Millions of users exchange messages and files on Slack every year. Companies of all sizes rely on it to facilitate collaboration among colleagues, clients, and vendors.
Slack itself incorporates many enterprise-level security measures to ensure a secure environment, including ISO and SOC security certifications, HIPAA and FINRA compliance certifications, and a robust GDPR data management program.
Users at the corporate and individual level can do several things to further ensure the security of the data they send on Slack:
- Avoid sharing confidential information like passwords and confidential business practices.
- Use two-factor authentication (2FA).
- Develop solid employee onboarding and offboarding protocols.
- Train employees on best practices for Slack.
- Use channels to manage access from outside users.
- Be careful with third-party application integrations.
- Learn to recognize phishing attempts.
- Install a good antivirus program.
Read our full article below to learn more about Slack safety and security.
More than 8 million people exchange messages, files, and images on Slack every day. Especially small- to mid-sized companies have embraced Slack since its debut in 2014, mostly due to its ease of implementation and use.
It isn’t just small companies that love Slack. When IBM selected Slack as the official instant messaging and collaboration tool for their more than 350,000 employees, the move was widely seen as a big win in the Slack vs. Microsoft Teams war.
But how secure is Slack really? And what can you do to ensure the information you send is safe and remains private? Whether you’re an employer or an employee, we’ll tell you everything you need to know about Slack and its security.
Slack Security and Privacy Concerns
Online privacy and the security of the data sent across the platform are legitimate concerns, whether you’re using Slack desktop or the Slack app on a mobile device. Luckily, Slack has a few decent systems and policies in place to keep your private data secure.
How Slack manages data
Slack doesn’t slouch when it comes to securing data. The company uses enterprise-grade security to meet global compliance requirements and secure Slack information.
The company has earned a host of security-related certifications, including ISO/IEC 27001, 27017, 27018, and 27701, SOC 2, SOC 3, APEC for Processors, and APEC for Controllers. In addition, Slack is HIPAA and FINRA compliant. The company has also implemented a GDRP compliance program.
Slack encrypts data at rest and in transit. It also offers other security features to safeguard sensitive data, like two-factor authentication, session duration limits, and session management. However, it doesn’t use end-to-end encryption, since they want to give admins the ability to access communication for business purposes.
How Slack manages security threats
In addition to the robust Slack security measures noted above, the company combats the threat of cybercriminals through its Slack bug bounty program. This means that anyone can report on vulnerabilities they’ve found within Slack and get a bounty for it. Slack can then work on patching the weaknesses and strengthening their software. The bug bounty program encourages the identification of Slack security flaws before they’re exploited.
Many key vulnerabilities have been identified through the bounty program, and Slack fixed these before they were exploited. Since the program’s inception, Slack has awarded over $900,000 to security researchers who identified potential vulnerabilities in the Slack platform.
How Slack handles government demands
Slack’s privacy policy states they don’t voluntarily disclose information to governments. However, they will comply with requests arising from a valid legal process. This means that the company does store information and will disclose it if compelled to by law.
But who or what is included in a valid legal process? The phrase refers to anyone involved in litigation, which includes any of your competitors who sue you or your company. They may ask the court to compel Slack to turn over the information contained in your Slack channels. This could include critical information you don’t want your competitor to have. This nightmare scenario is very unlikely to happen, but not entirely impossible.
In general, the idea that your business’s internal communication could be read by others isn’t great, even if it might be necessary in some cases. Each year, Slack issues a transparency report that summarizes all disclosures related to valid legal process requests. While the number of disclosures is small, confidential data was shared.
Are your Slack chats private?
From an employee standpoint, you may be less concerned with how vulnerable your company’s sensitive data is, and more concerned with how private your personal information is on Slack.
As with most corporate tools, start with the assumption that anything you do is saved and reviewable by your boss, their boss, or the HR department. Slack is not exempt from this assumption.
You can, however, easily check how and what information your organization saves. Here’s how:
- From your Slack desktop, go to your profile, then click More > Account Settings. You are redirected to a Slack webpage.
- Click on About This Workspace on the left side of the screen (You might have to open up “Menu” first).
- Click on Retentions & Exports.
- Under What data can my admins access? is a description of the information that is retrievable.
- You can follow the Learn More link to see all the options available for data saving and retrieval.
The difference between public channels, private channels, and direct messages is especially important here. Admins might be able to export data from the open, public channels only, while your DMs and the locked, private channels can’t be shared outside the participants of those conversations. Even so, keep in mind that it’s always easy to take screenshots, even of private messages.
As a general rule of thumb, it’s good practice to avoid sending anything in writing that you wouldn’t want to be made public. It’s always best to save the snarky comments about your boss or complaints about a client for after-work drinks at the local pub.
How to Stay Safe On Slack
Even with the security measures used, Slack is still a cloud-based service. As such, it is vulnerable to determined cybercriminals. Here are eight ways you can maximize your safety and mitigate your Slack privacy concerns.
1. Don’t share confidential information
Never disclose passwords or other confidential or sensitive information on Slack. This includes sending files that contain private company or client information.
If you need to give a colleague password information, consider using a password management app. 1Password offers a useful option for teams to share passwords company-wide. Other confidential and sensitive information should be sent via more secure internal channels that are not easily discoverable by hackers or as a casualty of a court order.
2. Require two-factor authentication
It’s always a good idea to use two-factor authentication (2FA) for login. When you use 2FA, you can log into Slack using your password and a verification code you receive on your phone. This multi-factor authentication makes it very difficult to gain access to Slack with only login credentials.
You can set up 2FA on Slack through either an authentication app or SMS text message by following these steps:
- Go to your profile, then click “More” and go to “Account settings.”
- Click “Expand” next to “Two-Factor Authentication” and choose “Set Up Two-Factor Authentication.”
- Enter your password and click “Confirm Password.”
- Choose either “Use an app” or “SMS Text Message” depending on your preferred method.
- Follow the instructions to connect your app (through a QR code) or phone number.
- Enter the code you receive through text or the app, then press “Verify Code.” You can now log in using 2FA.
Keep in mind that this is the process to set up two-step verification on one user account only. If you’d like to do this throughout your business, make sure all your employees activate this option.
For companies that already use a Single Sign On protocol, 2FA can also be used for additional security.
3. Set up a system for managing employee onboarding and offboarding
For larger employers, one of the biggest challenges is keeping track of which employees gain access to Slack. To avoid unwanted access by workers who are no longer with the company and to ensure new employees do have timely data access, it’s important to have a documented process for Slack access.
Make sure someone in your organization is responsible for granting and denying access to Slack the moment there’s a change in the workforce.
By maintaining correct and current access to Slack, employers avoid the risk of having former employees access and use Slack in improper ways.
4. Train users on Slack best practices
Companies that use Slack for collaboration should take time to ensure all employees understand the company’s Slack usage policies. One way to streamline this process is to apply your corporate email security policies to Slack.
However, it takes more than just writing the policy down somewhere. Companies should build Slack training into the employee onboarding process. They should also offer refresher courses periodically to ensure the information stays front of mind.
5. Use channels to manage outside user access
If you’re collaborating with clients or vendors on Slack, limit broad access to company information by creating channels. You can use Slack Connect to invite them and control the information they can access.
Make sure you know exactly which private and public channels outsiders have access to. Delete the channel once the project is complete, and external access disappears.
6. Be careful with third-party app integrations
Slack offers numerous apps to integrate with, including Google Drive and Dropbox. With this convenience comes additional risk. With every third-party app connected to Slack, the potential for vulnerability increases. Slack is only as safe as the security of its weakest linked app.
While the most popular integrations are generally safe, it’s wise to keep such connections to a minimum. Admins should be the only ones approving such integrations. This eliminates the potential for employees to add risky third-party apps on their own.
7. Beware of phishing attempts
Much like email, Slack is not immune to phishing attacks. In 2017, hackers sent out fake Slackbot messages to a group of cryptocurrency enthusiasts on Slack. These messages directed them to a bogus website asking for financial information. Direct Slack messages are also a favorite phishing method to reach unwary Slack users.
Most people know how to recognize phishing attempts that land in their email inbox, but dangerous direct messages they receive on newer technologies like Slack leave them less suspicious. Hackers capitalize on this lower suspicion threshold to trick unsuspecting users into divulging confidential information. Being aware of the tricks often used in phishing can already lower the risk here.
8. Use a good antivirus program
Whenever you go online, there’s a risk of malware infecting your device. This is also the case for Slack. It’s far too easy to accidentally click on a sketchy link or for an employee to open a dubious attachment. When that happens, there’s a high chance that malicious content ends up on an individual computer or an organization-wide server. Solid antivirus protection identifies these threats quickly and moves to eradicate them before they create bigger problems.
To learn more about how an antivirus program can help you stay safer online and find one that works for you, check out our recommendations for the best antivirus software.
Final Thoughts
Slack is an enormously popular tool for instant communication and collaboration. However, the benefits of Slack also come with security risks.
For companies and individuals using Slack, it’s important to be vigilant to the security threats and take steps to minimize them. Refrain from sending confidential information on Slack. Use two-factor authentication for an added layer of login security. Keep a tight control on who has Slack access.
Basic security steps combined with Slack’s own rigorous security protocols, make Slack secure and an efficient means of collaboration and communication. Want to learn more? Here’s our comparison of Slack with Microsoft Teams. You can also read about how secure Microsoft Teams is and then decide.
Want to know more about Slack and its safety? Check out our FAQ below. If you have a question that hasn’t been answered below, leave a comment and we’ll get back to you as soon as possible.
Slack uses enterprise-level security measures to protect the integrity of data sent and saved. They are also FINRA and HIPAA compliant and have a robust GDPR compliance program in place. Still, any cloud-based software service is vulnerable to a cyberattack, and Slack is not exempt.
Users can take additional steps to protect their information, like using two-factor authentication, not sending confidential information via Slack messaging, and being wary of possible phishing attempts sent on Slack.
Whether your boss or the human resources department can view your direct Slack messages depends on how they have Slack set up. It is generally good practice to avoid putting anything in writing you wouldn’t want to be made public.
Read our full article for instructions on how to easily check what your company is monitoring on Slack.
No, Slack doesn’t use end-to-end encryption. Although it does encrypt your data while in transit and at rest, it only does so to protect the information from outside forces. Using end-to-end encryption would mean no one but the sender and receiver can access the content. On Slack, employers and admins can check on their employees. In other words, with Slack, you can’t be sure that your boss isn’t reading along with your messages.
As of July 2021, Salesforce owns Slack and has incorporated it into the Salesforce suite of enterprise software. Salesforce is a customer relationship management tool that also offers other complementary applications including customer service, marketing automation, analytics, and application development. Salesforce is headquartered in San Francisco, California.