It’s almost a guarantee that we all use some type of messaging platform or app in our day-to-day lives at work. Slack, Teams, Google, and the list goes on. But have you ever stopped to think about the security of these platforms (or lack thereof)? Or about what happens to the documents you share via these platforms? We’re going to look at the security of the top three business messaging platforms so you can feel prepared and make the best decision for your business about how to communicate in-house! Let’s chat.

Platform 1: Slack

Fun facts:

  • Slack has 65 million monthly active users
  • Slack has 38.8 million daily active users
  • More than 750,000 organizations use Slack
  • More than 1.5 billion messages are sent in Slack daily.

Slack is one of the leading business messaging platforms on the market. In a recent white paper, Slack’s security team said “the focus of Slack’s security program is to prevent unauthorized access to customer data.” In addition to their security development lifecycle, they created a public bug bounty program called HackerOne to help with the disclosure of vulnerabilities.

As far as data is concerned, each customer’s data is located in shared infrastructure, logically separated from other customers’ data. As an organization, you can also choose the country or region where your data is stored at rest through Slack’s data residency.

You may be wondering who owns the data you share in a Slack workspace. According to Slack’s privacy agreement, as the customer, you do! This agreement states that as the customer, you own and control all data shared to a workspace, and Slack processes that data on your behalf. This can pose a risk: it’s unknown which staff members at Slack have access to what data, when, and how. As far as hosting goes, Slack is hosted on Amazon Web Services, so the default location for where your data is stored is AWS US.

Slack also gives you the option and ability to link third-party apps like your Google Calendar, Google Drive, your CRM, and more. While this is convenient, it comes with risk, too. In 2016, employees at 18F (a digital services agency in the Department of General Services) shared Google Drive documents through Slack, and in turn, exposed over 100 governmental Google Drive accounts for nearly six months. So be mindful of what you share when you link third-party apps to your Slack platform, and perhaps integrate more authentication protocols to keep the information safe.

Platform 2: Microsoft Teams

Microsoft Teams is the leading platform in business messaging, and it has some security measures already built into it. Those built-ins include:

  • End-to-End Encryption (E2EE)
    • This helps prevent third parties from accessing any of your organization’s voice, video, and screen-sharing data.
  • Azure Active Directory (Azure AD)
    • This is a repository that lets admins manage the identities in the platform, including who has what permissions. It also provides single sign-on and multi-factor authentication.
  • Transport Layer Security (TLS)
    • This is used to prevent eavesdropping, and helps keep your data encrypted. 
  • Compliance Standards
    • These help your business stay compliant with certain standards, including HIPAA.
  • Communication Monitoring
    • This feature allows administrators to keep tabs on the conversations happening within the software. With this, administrators are able to make certain keywords trigger alerts to keep certain topics of conversation at bay.
  • Activity Reports
    • This feature allows administrators to gain insight into the activities people in their company are engaging in within the platform. Some of the insights available are meeting times and schedules, and how much time team members spend in the chat functions.
  • Supervised Chats
    • This can help mitigate the risk of private conversations within the software. It restricts private messaging.
  • Microsoft Defender 
    • This feature targets malicious activity as it relates to sharing files that could lead to a security incident. 

While Microsoft Teams has all these security measures in place, it’s still wise to evaluate all the pros, cons, and security risks involved. For example, by default, everyone in a Teams account can create a team. This opens the door for guests and employees to upload malicious files or software to any channel, compromising the security of your company. Therefore, it’s up to you and/or your security team to do the necessary research to mitigate risk.

Platform 3: Google Meet

This is a messaging platform where people can instant message one another, on either a personal or a professional basis. While Google Chat encrypts your messages upon sending, it does not offer end-to-end encryption, so if someone were to hack your account or the Google Chat platform, they could theoretically read your messages. Another security risk posed by Google Chat is in the security measures taken (or not taken) by Google itself. While there are no explicit terms that say your information will be used by Google, its privacy policy does say your data could be used to “maintain and improve [their] services.” Given the vague nature of this statement, it’s not clear if your data is truly safe when it’s being shared via Google Chat.

Another risk to consider is the cloud-based, integrated nature of the entire Google system. While having all of your documents, emails, contacts, etc., in one place could be convenient, it also means that if cyber criminals gain access to one of these systems, they would potentially get access to all of your Google systems, documents, and information.

Staying Secure With Your Team

Messaging at work is convenient and sometimes necessary. Even with the convenience, it’s important to mitigate the risk these platforms pose. So whether it’s multi-factor authentication, using a VPN, ensuring your data is backed up remotely, or something different, keeping your information secure is the most important part of communicating with your team. Regardless of the platform you use, take the time to truly comb through the privacy policies of that company and the security measures taken in and for the individual platforms. Happy messaging!