In a recent Spiceworks survey, 59% of respondents said that “Sensitive files/information should not be shared via collaborate chat applications.”
So, 59% think chat rooms aren’t secure. A little more than half. Healthy caution; nothing wrong with that.
But you know it’s going to happen. Someone asks a co-worker for help, not realizing they’ve asked for some Intellectual Property. The co-worker pastes it into the chat window.
What then? Does everybody gasp at once? Scramble to delete it?
Or do they just shrug and keep chatting, believing the chat room itself has enough security to protect the IP?
Chances are, they do the latter. The question is, which business chat apps DO have the security to protect data shared within them?
That’s what we’re tackling in this post. A comparison of 6 popular business chat apps at the security level.
The Source: A 2017 Spiceworks Survey
The Spiceworks survey that started all this is here: Business Chat Apps in 2017: Top Players and Adoption Plans
I came across it in my daily reading. (Hey there Spiceheads!) A group of IT Pros gave their thoughts on 6 chat apps – Skype for Business, Slack, Google Hangouts, HipChat, Microsoft Teams, and Workplace by Facebook.
This section caught my eye, talking about chat room security:
“In terms of security, the results show less than one third of IT pros are concerned about business chat apps introducing security risks. For example, 32% said messaging apps put corporate data more at risk of being hacked, and 29% said they pose a security risk that is difficult to manage.
“However, that doesn’t mean caution can be thrown to the wind. Nearly 60% of IT pros believe sensitive files/information should not be shared via group chat apps. In other words, IT pros aren’t overly concerned about the security risks as long as their employees use chat services wisely.”
Using chat services wisely. Agreed! When it comes to IP, take care to keep it safe. So, which of those 6 is the most secure chat platform? Can we rank them? Let’s find out.
SLACK & MICROSOFT TEAMS—The Bitglass Blog put together a review of Slack’s security vs. Microsoft Teams’.
Microsoft Teams vs Slack Security – The Bitglass Blog
They’ve done their homework; it’s definitely worth a read.
Slack and MS Teams are pretty much neck-and-neck in terms of their security. Teams has greater regulatory compliance, but Slack already delivers on at-rest and in-transit encryption. Adding external users is a risk on both services.
This of course makes me happy! I like seeing Slack and Teams in competition…like iron sharpening iron, they should continue to make each other better. That they both have good security on their chats is yet another benefit to users.
(I talked before about Slack and MS Teams – when it was called Skype Teams – back in October.)
Persistent Chat is a server within Skype for Business Server, and uses SQL Server for its database. Hardening the SQL Server and configuring security on the Windows Server on which Persistent Chat runs will provide high-grade security for the chats.
In addition, a Persistent Chat administrator controls memberships, file uploads, and the domains from which users can join. There’s a lot of granular control. It’s safe to say that if you’ve secured your Skype for Business Server, your Persistent Chat rooms are pretty darn private.
Now, what about the others?
The Other Three: HipChat, Google Hangouts, Workplace by Facebook
HIPCHAT—HipChat is run by Atlassian, makers of Jira and Confluence. Their Security of HipChat page indicates 256-bit SSL encryption on your chats & files. It even tells you where HipChat hosts its data – on Amazon Web Services, which employs its own security.
However, HipChat has had a couple issues. In 2015, hackers stole usernames & passwords from HipChat. Atlassian responded with fixes of course.
But in February 2016, a Redditor pointed out a HipChat flaw with downloading files if you have a link, without logging into HipChat. I haven’t used HipChat much, so I don’t want to disparage it, but I am left a little uncertain on its security after reading these accounts.
GOOGLE HANGOUTS—Okay, let’s talk Google. The search giant is famous for collecting data on its users. But it tries to maintain their privacy, at the same time. Hangouts uses encryption to protect your chats and files.
A few things I note on this page:
- Direct peer-to-peer. Good; cuts down on overhead and helps keep the chat private.
- 128-bit encryption. Not 256-bit like HipChat. You’d think Google would go higher on its encryption level…
- No mention of end-to-end encryption like Slack and Microsoft Teams. In fact, Google avoided the question when asked in May 2015.
Verdict: Google Hangouts is convenient and fun to use. But it’s not the most secure business chat option.
The Workplace app does almost exactly the same things as Microsoft Teams and Slack: chat rooms, groups, external users, video, etc. It’s just made by the Facebook team. Pricing is cheaper than Slack, which makes sense if Workplace wants to grab users from other platforms.
Some good (and bad) points:
- Workplace accounts are different from Facebook accounts. That’s good; separating work and play means better privacy overall.
- Workplace has a Trust Center posted, like Office 365: Workplace Trust Principles. Good for you guys!
- Workplace debuts with a handicap though—Facebook’s dubious privacy practices. It’s a separate system, but Workplace does run off Facebook’s servers. Some businesses will shy away on reputation alone (and I can’t honestly blame them).
It’s too soon to tell what kind of adoption Workplace gets. As such, I don’t want to say this is a good or bad choice in terms of security. It looks like they’re doing all the right things security-wise…but we’ll have to see how it unfolds.
The People Side of Chat: Use a Secure Business Chat App, but Exercise Caution All the Same
From all this, we can conclude that “the Big Three” are pretty secure chat apps. “The Other Three” do take some security steps, but using them may risk your business’ intellectual property. If security is a big concern, stick with the “Big Three.”
Even on secure chat apps though, prudence is called for. There’s the technical side of security, and the people side. As a good security practice, you should only share sensitive data over channels you know are secure. And only when it’s necessary.
Enjoy Business Chat Apps Responsibly!
Readers know I’m a big advocate for group chat. It’s fast, easy, nobody gets bothered by a phone ringing, no participant limit, and there’s a record for conversations.
So long as that record, and all files sent to colleagues within the chat app, are kept secure. It’s easy to presume security, and chat with everybody on the team as if it’s always there. It’s not so easy to verify security after the fact.
Which business chat app do you use? Why that one? Please comment or email your thoughts. I would hope that none of my readers have ever experienced a security breach due to a chat app…but if you have, I’d like to hear your account too.