% of it is PII.

Payment card industry data (PCI)

  • Examples include card numbers, accountholder names, sort codes, CVV numbers
  • Regulated by the PCI Standards Council (PCI SSC), which can issue penalties ranging from $5000-$100,000 per month

Whenever a business processes payment data—either receiving payments from new customers, updating payment details for existing clients, or making purchases on behalf of the company—there should be clear policies and procedures in place to handle and transmit that data. In the absence of such policies, Aware research shows that employees will share PCI in any work-sanctioned tool, including Slack, and at an alarming scale. On average, 5000 employees will share credit card numbers 271 times a month.

Protected health information (PHI)

  • Examples include test results, diagnoses, medications, and appointment details
  • Regulated by the Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies to healthcare providers and similar covered entities, who must consider that everyday employee communications will revolve around protected patient health information. If these messages are the subject of unauthorized access or exfiltration, they put the enterprise at risk of noncompliance. Even when not explicitly covered by HIPAA, businesses in all industries have a responsibility to safeguard employee PHI and should limit the discussion of employee healthcare within Slack or other collaboration tools.

How much sensitive data is shared in Slack?

Time and again, analysis indicates that employees view collaboration tools as an extension of the workplace and are happy to discuss restricted information in these digital conversations in ways they wouldn’t commit to in more formal types of communication, such as email.

The first challenge of Slack data is the incredible scale at which it grows. Just 5000 employees will send over 2.5 million messages each month—in a year, 20,000 employees create a dataset of almost 142 million messages, two-thirds of which are DMs only visible to the participants. Conducting any kind of compliance monitoring or eDiscovery at this scale is often slow, expensive, and incredibly complex, but the scope of these datasets makes it a statistical certainty that sensitive, restricted, and noncompliant information proliferates within them.

Another part of the challenge of securing sensitive data in Slack is convincing employees that it should be protected to begin with. For instance, employees might not think twice about sharing the password locking a document—even if that document is filled with confidential data. Each month, 5000 employees share approximately 500 passwords, access keys, and similar credentials in Slack. Most probably wouldn’t consider those passwords significant if challenged, but a data breach such as happened to Uber, where Slack content was deliberately targeted and exfiltrated, could have devastating consequences for the enterprise.

How to identify sensitive information-sharing in Slack

Many types of regulated sensitive data follow specific patterns—SSNs are always nine digits, credit cards have 16, and so on—making it possible to use regular expressions (regex) to detect potentially violating content. The addition of Boolean logic (and/or/not operators) can further enhance detection by reducing false positives.
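The following is an added example, not Aware's code, of the regex-plus-Boolean approach described above applied to chat text. It pairs a fixed-format SSN regex and a card-number regex with AND/NOT context rules and a Luhn checksum, so that documentation placeholders, announced test cards, and random digit runs such as ticket numbers are not flagged. The sample messages, the placeholder SSN list, the test-card list, and the context keywords are all constructed for the example; the SSA area/group/serial exclusions and the public Visa/Mastercard test numbers are real.

```python
"""Regex + Boolean detection of SSN and payment-card patterns in chat text.

Added example (not Aware's code). Sample messages and keyword lists below are
constructed for demonstration; only the SSA number-format rules and the
well-known public test card numbers are real.
"""
import re
from dataclasses import dataclass

# --- pattern layer --------------------------------------------------------
# SSN: 3-2-4 digits. The SSA never issues area 000, 666 or 900-999, group 00,
# or serial 0000, so those shapes are rejected by the regex itself.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")

# Card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed placeholder values that show up in docs and test fixtures.
PLACEHOLDER_SSNS = {"123-45-6789"}
TEST_CARDS = {"4111111111111111", "5555555555554444"}  # public Visa/MC test numbers

# --- Boolean layer --------------------------------------------------------
# NOT rule: a message that announces test/sandbox data is not a live leak.
EXCLUDE_RE = re.compile(r"\b(test card|sandbox|staging|dummy data)\b", re.I)
# AND rule: a 9-digit hit is only reported when corroborating words appear,
# which keeps part numbers and reference codes out of the results.
SSN_CONTEXT_RE = re.compile(r"\b(ssn|social security|dob|date of birth|tax id)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; random digit strings such as ticket numbers fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str     # "ssn" or "pci"
    value: str    # masked, never the raw number
    reason: str   # which rules fired


def scan_message(text: str) -> list:
    """Return the list of Findings for one chat message."""
    findings = []
    test_context = bool(EXCLUDE_RE.search(text))
    for m in SSN_RE.finditer(text):
        norm = m.group().replace(" ", "-")
        if norm in PLACEHOLDER_SSNS or test_context:
            continue                                  # NOT rules
        if SSN_CONTEXT_RE.search(text):               # AND rule
            findings.append(Finding("ssn", mask(norm), "format + context keyword"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits) or digits in TEST_CARDS or test_context:
            continue                                  # checksum + NOT rules
        findings.append(Finding("pci", mask(digits), "format + Luhn checksum"))
    return findings


def scan_messages(messages: list) -> tuple:
    """Scan a batch; return (per-message findings, count of messages with a hit)."""
    results = [scan_message(m) for m in messages]
    return results, sum(1 for r in results if r)


# Constructed sample messages (not real Slack data).
SAMPLE_MESSAGES = [
    "Customer callback: SSN 219-09-9999, DOB 04/12/1980, please update the file",
    "Card on file: 4532 0151 1283 0366 exp 09/27",
    "Use the test card 4111 1111 1111 1111 in staging only",
    "Ticket 2024091200017 raised for the Acme account",
    "Example from the docs: SSN 123-45-6789",
    "Lunch at 12:30?",
]

if __name__ == "__main__":
    results, hits = scan_messages(SAMPLE_MESSAGES)
    for msg, found in zip(SAMPLE_MESSAGES, results):
        for f in found:
            print(f"{f.kind.upper()} {f.value} ({f.reason}) in: {msg[:40]}...")
    print(f"{hits} of {len(SAMPLE_MESSAGES)} messages contain sensitive data")
```

Each rule lives in its own layer: the regex finds candidates, the checksum and placeholder lists discard the most common false positives, and the context keywords decide whether a borderline hit is worth an alert. Tuning any one layer (adding a keyword, a sanctioned test value) does not require touching the others.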

However, Aware analysis shows that a significant percentage of password, code, and financial data shares in Slack happen via screenshot. While this indicates that employees do take some precautions to shield sensitive information from malicious actors, it also makes it harder for infosec leaders to detect and mitigate. The scale of this problem is significant, as we know that 5000 employees will send 61,000+ screenshots every month. Sifting between them to identify those that represent information security risks requires a compliance solution with file detection and OCR analysis capabilities to minimize false positives.

Intellectual property (IP) and corporate secrets in Slack

Despite the compliance challenges they represent, PII/PCI/PHI are also among the easiest types of sensitive information to detect in collaboration datasets. Far more nebulous and nuanced are intellectual property (IP) and corporate secrets. These types of information could be anything from financial forecasts to sales and marketing strategies, lines of code to product roadmaps. Identifying and mitigating this information within collaboration tools is extremely complex and must be managed on a case-by-case basis.

The repercussions of allowing this data to proliferate within Slack and similar tools can be catastrophic. Just imagine:

  • A sales employee leaves for a position with a competitor, and takes your latest playbook with them
  • An IT employee shares proprietary code with a peer at another organization
  • A disgruntled former employee leaks evidence of a potential merger or acquisition
  • A phishing attack gives a hacker access to all the data within Slack, including blueprints for your latest project

Any of these risks could impact the company’s market position, share value, brand reputation, and open the business up to legal jeopardy.

How to control IP in Slack

One of the simplest ways of keeping control of IP and corporate secrets within Slack is by limiting that data to specific, restricted channels and applying strict retention policies to the messages they contain. However, these measures must be reinforced by a compliance solution that can identify and mitigate IP sharing outside of sanctioned channels—especially in direct messages and Slack Connect.

Just over 1% of Slack messages in an average workplace are sent through Connect channels, where information is explicitly shared with users outside the enterprise. The accidental upload of the wrong spreadsheet or document into one of these channels could have severe repercussions. The average employee shares files around once every 200 messages, making mistakes an ever-present danger.

Identifying these risks involves establishing targeted keyword detection, file and attachment analysis, and regular employee training. To mitigate them, employers need a solution that can detect and remove unauthorized content in real time. In tools that can instantaneously sync data across devices within and beyond the company’s control, risk management must start at the point of violation to be effective.

Toxic behavior and harassment in Slack

It isn’t only your data that could be at risk in Slack. Your people can also become victims of workplace bullying, harassment, and toxicity. In fact, 24% of employees say workplace harassment worsened within collaboration tools like Slack.

Slack provides an ideal environment for bad actors to exploit. The restricted visibility of its channels makes it easier for a bully to act unseen, and users retain full control over their messages, meaning they can edit or delete them immediately, or even months later. This can present new challenges for internal investigators as the harassing content may no longer exist by the time anyone hears about it. Aware data scientists discovered that 1 in 53 messages is edited or deleted, indicating the scale of the problem organizations face.

The damage caused by toxicity and harassment

Workplace bullying and harassment are a major problem that employers must address proactively to protect their company culture and shield the organization from liability. In the U.S., workplace harassment is regulated at the state and federal levels, and failure to address a discriminatory culture can lead to steep penalties.

Even low-level harassment and bullying can have a widespread detrimental effect on company culture. Good people can leave, and replacing them becomes more difficult, time-consuming, and costly. Those who stay may mentally check out, leading to reduced morale, performance decline, and elevated risk from both mistakes and malicious actions.

Aware research shows that toxicity casts a long shadow across the enterprise, and it takes only a minority of toxic employees to poison a company’s culture. Overwhelmingly, the majority of messages within a workplace collaboration environment are neutral (95%) and healthy (99%) in tone and content. However, even small volumes of negative, inappropriate, toxic, and hateful speech can have a widespread effect when we’re talking about tens of millions of messages per year.

In a single month, a workplace with 5000 employees shares approximately 1500 instances of hate speech within Slack. This is content that is both detrimental to employee wellbeing and potentially actionable if the company does not address it.

How to identify workplace toxicity and harassment

Many workplaces use NSFW language filters in email documents to prevent inappropriate speech. The same technology, applied to collaboration tools like Slack, can flag or remove unwanted content or coach employees in real time about acceptable use policies.

However, each workplace has its own unique culture, and what is inappropriate for one company will be perfectly acceptable in another. Within Slack, companies also face the challenge of distinguishing between two friends speaking privately to each other, which may involve the use of profanity or other language inappropriate in a public setting, and an employee using DMs to harass a coworker. A compliance tool that cannot distinguish between the content of a message and its surrounding context and sentiment will generate an unmanageable amount of false positive results, rendering it useless, or restrict employee speech and drive shadow IT solutions.

Developing a contextual understanding of a workplace's Slack environment requires a moderation solution with natural language processing (NLP) capabilities that has been trained exclusively for that environment. Only by determining what constitutes “normal” for an organization can leaders hope to accurately identify communications that are abnormal, harmful, and toxic.

The challenge of false positive results

Human interactions are varied and complex, and the line between a friendly or offensive message may come down to the slightest nuance of context. In an increasingly digital world, the challenge of parsing tone and intent in text-based communications is ever-present. Even people get it wrong.

Aware’s sentiment analysis AI models are tested against a “near-human” benchmark—meaning the results they produce should be comparable with a real person’s assessment. This limits false positive (and negative) results and provides business leaders with the most accurate overview of the current state of their company culture health.

Achieving near-human accuracy in machine learning and AI models requires training on closely curated datasets and refining the results using human feedback to continually improve outcomes. In real-world tests, Aware’s sentiment analysis AI consistently performs at near-human levels, and significantly outperforms all leading competitors, whose intelligence is based on massive, nonspecific large language models (LLMs).

                  Aware   Llama-2   Google   Microsoft
False Positives   6%      19%       21%      19%
False Negatives   13%     37%       41%      38%

How Aware detects sensitive, secret, and toxic messages in Slack

The Aware platform for employee listening is the leading solution trusted by the Fortune 500 to identify and mitigate every kind of unauthorized content within Slack. Aware is powered by the most accurate NLP on the market, using hand-labeled models that deliver near-human results, normalized for every organization’s unique digital DNA.

Only the power of AI computing can ingest and analyze the huge volume of Slack messages in real time and take immediate, automated action to mitigate the risks they present. Aware uses a wide range of sophisticated machine learning models to detect regular expressions, analyze image attachments, hunt for keywords, and understand the context surrounding every Slack conversation, wherever it happens. Using Aware, employers can deploy smart automations that holistically preserve and protect company culture within Slack, giving employees the freedom to collaborate on their own terms with reduced risk.

What’s in your Slack data?

Your organization faces unprecedented challenges when it comes to mitigating data risks in Slack. Learn more about the scale of the challenge you face and claim your free report now.