A Slack breach would be a nightmare in terms of exposed sensitive data. Here's how to lock down your Slack workspaces. Credit: Slack Slack, the popular enterprise workspace collaboration tool and IRC clone, does not offer end-to-end encryption, making any breach of Slack’s servers potentially catastrophic for users around the world. If you or your organization would suffer severe damage if internal Slack conversations leaked, then it’s time to either consider encrypted Slack alternatives or mitigate the risk by locking down your Slack workspaces. We caught up with Andrew Ford Lyons, a technologist working on digital security for at-risk groups at Internews in the UK, for his advice.While none of these tips can fully protect you from a breach at Slack, or any of the other threats to the confidentiality of your Slack workspaces, they can make the inevitable less catastrophic.1. Enable two-factor authentication (2FA)Slack offers 2FA. It’s good. It’s usable. Use it. It won’t protect you if Slack gets breached, but it will make it difficult for attackers to phish you or your organization.Slack supports Google Authenticator, Duo Mobile, Authy, 1Password and (in the unlikely event you’re using a Windows Phone) Microsoft Authenticator, depending on what mobile device you’re using. Slack also supports SMS 2FA, which you should not ever use unless you can’t avoid it. While any 2FA is better than nothing, SMS 2FA is far less secure than using a soft token. There’s no sign of hard token (think: Yubikey) support for Slack yet. Yubico, the leading hard token maker, announced in January its support for mobile devices. Larger organizations concerned about account security might drop Slack a friendly note asking when to expect Yubikey support.One 2FA gotcha: Be sure to turn on mandatory 2FA, as Slack ships with this setting turned off by default. Accidents happen even at organizations whose threat model doesn’t include phishing (which seems unlikely, but work with me here). “How many people are walking around with Slack without 2FA and they lose their phone?” Lyons asks2. Just say no to non-critical third-party integrationsSlack offers a ton of third-party app integrations. Although Slack reviews all third-party apps for appropriate permissions and data access, every additional integration increases the overall attack surface to your organization. Remove them unless you absolutely must have them.In 2016, more than 1500 Slack access tokens, hard-coded into open source projects, were discovered on GitHub. “Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members,” our colleague at PC World reported at the time.“If I’m talking to you and you have a bunch of crazy integrations, then that’s affecting my conversation with you,” Lyons says.The network effects of integrating multiple work tools means that a flaw in any of them affects the security of all of them. Assume breach and compartmentalize. Organizations that choose to accept the elevated risk to their Slack workspaces to gain a slight productivity advantange should do so with eyes open, aware of the risks.3. Turn off Slack email notificationsIf you’re worried about the confidentiality of your Slack workspaces, turn off Slack email notifications. Every mention of a user in a Slack channel goes to the user’s email inbox or appears as a push notification by default. Users can turn off this default, and admins can enforce this setting in higher paid tiers. “Even with full Slack email notifications turned off, email is a weak point in Slack security, as that’s where password resets and account recovery processes happen,” Lyons says, noting that 2FA should be deployed on both Slack and the corresponding users’ email accounts.One of the big advantages of Slack is that it’s far more usable than CC’ing dozens of people in an email. Keep Slack and email separate whenever possible.4. The human element: Choose Slack participants wiselyHumans are always the weakest link. Be selective about who you allow to join Slack channels. Do so on a need-to-know basis. Disenroll inactive members or employees after a set period of time. The fewer people who have access to sensitive information, the less likely it is to leak. Five hundred employees on an internal Slack channel might as well be writ large in the clouds for all the world to see.Setting automatic session logouts, instead of the infinite login sessions Slack allows, can help weed out inactive accounts. Don’t set the session to be too short, though, Lyons warns, as users will find this very annoying, especially on mobile. Use guest accounts for contractors or users who need limited access for a shorter period of time. “If you’re a client of mine,” Lyons says, “I can give you a guest account to one channel and you can’t see anything else, and it will expire in one month or two months or whatever I set it for.”Encryption is great for securing messages but it can’t fix human nature. Slack messages are not ephemeral. Think about what you’re typing, where you’re typing it, and the permanent nature of your words. After all, a breach at Slack, a phished co-worker, or a rogue insider can’t hurt you with words you never typed in the first place. Related content news analysis DHS unveils one common platform for reporting cyber incidents Ahead of CISA cyber incident reporting regulations, DHS issued a report on harmonizing 52 cyber incident reporting requirements, presenting a model common reporting platform that could encompass them all. By Cynthia Brumfield Sep 25, 2023 10 mins Regulation Regulation Regulation news Chinese state actors behind espionage attacks on Southeast Asian government The distinct groups of activities formed three different clusters, each attributed to a specific APT group. By Shweta Sharma Sep 25, 2023 4 mins Advanced Persistent Threats Cyberattacks feature How to pick the best endpoint detection and response solution EDR software has emerged as one of the preeminent tools in the CISO’s arsenal. Here’s what to look for and what to avoid when choosing EDR software. By Linda Rosencrance Sep 25, 2023 10 mins Intrusion Detection Software Security Monitoring Software Data and Information Security feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Data and Information Security IT Leadership Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe