Secure Slack Adoption: What You Need to Know
Key Considerations When Overcoming Slack Adoption Challenges
Key Points
- This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
- Ensuring legal compliance and secure data management in Slack.
- Addressing Slack's complex data structure with real-time monitoring and mitigation tools.
The digital transformation of the modern workplace brought with it new ways of communicating and collaborating. Tools like Slack offer immeasurable benefits to the company that can harness them safely and securely. In this post, we review the top Slack adoption challenges holding businesses back, and the steps they can take to overcome them.
What are the benefits of Slack?
Collaboration tools like Slack have replaced email as the primary way that employees collaborate at work. Slack offers a robust and efficient platform for managing teams, group work, and one-to-one chats. Its real-time messaging enables remote and distributed teams to co-work effectively across time zones, eliminating the delays associated with traditional communication methods.
Slack also provides a repository where files and documents can be shared, either natively or through integrations with third-party apps and services like Google Drive, Dropbox, Trello, and more. This also creates a living repository of work history that supports new employee onboarding, knowledge preservation and transfer, and provides important context into past decisions.
Slack itself is available on a wide range of platforms, including desktop applications, web browsers, and mobile devices, offering increased flexibility to keep employees connected, and today Slack is also an important part of many company cultures. To support this, Slack enables social features such as emojis, gifs, and reactions, and encourages the blurring of personal and business communications.
Top Slack adoption challenges
Despite these benefits, Slack doesn’t come without risk. In democratizing access to company data, Slack can also introduce new dangers. How do companies handle legal holds, eDiscovery, or internal forensics in Slack data sets? The complexity of Slack’s messaging structure—not even admins may have complete visibility into all messages—can slow discovery, hide evidence, and provide cover for internal threat actors.
Compliance officers, too, may object to rolling out Slack. How do organizations comply with records retention policies in Slack, especially in highly regulated industries? And could they respond in time to a data subject access request (DSAR) under the GDPR or CCPA/CPRA?
The difficulty of finding data within Slack is a consequence of the way its channels and messages are structured. Simply, it’s a feature, not a bug, and that makes it harder to overcome. While legal and compliance teams may struggle to find the information they need in a timely manner, other users may stumble across proprietary and confidential data and exfiltrate it without leaving a trace. Retaining an indefinite record of all business communications, as Slack does for all paid plans by default, may result in sensitive data being compromised at a later date, but purging all Slack data can also create liabilities, as FTX discovered.
Company culture, too, can be negatively impacted by Slack. While Slack provides an easy way for coworkers to collaborate, chat, and form groups based on common interests, it also provides cover for harassment, toxicity, and abuse. There is nothing stopping an employee from sending a coworker a harassing direct message and deleting the evidence, making it difficult for HR or legal teams to confirm an incident occurred. To protect the company culture and preserve psychological safety, safeguarding employees in Slack must be a top consideration and not an afterthought.
The current state of Slack security risks
Slack offers a number of security and privacy controls that workspace owners can implement to restrict access to their Slack instance. These include two-factor authentication (2FA), SAML-based single sign-on (SSO), enterprise key management (EKM), and IP whitelisting, although some of these features require the highest tier of Slack membership, Enterprise Grid. Additionally, Slack supports major compliance standards, including SOC 2 Type II and ISO/IEC 27001, and can be used in ways that comply with HIPAA and GDPR.
Despite this, there are gaps in Slack security that businesses must also address. When compared to traditional communications like email, Slack’s data structure is extremely complex and legacy solutions cannot keep up. Rather than one-to-one or transactional messages, delivered with surrounding context (senders, recipients, subject matter, timestamp), Slack messages flow seamlessly between public channels, private groups, and direct messages with very little context.
Simply uncovering who in the organization has seen a particular Slack message may be almost impossible, especially in public channels. That complicates data loss prevention efforts if, for example, a restricted file is mistakenly uploaded in public. Given that Aware research shows 1 in 17 Slack messages contains 3+ pieces of sensitive or regulated information, the risk associated with unauthorized access to Slack messages is high.
Bespoke security solutions for Slack are often cost-prohibitive to build, and inevitably delay Slack rollouts. This can have a detrimental effect on businesses that need a real-time collaboration solution.
To solve these challenges, Slack partners with a number of third-party DLP, eDiscovery, and compliance solutions that augment Slack’s native data security features.
Slack controls that businesses need to secure collaboration
Managing Slack data is an essential part of holistic legal, compliance, security, and HR workflows. Achieving the goals of all business units without introducing additional complexity is the challenge facing IT teams and app owners rolling out Slack. Failure to meet these needs isn’t an option when auditors and regulators have made clear they are focusing on this data set.
Any solution introduced to manage Slack data must have some essential capabilities:
- Real-time compliance monitoring and mitigation
- Ability to identify and inspect attachments
- Scalable with the Slack environment
Solutions that batch-ingest Slack messages aren’t effective at mitigating risk when employees can edit or delete messages within seconds of sending them. Attachments uploaded within Slack also need to be discoverable by compliance and DLP tools, so that employees cannot circumvent the controls designed to protect Slack data. Ideally, links should also be checked to prevent phishing attacks from compromised users, as recently happened in Microsoft Teams.
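To make the batch-versus-real-time point concrete, here is an added example (not Mimecast or Aware code) of an event-driven archive that records every version of a message, keeps the text of messages that are later deleted, and flags sensitive patterns and untrusted links as each event arrives. The event shapes follow the Slack Events API `message` event and its `message_changed` / `message_deleted` subtypes as I understand them; the payloads, the detection patterns, and the trusted-host allow-list are all constructed for illustration and are far narrower than a real DLP ruleset.

```python
"""Real-time capture of Slack-style message events (constructed example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Illustrative detectors only; a production DLP ruleset is far broader (assumption).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
URL_RE = re.compile(r"https?://[^\s<>|]+")
# Constructed allow-list of hosts a link may point to without review.
TRUSTED_LINK_HOSTS = {"docs.example.com"}


@dataclass
class MessageRecord:
    channel: str
    ts: str
    user: str
    versions: list = field(default_factory=list)  # every text seen, oldest first
    deleted: bool = False


class RealTimeArchive:
    """Keyed by (channel, ts), which is how Slack identifies a message."""

    def __init__(self):
        self.records: dict = {}
        self.alerts: list = []

    def handle(self, event: dict) -> None:
        subtype = event.get("subtype")
        channel = event["channel"]
        if subtype == "message_changed":
            # The edited text lives in event["message"]; the old text is kept in versions.
            msg = event["message"]
            rec = self._get(channel, msg["ts"], msg.get("user", ""))
            rec.versions.append(msg.get("text", ""))
            self._scan(rec)
        elif subtype == "message_deleted":
            # Mark as deleted but never drop what was already archived.
            prev = event.get("previous_message", {})
            rec = self._get(channel, event["deleted_ts"], prev.get("user", ""))
            if not rec.versions and prev.get("text"):
                rec.versions.append(prev["text"])
            rec.deleted = True
        else:
            rec = self._get(channel, event["ts"], event.get("user", ""))
            rec.versions.append(event.get("text", ""))
            self._scan(rec)

    def _get(self, channel: str, ts: str, user: str) -> MessageRecord:
        key = (channel, ts)
        if key not in self.records:
            self.records[key] = MessageRecord(channel, ts, user)
        return self.records[key]

    def _scan(self, rec: MessageRecord) -> None:
        """Inspect the newest version for regulated data and unvetted links."""
        text = rec.versions[-1]
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                self.alerts.append((name, rec.channel, rec.ts))
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_LINK_HOSTS:
                self.alerts.append(("untrusted_link", rec.channel, rec.ts))


def replay(events) -> RealTimeArchive:
    archive = RealTimeArchive()
    for event in events:
        archive.handle(event)
    return archive


# Constructed sample stream: a post containing an SSN, an edit that removes it,
# the deletion of that message, and a second post carrying an unvetted link.
SAMPLE_EVENTS = [
    {"type": "message", "channel": "C123", "user": "U1", "ts": "1700000000.000100",
     "text": "customer SSN is 123-45-6789"},
    {"type": "message", "subtype": "message_changed", "channel": "C123",
     "message": {"user": "U1", "ts": "1700000000.000100",
                 "text": "customer details sent via secure portal"},
     "previous_message": {"user": "U1", "ts": "1700000000.000100",
                          "text": "customer SSN is 123-45-6789"}},
    {"type": "message", "subtype": "message_deleted", "channel": "C123",
     "deleted_ts": "1700000000.000100",
     "previous_message": {"user": "U1", "ts": "1700000000.000100",
                          "text": "customer details sent via secure portal"}},
    {"type": "message", "channel": "C123", "user": "U2", "ts": "1700000000.000200",
     "text": "sign in here https://login-example.invalid/reset"},
]

if __name__ == "__main__":
    archive = replay(SAMPLE_EVENTS)
    for key, rec in archive.records.items():
        print(key, rec.versions, "(deleted)" if rec.deleted else "")
    print(archive.alerts)
```

A batch export taken after the third event would show nothing at all for the first message; the event-driven archive still holds both versions of its text, the fact that it was deleted, and the alert raised on the original content.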
In addition to these essential components of a Slack security solution, consider vendors who offer Slack data management from a single platform that can address all GRC complexities in one place to reduce the cost and risk associated with a sprawling tech stack.
How Mimecast Aware secures and protects Slack data
As the only Slack vendor approved for DLP and eDiscovery and a GovSlack trusted partner, Mimecast Aware delivers on the requirements of security, legal, compliance, and HR teams, providing archiving, federated search, compliance monitoring, and people insights from a centralized platform that enables IT leaders to check the box on Slack data management.
Aware uses proprietary natural language processing (NLP) to analyze Slack messages in real time, identifying more instances of compliance violations with fewer false positives. Aware can also detect company-sensitive and restricted information-sharing and takes automated action to mitigate risk and coach employees on acceptable use policies.
Slack search from Mimecast Aware
- Federated search across Slack and all your connected collaboration tools
- Delivers contextualized results, along with any edits or deletions
- Search by author, date, message type, platform and more
- Quickly filter and refine results by multiple parameters for faster time-to-context
Slack compliance from Mimecast Aware
- Preserves an immutable archive of all messages, including private messages and DMs
- Bidirectionally purge content on a regular schedule, or one-click preserve content from regulated employees
- Accelerate DSAR responses and comply with employees’ Right to be Forgotten
- Configurable rules take automated action when potential compliance violations are detected
Slack DLP from Mimecast Aware
- Automate the review and remediation of messages, files, and links where data is at risk
- View the full context of messages to understand intent and improve investigations
- AI/ML analysis and real-time alerting reduce exposure when violations occur
- Toxicity and sentiment detection highlight areas of enhanced risk
Slack people analytics from Aware
- Explore trending topics as they surface, complete with aggregate sentiment
- Identify anomalous behavior and increased toxicity to minimize insider risk
- Improve employee comms with real-time insights and reactions
- Analyze long-form survey responses in minutes and summarize results with public verbatims
With Mimecast Aware, businesses can meet the needs of multiple units from a holistic solution that enables the immediate rollout of Slack while mitigating risk and extracting value in the form of aggregate insights into the topics and themes impacting employees. Schedule a call today to learn how Mimecast Aware can help you enable Slack in your organization.