4 tips to mitigate Slack security risks

Slack, the popular enterprise workspace collaboration tool and IRC clone, does not offer end-to-end encryption, making any breach of Slack’s servers potentially catastrophic for users around the world. If you or your organization would suffer severe damage if internal Slack conversations leaked, then it’s time to either consider encrypted Slack alternatives or mitigate the risk by locking down your Slack workspaces. We caught up with Andrew Ford Lyons, a technologist working on digital security for at-risk groups at Internews in the UK, for his advice.

While none of these tips can fully protect you from a breach at Slack, or any of the other threats to the confidentiality of your Slack workspaces, they can make the inevitable less catastrophic.

1. Enable two-factor authentication (2FA)

Slack offers 2FA. It’s good. It’s usable. Use it. It won’t protect you if Slack gets breached, but it will make it difficult for attackers to phish you or your organization.

Slack supports Google Authenticator, Duo Mobile, Authy, 1Password and (in the unlikely event you’re using a Windows Phone) Microsoft Authenticator, depending on what mobile device you’re using. Slack also supports SMS 2FA, which you should not ever use unless you can’t avoid it. While any 2FA is better than nothing, SMS 2FA is far less secure than using a soft token.

There’s no sign of hard token (think: Yubikey) support for Slack yet. Yubico, the leading hard token maker, announced in January its support for mobile devices. Larger organizations concerned about account security might drop Slack a friendly note asking when to expect Yubikey support.

One 2FA gotcha: Be sure to turn on mandatory 2FA, as Slack ships with this setting turned off by default.

Accidents happen even at organizations whose threat model doesn’t include phishing (which seems unlikely, but work with me here). “How many people are walking around with Slack without 2FA and they lose their phone?” Lyons asks

2. Just say no to non-critical third-party integrations

Slack offers a ton of third-party app integrations. Although Slack reviews all third-party apps for appropriate permissions and data access, every additional integration increases the overall attack surface to your organization. Remove them unless you absolutely must have them.

In 2016, more than 1500 Slack access tokens, hard-coded into open source projects, were discovered on GitHub. “Such tokens can provide access to chats, files, private messages, and other sensitive data shared inside the Slack teams where those developers or bots are members,” our colleague at PC World reported at the time.

“If I’m talking to you and you have a bunch of crazy integrations, then that’s affecting my conversation with you,” Lyons says.

The network effects of integrating multiple work tools means that a flaw in any of them affects the security of all of them. Assume breach and compartmentalize. Organizations that choose to accept the elevated risk to their Slack workspaces to gain a slight productivity advantange should do so with eyes open, aware of the risks.

3. Turn off Slack email notifications

If you’re worried about the confidentiality of your Slack workspaces, turn off Slack email notifications. Every mention of a user in a Slack channel goes to the user’s email inbox or appears as a push notification by default. Users can turn off this default, and admins can enforce this setting in higher paid tiers.

“Even with full Slack email notifications turned off, email is a weak point in Slack security, as that’s where password resets and account recovery processes happen,” Lyons says, noting that 2FA should be deployed on both Slack and the corresponding users’ email accounts.

One of the big advantages of Slack is that it’s far more usable than CC’ing dozens of people in an email. Keep Slack and email separate whenever possible.

4. The human element: Choose Slack participants wisely

Humans are always the weakest link. Be selective about who you allow to join Slack channels. Do so on a need-to-know basis. Disenroll inactive members or employees after a set period of time. The fewer people who have access to sensitive information, the less likely it is to leak. Five hundred employees on an internal Slack channel might as well be writ large in the clouds for all the world to see.

Setting automatic session logouts, instead of the infinite login sessions Slack allows, can help weed out inactive accounts. Don’t set the session to be too short, though, Lyons warns, as users will find this very annoying, especially on mobile.

Use guest accounts for contractors or users who need limited access for a shorter period of time. “If you’re a client of mine,” Lyons says, “I can give you a guest account to one channel and you can’t see anything else, and it will expire in one month or two months or whatever I set it for.”

Encryption is great for securing messages but it can’t fix human nature. Slack messages are not ephemeral. Think about what you’re typing, where you’re typing it, and the permanent nature of your words. After all, a breach at Slack, a phished co-worker, or a rogue insider can’t hurt you with words you never typed in the first place.