This is a transcript of episode 79 of the Let’s Get Data-Driven Podcast
I’m Lanie Lamarre and the last couple of years, instead of picking a word of year or something like that, I’ve let the theme pick me by pulling a Tarot card. And not any Tarot card but a lovely Rupaul’s Drag Race themed card. This has been the year of Raja Gemini as the Queen of Swords and 2022 certainly lived up to that theme for me; last year was some Ben deLaCreme action with the 10 of Pentacles and that was all gravy. At the time of recording this, I have yet to pull my theme for this year but by the time this airs, I will have done so and if this tickles your heart strings, I very much encourage you to DM me about it @omgrowth on Instagram to nerd out over this.
But today’s episode, we’re going to talk about Slack and whether using the platform means you’ve made a deal with the Devil… and oh heavens do I hope my card of the year isn’t the mother-loving Devil, amirite?! Ugh.
We’re talking Slack today. Not about cutting you some but rather, the messaging app for businesses that many fine online entrepreneurs such as yourself use to communicate with team members and any friends nerdy enough to use the platform.
The tracking and privacy issues with Slack are going to be very different from some of the concerns we’ve discussed in the past for platforms like Google or Facebook, for instance, because Slack isn’t monetized through tracking and advertising. Instead, Slack makes its money through selling its premium tier subscriptions, though there are also free accounts that come with limits. Does this mean that because you pay for the service, you have no worries when it comes to your personal and business information and how it’s used? Of course not!
We’ve seen a great example of this recently with Elon Musk’s purchase of Twitter, where he exercised his right to access private messages exchanged between employees, didn’t care for the contents, and fired 3 employees as a direct result. Conversations and information that employees had every reason to believe would be private turned out not to be… but I’m already getting ahead of myself here.
Keep in mind that the more places you’re storing personal information – yours as well as your clients’ – the more you’re complicating your ability to be compliant with data and privacy laws. Your lady here loves an example so let’s use one: you set it up so that when someone books an appointment with you, a Slack alert comes through with that person’s contact information. Two months later, that person asks to be removed from your contact list and although they’re unsubscribed from your email, you didn’t think to remove their contact information sent from the SlackBot automation you had set up. This could be problematic for laws like GDPR and CCPA because Slack’s unlimited data retention means you may still have KiKi The Client’s contact information stored without their consent. In case you’re curious about your own Slack data retention settings, it’s possible to see them by heading to [Slack channel name].slack.com/account/workspace-settings#retention.
Does this mean you can’t or shouldn’t use Slack for things like new client notifications? Of course not – part of its usefulness is that it does things like this. But I would encourage you to limit how much information you’re automating to have sent over to the minimum amount required. If you don’t need that person’s email in the notification alert, don’t push that information through just because you can. The way around this issue without having to give up your notification is to try anonymizing as much personal information as you can when you’re using any type of communication tool like Slack; this way, you don’t have to be as worried as you otherwise would be if a data breach was announced, for instance. Another option is to have links included in your notifications back to the original source where the information is stored. In the example of a new client alert, you can have the notification come through with a link to the client profile you have in your CRM. Only those who have access to your CRM will be able to access this information and you’re not duplicating the storage of personal data unnecessarily.
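Here is what the “minimum required” notification looks like in practice. This is an added example, not code from the podcast or from Slack: it builds a Slack incoming-webhook payload from a constructed booking record, keeps only the first name, the service and the time, and points everyone back to the CRM profile instead of copying the email and phone number into the workspace. The CRM URL, the booking fields and the list of personal fields are all assumptions.

```python
import json
import urllib.request

# Constructed sample booking record, shaped like what a CRM might hand to an automation.
BOOKING = {
    "client_id": "c_4821",
    "first_name": "KiKi",
    "last_name": "Durand",
    "email": "kiki@example.com",
    "phone": "+1 555 0100",
    "service": "Strategy call",
    "starts_at": "2023-01-09T15:00:00Z",
}

# Hypothetical CRM base URL; only people who can log in to the CRM can follow the link.
CRM_BASE_URL = "https://crm.example.com/clients/"

# Fields that should never be copied into a Slack notification (assumed list).
PERSONAL_FIELDS = ("email", "phone", "last_name")


def build_notification(booking, crm_base_url=CRM_BASE_URL):
    """Return a minimal Slack incoming-webhook payload.

    Only the first name, the service and the start time leave the CRM; everything
    else stays behind the link to the client's profile, so nothing personal is
    duplicated into Slack's retention.
    """
    profile_url = crm_base_url + booking["client_id"]
    text = (
        f"New booking: {booking['first_name']} booked a {booking['service']} "
        f"for {booking['starts_at']}. Details: <{profile_url}|open client profile>"
    )
    return {"text": text}


def leaked_fields(payload, booking, fields=PERSONAL_FIELDS):
    """Names of personal fields whose values appear anywhere in the payload.

    Run this before sending so a template change can't quietly start pushing
    an email address or phone number into the workspace.
    """
    serialized = json.dumps(payload)
    return [name for name in fields if booking[name] in serialized]


def post_to_slack(payload, webhook_url):
    """Send the payload to an incoming-webhook URL (not called in the demo)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        webhook_url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    payload = build_notification(BOOKING)
    print(json.dumps(payload, indent=2))
    print("leaked personal fields:", leaked_fields(payload, BOOKING))
```

If a later edit to the template starts including the email again, `leaked_fields` returns `["email"]` and the automation can refuse to post rather than silently widening what Slack stores.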
After all, data breaches are a real and legit concern, even though according to Wired magazine, “Slack has a pretty good record when it comes to data breaches”. That doesn’t mean they haven’t had them, though. For instance, American digital services agency 18F shared Google Drive documents through Slack and as a result, inadvertently exposed more than 100 governmental Google Drive accounts at the General Services Administration (GSA) for nearly six months. The breach occurred because the GSA had made the connection between the two apps using an authentication protocol known as “OAuth 2.0,” which neither Slack nor the GSA’s IT standards had approved.
Keep in mind that the more apps you connect to a platform, the more risk you are taking on, as each connection point is a potential vulnerability for a hacker to target. “Lanie, are you telling us not to connect apps to Slack?” Of course not, because part of what makes apps like Slack so useful ARE those connections and automations. Instead, I encourage you to confirm that the appropriate protocols are being used and to review any 3rd party integrations on a regular basis, keeping the ones you still need and removing those you don’t.
Another thing you can do is make hackers’ lives harder by enabling two-factor authentication. This is when you are granted access to an account only after providing two different proofs that it’s you – something like entering your password and then confirming via a pop-up on your smartphone that this was, in fact, you trying to sign in. Is it a pain in the peach to have these redundant login steps? Indeed it is… and that’s the point. When a data breach exposed the holes in Slack’s security back in 2015, Slack enabled two-factor authentication as a means of limiting access for ill-intended players. Keep in mind that if it’s inconvenient for you to have to log in twice, it will be a downright challenge for anyone who isn’t you, so I encourage you to reframe how you think about two-factor authentication as being like the locks to your digital door: just as it’s safer to use the dead bolt with the handle lock, it’s also safer for your accounts and information to have a password and a login prompt.
But here’s the truth of it: human error is far more likely to screw you over than a hacker is… and humans are hella-prone to error.
If a hacker does get through to your data, it’ll probably be a human’s fault because humans gonna human, amirite?! If you’re using Slack as a chat room, it’s a good idea to be extra vigilant – and this applies whether you’re the host or just another chat room lounger – and be cautious about any links that could infect your own computer with malware or ransomware. In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.
If access requests to your Slack group are unvetted, it means you could have some sneaky players like these in there trying to take advantage of your humanity in all its errors. The way around this where you still engage and benefit from these types of groups while safeguarding yourself is any time anyone shares something via a link, try asking for the details so you can enter it into a search engine and find it yourself, without having to risk clicking on malicious links.
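Slack formats a link in a message as `<url|label>`, and that is exactly where the phishing trick in the story above lives: the label can say one site while the link goes somewhere else. This is an added example, not code from the podcast or from Slack: a small screen that pulls every link out of a message in Slack’s mrkdwn format and flags the things a defender would want surfaced before anyone clicks, with the two sample messages constructed for the demo. The checks (label host differs from real host, link is not https, host is a bare IP address) are heuristics I chose, not a guarantee that a link is safe.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Slack mrkdwn wraps links as <url> or <url|label>. Mentions and channel
# references use the same brackets but start with @, # or !, so skip those.
TOKEN_RE = re.compile(r"<(?P<target>[^|>]+)(?:\|(?P<label>[^>]*))?>")

# A label that itself looks like a URL or a domain name; we capture its host part
# so it can be compared with where the link really goes.
HOSTLIKE_RE = re.compile(
    r"^(?:https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:].*)?$", re.I
)

# Constructed sample messages: one ordinary, one shaped like a lookalike-label lure.
MESSAGES = [
    "Reminder: this week's notes are in <https://docs.example.com/notes|the shared doc>",
    "Your invoice is ready: <http://203.0.113.7/pay|https://slack.com/billing>",
]


def extract_links(message):
    """Return (url, label) pairs for every real link token; label is None for <url>."""
    links = []
    for match in TOKEN_RE.finditer(message):
        target = match.group("target")
        if target[0] in "@#!":
            continue  # user mention, channel reference or special command, not a link
        links.append((target, match.group("label")))
    return links


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(message):
    """Human-readable warnings for links worth looking up yourself instead of clicking."""
    findings = []
    for url, label in extract_links(message):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"{url}: not served over https")
        if host and is_ip_literal(host):
            findings.append(f"{url}: host is a bare IP address")
        looks_like = HOSTLIKE_RE.match(label.strip()) if label else None
        if looks_like and looks_like.group("host").lower() != host:
            findings.append(
                f"{url}: label reads like {looks_like.group('host')} but link goes to {host}"
            )
    return findings


if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg)
        for finding in link_findings(msg) or ["  (no findings)"]:
            print("  -", finding)
```

The second sample message trips all three checks at once, which is the pattern to train people to notice: a label that names a site they trust, sitting on a link that goes to an address they have never seen. The first message, with a plain descriptive label, produces no findings.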
Finally, you want to take operational security seriously with how you’re using apps and services like these, especially if you’re the owner of the channel. Think about what you’re sharing and with whom because, like our earlier example of the Elon takeover of Twitter providing him with access to messages, when you add a new person to a Slack channel, they are able to see past messages and files, including any gossip about them. This is why it’s a good idea to establish some boundaries around your personal vs professional use of the platform. Conversation data can also be exported and although it is harder to do with private messages and channels, know that it is still possible; for instance, should there be an investigation, a request under GDPR’s subject access rights, an audit or a court order, your Slack data is subject to these types of things.
Something else that is possible to access is information about how much a person uses Slack and there’s even an analytics page that will lay out how many messages have been sent to a workspace, which channels are most popular, how many messages individual members have sent, and more. To access this, go to [Slack channel name].slack.com/stats. I would encourage you to also understand and review what powers you’re granting people who have “admin” versus “owner” roles, and if those meet your requirements. This isn’t about whether you trust that person to access the information each role permits but rather, it’s about minimizing the risks you’re taking on. If someone with an all-access pass to your Slack channel gets hacked, then the hacker also has an all-access pass to your Slack channel when a lower access level may have incurred less damage for you.
Speaking of damage, don’t share passwords on Slack, OK? The brilliance about a platform like Slack is that you can have these quick updates and messages where everything is searchable and it keeps your inbox from getting any more cluttered than it already is for communicating developments. But some things should never be shared on Slack and for many of the reasons we’ve already spoken about, you never want your passwords to be laying about like a lizard in the sun. Leave the password management up to the password management software.
I realize this is a bit of a firehose I’m spewing at you so let’s recap some things we want to keep in mind with how we’re using Slack as responsible business owners:
- Be mindful about what information you’re storing in Slack. Don’t store passwords, avoid the automated duplication of personal information like client profile information whenever possible, and don’t write or post anything about other people that you would not want them to see.
- Review any integrations you have connected to your Slack account on a regular basis and disconnect any that you are not using.
- Enable two-factor authentication.
- Understand and grant access roles in accordance with what is necessary for people to perform their work on the platform, and not in accordance with the level of trust you have in them; remember that this is not a question of trust but of minimizing risk; and finally,
- Consider creating some protocols or standard operating procedures as to how your organization uses (and doesn’t use!) Slack, and communicate these to your team.
The context of this conversation has been Slack but hopefully, you can see how these guidelines can apply to your other uses of apps and services. Believe me that I am fully aware of how inconvenient it can be to stay on top of these things, but the more thought you put into online safety, the more it becomes second nature and the less you have to actually think of it. I’m like Pavlov’s dog salivating at the sound of the bell over here when I log in to my password manager account because I put one hand on my keyboard to type the password and my other hand is already on my smartphone, ready and waiting to hit accept to authenticate my two-factor login. Like anything, these actions become habits, the same as hitting the “lock car door” button is a habit or looking both ways before crossing the street.
And if you’re feeling scroll-y with your egg nog and fireplace this holiday season, check out that Slack channel data I mentioned that is available to you by going to [Slack channel name].slack.com/stats and [Slack channel name].slack.com/account/workspace-settings#retention and see for yourself what channel analytics are being tracked and available.
Have a good, festive, restful time, boss, and we’ll talk soon – baiiiieeee!