Phishing email attempts that appear to be from trusted vendors are on the rise, so organizations are scrambling for ways to reduce exposure to these threats. One way that’s gaining traction is to focus less on email for corporate communication, turning to collaboration tools such as Microsoft Teams and Slack.
IT security firm Barracuda surveyed several hundred “high-level decision makers” in different industries and found that more than a third were introducing workplace chat applications, like Slack and Yammer, to reduce email traffic and the associated threats.
Out of 55.5 million emails that Avanan reviewed for a global phishing email report, the cloud security firm found that a quarter were phishing attempts that made it past Office 365, with more than half of those emails containing malware.
“Email will always be necessary for communication with customers and everyone who’s not an employee or trusted partner,” said Avanan co-founder and Chief Strategy Officer Michael Landewe. That said, he points out that virtual workspaces such as Slack and Teams, by design, only allow trusted users to communicate and use data encryption in transit.
“Slack doesn’t suffer from spoofing because you can only communicate with other Slack users,” Landewe said. “There are no cross-vendor communications, for example, when an Outlook user sends a message to Gmail. And data transfer is over https—100% support for APIs and integrations—where emails are stuck with insecure, old-school SMTP.”
IM Not a Silver Bullet
In the Barracuda security report, the company warned that instant messaging is promising as a way to reduce threats but is by no means a silver bullet.
“In the short term, while a shift away from email to communications tools such as Slack might be tempting in order to temporarily ease the email burden,” the company wrote, “it might not work out in the long run, as we wouldn’t be surprised if cyber attackers just changed their tactics in response. In the longer term, the right combination of technology and security awareness training is the key to email attack protection.”
Plus, as Avanan’s Landewe points out, tools like Slack could expose companies to vulnerabilities that few may have considered.
“All communication is unfiltered, without even the most basic of protections,” he said. “The odds of getting a malicious link or file from another trusted user are small, but there are no tools in place to prevent it if it happens.”
If a malicious link did find its way into Slack, Landewe warns that it could spread more quickly than even by email: “It could cause internal wildfires; in other words, a hacker can easily send attacks to the general channel. And there are also no filters that prevent the sharing of confidential information outside a department or an organization. It is almost too easy to—accidentally or otherwise—share information with users that should not have access.”
Landewe recommends that Slack users in particular make use of the platform’s integration with third-party tools to add layers of security.
“Data loss prevention [DLP], malware, phishing, URL scanning and breach detection can be added to Slack,” he said. “These things are considered the bare minimum requirement for email. They should also be considered vital for all communication and collaboration channels—Teams, Slack, etc.”