Collaboration Security

CTO Confessions: I love Slack and it scares me


You wake up. What do you check first, your email or your Slack?

For me, it is Slack.

Surprised? It was not always the case!

My Slack journey began 4 years ago. I was setting up JIRA and desperately needed some advice - web forums had failed me.

By chance, I found a list of Slack communities for product people. In those communities, I saw the real power of Slack: speed.

In less than 10 minutes, I could get real-time answers to questions that took 3 days to resolve online.

We set up a Slack workspace. Our team picked it up quickly without training or persuasion.

What took it to the next level: the JIRA, Bitbucket, and Confluence integrations. No more hopping between Outlook, Eclipse, and Chrome - we could stay in Slack and do it all from one location. They were so easy and useful for our team that within a few months, our organization was using 72 Slack integrations.

Finally: the slash commands. Just like Gmail shortcuts, slash commands let me work faster and boost my productivity. They have certainly saved me from getting carpal tunnel syndrome!

The productivity magic of Slack. (Source: Slack)

Then, I heard about the General Services Administration (GSA) data breach.

Using Slack exposed more than 100 GSA Google Drive accounts -- essentially, storage files -- to outsiders for at least five months ... Vulnerable information included personally identifiable information and proprietary information belonging to contractors, the report said.

My security instincts kicked in. I realized that I too had no visibility into data access and sharing by third-party apps. I had to slam the brakes and reassess. We've since put in place a monthly review of all third-party integrations.

So far, security in Slack has been manageable.

Slack Connect, the new email killer, has complicated things.

Slack Connect lets you connect with third parties – vendors, customers, and partners – directly from your existing workspace. It makes collaboration between organizations significantly faster. We can confirm – we use it ourselves.

When I put my product and security hats on, I see this playing out at Slack organizations worldwide:

  1. Employees independently sending out Slack Connect requests to vendors, customers, and partners
  2. Outsiders spamming employees with Slack Connect requests over email
  3. Classic spoofing and phishing tactics. Which is the real IBM Slack workspace, ibm1.slack.com or ibm2.slack.com? Will employees know? Will they check before they click?

Those types of threats demand visibility and protection.
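One defender-side check for the third scenario, as an added example that is not from the original post and not Clearedin's code: it parses a Slack Connect invite link, extracts the workspace label, and flags labels that only match a vetted partner once digits and hyphens are stripped, or that sit one edit away from one. The allowlist names and sample links are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of partner workspaces the security team has already
# vetted (hypothetical labels, not real customers).
KNOWN_WORKSPACES = {"ibm", "acme-corp", "example-vendor"}


def workspace_from_url(url: str):
    """Return the workspace label of a *.slack.com URL, or None for any other host."""
    host = (urlparse(url).hostname or "").lower()
    # The bare slack.com host carries no workspace; anything not under
    # .slack.com (including slack.com.evil.example) is not a workspace either.
    if host == "slack.com" or not host.endswith(".slack.com"):
        return None
    return host[: -len(".slack.com")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats (ibn vs ibm)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_invite(url: str, known=KNOWN_WORKSPACES) -> str:
    """Classify an invite link as 'trusted', 'lookalike', 'unknown' or 'no-workspace'."""
    ws = workspace_from_url(url)
    if ws is None:
        return "no-workspace"
    if ws in known:
        return "trusted"
    # 'ibm1', 'ibm2' and 'ib-m' all collapse to 'ibm' once digits/hyphens go.
    stripped = re.sub(r"[^a-z]", "", ws)
    for k in known:
        if stripped == re.sub(r"[^a-z]", "", k) or edit_distance(ws, k) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://ibm.slack.com/", "https://ibm1.slack.com/", "https://ibm2.slack.com/"):
        print(link, "->", classify_invite(link))
```

A "lookalike" or "unknown" result is a reason to route the invite to whoever owns the partner allowlist before anyone accepts it, not a verdict on its own.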

Slack starts off as your instant messenger. With third-party integrations, it becomes your browser. With slash commands, it becomes a Command Line Interface (CLI) for your integrations.

Slack = Chat + Chrome + PowerShell.

I love it, and it scares me.
