6 Steps to Better Digital Security with Slack

Moving your team away from email and into Slack has some real security advantages.


One of the biggest reasons to use Slack instead of email is security. Slack itself has top-notch industry-standard security. If you want to dig in, you can see their full security info here.

But digital security isn’t just about the practices of the companies who make the tools you use. It’s also about the practices and systems you set up for the folks on your team. Using Slack makes it easier to follow some of the best practices for keeping your information secure.

Getting important information out of email.

The biggest security win from Slack is getting your important campaign info out of your email and your volunteers’ email. When you send an email to someone, that email can hang out indefinitely in their email account, unless they decide to delete it. That means that anyone with access to that person’s email account any time in the future can get access to any info you ever sent them. That’s no good. This could mean someone who has hacked into your volunteer’s email account, or even just the volunteer themselves, even after they’ve left your team.

Keeping important information and announcements (and even sensitive discussions) out of folks’ email accounts, and inside of Slack can allow core organizers to maintain control over who has access to information. You can do this by 1) using private channels for posts and discussions that not everyone needs to have access to, 2) limiting how long information is retained in Slack, and 3) making sure that when volunteers or staff leave your team, you also remove them from your Slack workspace.

We’ll walk you through how to set these things up in a moment.

Enabling 2FA to keep access to your Slack workspace more secure.

Two-factor authentication, or 2FA, is a must. 2FA limits the chances of someone getting access to your Slack account because it requires that you have two ways to prove that you should have access — your Slack password PLUS a time-limited secret code. The code is generated by a method far too complicated for this guide, but you can get the code you need either by using an “authenticator app” or via SMS to a phone number you’ve provided. Using an app is highly preferred, but if your volunteers don’t have access to a smartphone, SMS will do the trick.

Keep in mind that once someone is signed in to their Slack account on their phone or computer, it’s not going to make them re-sign in every time they fire up the Slack app. So, using 2FA can seem like it’s a pain, but you don’t have to do the whole dance every time, and trust me, the security boost is worth it.

Must: Set up mandatory workspace two-factor authentication

Now, right out of the box, 2FA is optional in Slack, but I cannot stress enough how important it is to change the settings for your Slack to require that all of your teammates use 2FA to log in to their accounts. Here are Slack’s instructions to turn on mandatory 2FA.

Setting expectations and norms for what to share in which channels.

Once you’ve got your channels and such set up, it’s important to make sure everyone knows what is and what is not ok to share in channels. For example, you wouldn’t want to post passwords in the #general channel, or the identity of your secret special speaker guest in #random. You can set these expectations as part of your new-volunteer or new-staff onboarding.

From time to time, people will post things in public (or even private) channels that shouldn’t be there. Don’t forget that you, as an admin, have the ability to delete other people’s posts in case of emergency. And if you yourself post things you didn’t mean to, or make an embarrassing typo, you can delete your posts, too. Bonus! Admins can also delete files shared in Slack. This is super helpful for when documents get shared accidentally, or when they get out of date. You don’t want someone finding old instructions or phone scripts because they’re just hanging out in Slack!

For more info on deleting messages, check out Slack’s own guide to deleting messages.

For info on deleting documents, Slack’s got a great guide here, too.

Private channels and DMs.

One of the cornerstones of a good digital security game plan is to make sure people on your team have access to the information they need, but not the information they don’t need. In Slack, you can achieve this by using private channels. Private channels can only be accessed by folks who have been explicitly invited. Public channels, on the other hand, are open for anyone to discover and join.

Some good ideas for channels to keep private are: #hiring, #security-issues, #leads, #data-captains, #phonebank-captains, #fellows, #interns, etc.

Pro Tip: Make all your channels private! Make sure that every person in every channel really needs to be there.

Another exciting feature of Slack is the ability to direct message, or DM, folks on your team. This is a great way to have 1:1 conversations. If you need to have an ad-hoc discussion with a small group of folks, but don’t quite need to make a whole new channel, you can use group DMs. For more details, check out Slack’s full guide on DMs.

Single-channel and Multi-channel guests.

On paid Slack accounts, you have an added feature of being able to invite people to participate in your Slack team with limited access — Single- and Multi-channel guests! If you’ve got folks you want to be able to communicate with in Slack, but you aren’t quite ready for them to have full run of your workspace, they can be added to the workspace as guests! Guests have access ONLY to the channels in your Slack that you invite them to, plus DMs. Single-channel and multi-channel guests are a great way to include low-key volunteers in your Slack community, without giving them free rein to poke around in your Slack. Single-channel guests have fewer permissions in the workspace, and do not count as billed members.

Here’s an example of how you could use Slack’s guest features: Create a phonebank-chat channel for all your team’s at-home phonebankers and invite volunteers who are phonebanking as single-channel guests to that room. They can talk with all the other phonebankers, get announcements from your phonebank captains, and maintain that sense of community, even when they’re away from the field office! And if you need to, you can always remove individuals from the channel (or even set an automatic expiration date for their membership!).

Learn more about the nuts and bolts of guest accounts on the Slack help site.
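
An added example, not part of the original guide or Slack's own code: a short Python audit that ties together the mandatory-2FA and guest-account sections above by listing who still lacks 2FA and who is a guest. It assumes you have the JSON returned by Slack's users.list Web API method, fetched with an admin token so the has_2fa field is present; the member records below are constructed sample data.

```python
import json

# Constructed sample shaped like a users.list response
# (IDs and names are made up for this example).
SAMPLE_USERS_LIST = json.loads("""
{"ok": true, "members": [
  {"id": "U001", "name": "ana", "deleted": false, "is_bot": false,
   "is_admin": true, "has_2fa": true},
  {"id": "U002", "name": "ben", "deleted": false, "is_bot": false,
   "is_admin": false, "has_2fa": false},
  {"id": "U003", "name": "carla", "deleted": false, "is_bot": false,
   "is_restricted": true, "is_ultra_restricted": true, "has_2fa": false},
  {"id": "U004", "name": "dev", "deleted": false, "is_bot": false,
   "is_restricted": true, "is_ultra_restricted": false, "has_2fa": true},
  {"id": "U005", "name": "former", "deleted": true, "is_bot": false},
  {"id": "U006", "name": "pollbot", "deleted": false, "is_bot": true}
]}
""")

def audit_members(response):
    """Sort active human accounts into the buckets an admin should review."""
    if not response.get("ok"):
        raise ValueError("users.list call failed: %s" % response.get("error"))
    report = {"missing_2fa": [], "admins_missing_2fa": [],
              "single_channel_guests": [], "multi_channel_guests": []}
    for m in response.get("members", []):
        # Deactivated accounts and bots cannot sign in interactively.
        if m.get("deleted") or m.get("is_bot"):
            continue
        name = m.get("name", m.get("id"))
        # An absent has_2fa is treated as "not enabled" so gaps fail closed.
        if not m.get("has_2fa", False):
            report["missing_2fa"].append(name)
            if m.get("is_admin"):
                report["admins_missing_2fa"].append(name)
        # is_ultra_restricted marks single-channel guests; is_restricted
        # alone marks multi-channel guests.
        if m.get("is_ultra_restricted"):
            report["single_channel_guests"].append(name)
        elif m.get("is_restricted"):
            report["multi_channel_guests"].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in audit_members(SAMPLE_USERS_LIST).items():
        print(f"{bucket}: {', '.join(names) or 'none'}")
```

Anyone in missing_2fa needs a nudge before you switch on mandatory 2FA, and the guest lists are the accounts to check against your current volunteer roster.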

Retention policies.

Slack is a great way to communicate with your team, and your volunteers. But you definitely don’t want to keep all of your messages and conversations around forever. One of the great things about Slack is that you can set retention policies, and automatically delete chats after a period of time. You can also set different retention policies for different channels. You may want a one-week expiration for your phone-bank chit-chat channel, but a one month expiration for your phone bank captains’ channel. It’s up to you! The shorter your retention policies are, the lower your security risk if someone does gain access to your Slack team. They can’t see what’s already been auto-deleted.

Retention policies: 100% worth it.

Keep in mind, though, that the retention policies are only available on a paid Slack plan. It’s worth it, though. As always, Slack’s got a more detailed guide on how to set up retention policies here.


Slack is a great tool, and can be a game changer for a scrappy, grass-roots team. But as with everything, you need to make sure you have your security game on point. So, remember — 2FA is your friend, limit people’s access to sensitive info, and don’t keep things around any longer than you need to, and you’ll be well on your way to digital safety.

Catch up on the previous installment to this series, 5 Steps to Setting Up Your Slack for Organizing before moving on to the final guide, 3 Ways to Make the Most of Your Team’s Slack.

 