Public and would-be public companies are required to list the risks they face so investors are fully informed about what could happen to their money. Pre-IPO companies in particular offer lengthy recitations of what could go wrong that are usually restricted to things like “failing to attract customers” or “fluctuations in foreign currency exchange rates.”
Companies about to join the adult table may also list “government regulations” or “litigation” as threats to financial health, but it’s highly unusual to see companies list cybersecurity risks as something that could impact investors. In fact Slack may be the first to be so detailed in their April pre-IPO disclosure:
“A security incident may allow unauthorized access to our systems, networks, or data or the data of organizations on Slack, harm our reputation, create additional liability, and harm our financial results.”
That’s just the headline of one enumerated risk. It gets more interesting as you read the details:
“…we also face threats from sophisticated organized crime, nation-state, and nation-state supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risks to Slack, our internal systems and our partners’ systems, as well as the systems of organizations on Slack and the information that they store and process.”
In the same filing, Slack acknowledged what every InfoSec professional already knows: customers (and employees) are a risk, too.
“Users or organizations on Slack may also disclose or lose control of their API keys, secrets, or passwords, or use the same or similar secrets or passwords on third parties’ systems, which could lead to unauthorized access to their accounts and data within Slack…”
That is an extraordinary disclosure statement. Slack, which has become one of the leading collaboration tools used by teams, makes security one of the critical components of its brand and invests heavily in security.
But, it’s also a smart move on Slack’s part to acknowledge that they are a target for sophisticated attacks which may seek to use Slack as a gateway to their highly prized customer’s data. Slack is acknowledging that attacks come from highly advanced, well resourced, and organized groups.
Even the best security backed by leading practices does not eliminate the threat from determined attackers. For Slack to make such a bold statement, it ups the ante for all companies that face the same danger to varying degrees.