

We need to talk ... about team chat app security

Team collaboration applications such as Slack and Unify Circuit can make life easier for enterprises. But for some organizations, the risk might not be worth the reward.

At charity: water, a nonprofit that provides clean drinking water to developing communities around the world, the team chat app Slack has become instrumental in creating efficient workflows. But Slack's headline-grabbing security incidents prompted charity: water's head of IT, Ian Cook, to deploy extra precautions.

"One of my worries is that people get too comfortable communicating over chat and -- with hacking being a constant battle for these applications -- I needed to know the policies we set could be enforced," Cook said.

Slack, along with Unify Circuit, HipChat and a slew of others, is among a generation of persistent team workspaces -- platforms that preserve ongoing, topic-specific collaboration sessions -- that business units are adopting to boost collaboration. Many are doing so without involvement from IT, opening their organizations up to significant risk. In April 2016, for example, security expert and white hat hacker David Vieira-Kurz discovered a vulnerability in Slack that would allow hackers to hijack user accounts. Slack has since fixed the bug.

To minimize charity: water's risk, Cook decided to participate in Slack's beta of GreatHorn, a web-based security tool that "wraps around" the team chat app. Using GreatHorn, Cook matches acceptable use policies to filters that alert him when security rules might have been violated. For instance, if a user puts language related to tax forms or wire transfers into Slack, he receives an immediate notification and can contact the user.
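The policy-to-filter mapping described above, reduced to code as an added example. This is not GreatHorn's, Slack's or charity: water's code: the rule names, the regexes, the message format and the sample messages are all constructed for illustration, and a real deployment would feed messages in from the platform's export or event stream rather than from a list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Acceptable-use policies expressed as detection rules. Rule names and
# regexes are constructed for this example; they are not GreatHorn's syntax.
POLICY_RULES = {
    # U.S. tax form identifiers that should not travel over chat
    "tax-forms": re.compile(r"\b(?:W-?2|W-?9|1099(?:-[A-Z]+)?|1040)\b", re.IGNORECASE),
    # Phrasing typical of payment instructions (and of invoice-fraud lures)
    "wire-transfer": re.compile(
        r"\b(?:wire\s+(?:transfer|the\s+funds)|routing\s+(?:number|no\.?)|swift\s+code|iban)\b",
        re.IGNORECASE,
    ),
    # U.S. Social Security Number shape; redacted before it reaches the alert stream
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

SSN_REDACTED = "[SSN REDACTED]"


@dataclass(frozen=True)
class Alert:
    channel: str
    user: str
    rule: str
    snippet: str  # short, redacted context so the alert itself does not leak data


def _snippet(text: str, start: int, end: int, width: int = 25) -> str:
    """Return the matched text with a little context, SSNs redacted."""
    window = text[max(0, start - width): end + width]
    return POLICY_RULES["ssn"].sub(SSN_REDACTED, window)


def scan_message(msg: dict) -> list[Alert]:
    """Return one Alert per policy rule that matches the message (first hit per rule)."""
    alerts = []
    for rule, pattern in POLICY_RULES.items():
        m = pattern.search(msg["text"])
        if m:
            alerts.append(
                Alert(msg["channel"], msg["user"], rule, _snippet(msg["text"], m.start(), m.end()))
            )
    return alerts


def scan_messages(msgs: list[dict]) -> list[Alert]:
    """Scan a batch of messages (e.g. one day's export) and collect every alert."""
    return [a for msg in msgs for a in scan_message(msg)]


# Constructed sample messages in a minimal {channel, user, text} shape.
SAMPLE_MESSAGES = [
    {"channel": "#engineering", "user": "alice",
     "text": "Deploying the new build at 3pm, ping me if anything breaks."},
    {"channel": "#finance", "user": "bob",
     "text": "Can you wire transfer $12,500 to the vendor today? Routing number is 021000021."},
    {"channel": "#hr", "user": "carol",
     "text": "Dave's W-2 is attached, his SSN is 123-45-6789"},
    {"channel": "#random", "user": "dan",
     "text": "Meet at 1040 Broadway after the design review."},
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(f"[{alert.rule}] {alert.channel} {alert.user}: {alert.snippet!r}")
```

Two things the sample set is meant to show. Keyword rules are noisy: the street address "1040 Broadway" trips the tax-form rule just as a real Form 1040 would, which is why the output is a notification for a human to triage, as Cook describes, rather than an automatic block. And the alert carries a redacted snippet, so the alert channel does not quietly become a second copy of the very data the policy is trying to keep out of chat.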

"We've been lucky so far. We haven't had any serious threats via Slack," Cook said. "But I am staying vigilant to protect the organization and to make sure we stay in compliance."

Clear benefits

Although many enterprise-level unified communications vendors like Cisco and Microsoft have offerings in this space, stand-alone or freemium persistent workspace applications are still popular among businesses, according to Irwin Lazar, vice president and service director at Nemertes Research. A third of companies he recently surveyed officially allow the use of these kinds of applications.

Business units, which consider these tools a pathway to agility, tend to foot the bill, Lazar said, but IT ends up having to support the applications.

Lazar added that IT should be proactive and understand that people find a lot of value in this form of communication. Nemertes itself uses Slack, after the application won an internal bake-off against HipChat. In fact, the firm just launched a hook between its website and Slack that enables the Nemertes team to respond quickly to broken links and new logins.


Charity: water's Cook said the benefits of team-based messaging make the security and support tasks worthwhile. Usage at the nonprofit started with the engineering team, but today, all 80 staff members, as well as contractors and interns, have Slack access. Cook has vetted the application, making sure messages can be encrypted in transit and at rest and that it supports two-factor authentication. He hopes to soon use Slack's Security Assertion Markup Language (SAML) support to tie the application into the organization's Okta single sign-on tool.

The company currently has more than 108 Slack channels or ongoing collaboration sessions. Users rely on them for everything from discussing potential new hires to recognizing co-workers for excellent work.

Cook aims to whittle the total number of channels down to 50 or 60 for tighter security. He and his team have begun an internal Slack audit, identifying orphaned sessions that they can archive or delete.

Cook said the most important team chat app channel is for the emergency response program. When a massive crane collapsed in February in front of the organization's New York City headquarters, employees knew exactly where to share their status on Slack.

"We heard back from all of our staff within two hours and knew they were safe," Cook said.

Risky business

Despite the benefits that many team chat app users cite, some experts say the rewards aren't necessarily worth the risk. David King, senior manager of the internal audit, risk and compliance practice at professional services firm UHY Advisors, said he probably would not have allowed Slack in his previous position as a CIO at a hedge fund.

"I know people are trying to modernize email and make it more dynamic, but they also are giving up control," King said.

He added that the new, stand-alone team messaging apps don't yet compare to traditional enterprise-level services in terms of maturity and security, and suggested that most organizations can use their existing products to meet internal communication needs.

"You have to know how the messages are being protected and retained," King said. "None of these team-based applications have focused on that as part of their service. It just doesn't feel like we are there yet."

He worries about scenarios such as unreleased quarterly results being discussed in an unsanctioned Slack channel and then exposed in a data breach, and he called the likelihood of such a scenario unfolding "high."

If a CTO does decide to consider a team chat app, King recommended putting the platform through its paces on the risk management side -- building a use case and subjecting it to the regular channels of due diligence.

"Once it is deployed, IT should have a way to turn off access to the application when employees leave and to stop unauthorized use on the network," he said.

Lysa Myers, security researcher at security software company ESET, worries that as these messaging applications get more popular, they'll become a bigger target for hackers. And she added that users themselves are the biggest problem.

"Are they talking about things that they shouldn't be talking about on an unencrypted channel? Most people will not go the extra step of turning on encryption," she said.

Myers encouraged IT to get specific about policies and what can and cannot be discussed over team chat app channels. For instance, hospital workers should never share any information protected under Health Insurance Portability and Accountability Act (HIPAA) privacy rules, in case the platform is hacked.

"Users have to understand these are not the most secure venues, as well as the consequences if they break the rules," she said.

Like King, Myers urged IT managers to weigh a given messaging platform's approach to security, conducting a thorough risk assessment before adoption.

She hopes that team chat app vendors themselves will start to enact more secure coding practices, but until then, enterprise IT departments must stay attentive.

"You don't want to open the door and let all your company's information flow out," she said.
