Disney’s Slack breach tells an important story

Steve Loynes -

News of Disney’s alleged Slack breach shows what can happen when organisations trust centralised communications platforms that don’t use end-to-end encryption; if an attacker gets inside, they have access to everything. By contrast, in an end-to-end encrypted system, data is instead only accessible by specific cryptographically identified users and their devices.

Hopefully the master storyteller can help organisations learn that relying on popular but insecure platforms is a catastrophic risk. There’s an endemic flow of logic within corporate IT, stemming from the old cliché that no one ever got fired for buying IBM, that sees people trust Big Brand tech, even when it’s provenly outdated.

Let’s take the analyst house Forrester, for example. Slack and Microsoft Teams are not even considered for inclusion in The Forrester Wave: Secure Communications, Q3 2022 report as they fail to protect communications with end-to-end encryption.

Responsible organisations need to ensure that their communications platforms are as secure as possible, and that starts with addressing the weaknesses of the status quo.

Communications need a Cinderella transformation

Organisations are increasingly aware of the need to overhaul their communications platforms. Last year, Element commissioned a Forrester Consulting study looking at The Future of Secure Communications.  

It shows that end-to-end encryption, along with high availability, is the most highly valued capability for a new communications platform. Data sovereignty is also seen as critical - meaning the ability to self-host a communications platform - which is of course counter to the status quo of centralised vendor-controlled SaaS systems such as Slack and Teams

Data-hungry products like Slack and Teams have a fundamental problem if they try to retrospectively add in end-to-end encryption, given their products are built entirely around the assumption that the platform vendor can read all of your conversations - e.g. to train its AI on your direct messages. Instead, users have no choice but to look for Secure Communication Solutions which were built to be end-to-end encrypted from the outset.

As details of the attack on Disney emerge, there will doubtless be further learnings. But what’s already clear is that traditional collaboration tools are no longer fit for purpose.

Our advice would be to invest in decentralised, end-to-end encrypted communications to ensure there’s no sequel.