There’s a gaping hole in your security infrastructure right now. The front door is open, the side window is ajar, and there’s an open safe with a neon sign saying “steal my data” in flashing lights. While you might have locked down the network used for this software, instituted strict usage policies, and insisted that users stick to complex passwords, the data is leaking.

Collaborative apps like Slack and Convo are like a sieve at some larger companies, but no one quite knows what to do about it. The apps let users share documents, business plans, financials, and many other files, and one reason they pose such a security risk is that we tend to use these glorified chat tools all day, every day.

As security experts explained to CSO, the file-sharing features in particular have created a gaping hole that few have plugged.

“The convenience of file sharing could easily transform into a data breach if employees are not careful about what files they are dropping into private or public channels, especially if there is no security software in place to stop them from sharing sensitive data,” says Roman Foeckl, CEO and founder of global endpoint security provider CoSoSys.

Foeckl says Slack, with more than 3 million daily users and total dominance in the market (77 percent of Fortune 500 companies now use it), is prone to leaks when employees don’t think about taking secure files and sharing them in a way that could create a serious problem.

“The insider threat is very real with Slack, whether it is in the form of an employee accidentally sharing a customer database, intentional disclosure of company business plans, or Social Security numbers being shared to the public cloud,” he says.

Mike McCamon, president of SpiderOak, a builder of online privacy tools, went several steps further in questioning collaborative software security. He compares these apps to the USB thumb drive a user carries out of the building containing company financials. And, he says, he has heard of some companies starting to question the use of these apps.

The biggest issue, of course, is that few of the collaborative chat apps use end-to-end encryption for user activity. Hackers could sniff out a file transfer from one of these Web-based apps, which rely on the browser as the main security platform.

“There is a long history of browser, plugin, and extension vulnerabilities,” he says.

“Corporations are completely dependent on a patchwork of software from a variety of vendors. Malware such as the keyloggers installed through browsers provide hackers access to ‘secure web apps’ by recording -- and later impersonating -- user actions on public websites.”

What to do right now

It’s a serious problem, but there are steps you can take.

Chris Gervais, vice president of engineering at cloud security and compliance company Threat Stack, told CSO that companies should take some immediate actions. Surprisingly, while Slack and Convo both offer two-factor authentication (users must verify their identity after receiving a code on their phone, for example), many companies don’t use it. Enabling it creates a tighter circle of control over leaked information among registered users.

Gervais says companies can also set a custom retention period for files so that they are no longer available some time after they are shared within the collaborative environment. Many group chat tools like HipChat also allow you to set how long a chat remains available in history. It’s also crucial to monitor (or even outright block) which bots can be added.

In Slack, he says, there is a potential threat of third-party Slackbots sharing information from a company without your consent. He says you also need to audit registered users, restrict access (you might decide not to allow any contractors to access Slack, for example), and upgrade to the standard pricing plan so you can enable OAuth to control user provisioning.

“As with enterprise cloud security, visibility is key to helping secure Slack and similar collaborative tools,” he says. “Make sure you know who you're giving access to and what rights you're giving to people outside your organization.”

Another approach is more radical. Anurag Lal, CEO and president of Infinite Convergence Solutions, an enterprise chat tool, says larger companies really shouldn't be using these free and consumer-oriented chat apps. He says Slack in particular started as a gaming chat tool, and it doesn't scale well when used with thousands of users in terms of existing security infrastructure, file encryption, or even best business practices.

That’s a major step, and one that could cause a user revolt. Slack, Convo, HipChat, and many others do provide exceptional value in terms of business process and productivity. They trump the delays and overload caused by email. Yet anyone who decides to deploy these apps, which are free to use initially, should mitigate the threat they pose.
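The audit steps Gervais recommends above (check who has two-factor authentication enabled, who the guests and contractors are, and which bots have been added) can be turned into a repeatable review of the workspace member list. The following is an added example written for this article, not code from Slack, Threat Stack or CSO. It runs offline over a constructed sample shaped like the response of Slack's users.list Web API method; the field names it reads (has_2fa, is_admin, is_restricted, is_ultra_restricted, is_bot, deleted) are taken from Slack's documented user object as best understood here, and an admin would substitute the real API response for SAMPLE_USERS_LIST.

```python
"""Audit a Slack-style member list for the weak spots named in the article:
active accounts without two-factor authentication, guest accounts
(contractors and other outsiders), and bot users that need review.

SAMPLE_USERS_LIST is CONSTRUCTED sample data in the shape of a users.list
response; nothing here calls the live Slack API."""

from dataclasses import dataclass, field
from typing import List

# Constructed sample: what an admin-scoped users.list call might return.
SAMPLE_USERS_LIST = {
    "ok": True,
    "members": [
        {"id": "U01", "name": "alice", "deleted": False, "is_bot": False,
         "is_admin": True, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": True},
        {"id": "U02", "name": "bob", "deleted": False, "is_bot": False,
         "is_admin": False, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": False},
        {"id": "U03", "name": "contractor-carol", "deleted": False,
         "is_bot": False, "is_admin": False, "is_restricted": True,
         "is_ultra_restricted": False, "has_2fa": False},
        {"id": "U04", "name": "dave-left-company", "deleted": True,
         "is_bot": False, "is_admin": False, "is_restricted": False,
         "is_ultra_restricted": False, "has_2fa": False},
        {"id": "B05", "name": "thirdparty-bot", "deleted": False,
         "is_bot": True, "is_admin": False, "is_restricted": False,
         "is_ultra_restricted": False},
    ],
}


@dataclass
class AuditReport:
    no_2fa: List[str] = field(default_factory=list)         # active humans, no 2FA
    admins_no_2fa: List[str] = field(default_factory=list)  # highest-risk subset
    guests: List[str] = field(default_factory=list)         # multi/single-channel guests
    bots: List[str] = field(default_factory=list)           # bot users to review


def audit_members(response: dict) -> AuditReport:
    """Walk a users.list-shaped payload and bucket accounts by risk.

    Deactivated accounts are skipped: they cannot sign in, so they do not add
    to the exposure the article describes. A missing has_2fa value is treated
    as "not enabled" so that it surfaces in the report rather than hiding."""
    if not response.get("ok"):
        raise ValueError("users.list did not succeed: %r" % response.get("error"))
    report = AuditReport()
    for member in response.get("members", []):
        if member.get("deleted"):
            continue
        name = member.get("name", member.get("id", "<unnamed>"))
        if member.get("is_bot"):
            report.bots.append(name)   # every bot gets a human review
            continue
        if member.get("is_restricted") or member.get("is_ultra_restricted"):
            report.guests.append(name)
        if not member.get("has_2fa", False):
            report.no_2fa.append(name)
            if member.get("is_admin"):
                report.admins_no_2fa.append(name)
    return report


def format_report(report: AuditReport) -> str:
    """Render the report as plain text for a ticket or a weekly review."""
    sections = [
        ("Admins without 2FA (fix first)", report.admins_no_2fa),
        ("Active users without 2FA", report.no_2fa),
        ("Guest / contractor accounts", report.guests),
        ("Bot users to review", report.bots),
    ]
    lines = []
    for title, names in sections:
        lines.append("%s: %s" % (title, ", ".join(names) if names else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_members(SAMPLE_USERS_LIST)))
```

The ordering of the checks is deliberate: bots are separated first because they are not people and the question for them is "who installed this and what scopes does it hold", guests are flagged regardless of 2FA because the article's advice is to decide whether outsiders belong in the workspace at all, and admins without 2FA are pulled out as their own line because that is the account class whose compromise exposes everyone else's files.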