Slack for Security - How to Make Security Announcements in Slack

Travis Good
June 15, 2022

Slack is great for announcements. Announcements are used so frequently that Slack built features specifically to make announcements better for admins and for users.

The way the Slack feature works is that you can limit who can post to a channel. This means you reduce the message noise in the channel by having all posts sent by admins. It’s a cool feature that works as intended. But there are features that could make security announcements in Slack even better.

Why are security announcements important?

Cybersecurity is dynamic. There are new threats, vulnerabilities, and scams every week. It’s hard for security professionals to keep up with everything. It’s impossible for employees at your company to keep up. Security announcements are a good and easy first step toward security engagement.

Security teams should communicate new cybersecurity issues to employees on a regular basis. Slack is a great place for this since employees work in Slack all the time and the deliverability is 100%, unlike email.

Consistent communication builds a bridge between employees and your security team. This connection builds a security mindset into your culture. And a security mindset reduces the risk of employees falling victim to cyber attacks and scams.

What are some examples of security announcements?

For certain threats and vulnerabilities, tools can automate away the risk. Email software can block new known threats before they reach inboxes and anti-virus software can detect new viruses before they are installed and spread.

But, you can’t automate away the social engineering attacks that prey on human nature. Social engineering attacks are increasingly common and result in the vast majority of security incidents and breaches.

For social engineering attacks, announcements are a means to engage and educate employees, reducing the risk of them becoming a victim.

Below are some examples of security announcements:

  • New social media scams (think LinkedIn)
  • Innovations in malicious data collection (using chatbots instead of webforms)
  • Recently discovered vishing or smishing subjects (Google AdWords scams)
  • Smartphone vulnerabilities (especially when employees control their smartphone software)

What makes a good security announcement?

Security announcements are important. The way they are crafted matters. A good security announcement has the following characteristics:

  • Context. If you want a message to be memorable, it has to be delivered in the context of the employee's work. Slack goes a long way to solving this challenge.
  • Brevity. Every employee is inundated with more messages and information than they can process. For better or worse, we are all competing for our employees' attention. Don’t waste words. Use the minimum necessary amount of content to get the message across.
  • Focus. Just cover one thing. Don’t bloat a security announcement with any fluff or unrelated material.
  • Engagement. Ideally, announcements are not 100% one-way in nature. Slack’s announcement feature allows for emoji reactions and threaded comments, which help engage employees and cement the message. Asking questions, even simple ones, that reiterate the announcement material is a great way to engage employees.
  • Measurement. Measuring the results, however you define them, for security announcements is the single best way to improve them over time.

How to leverage Slack for security announcements

Using the built-in Slack announcements functionality, simply create a #security-announcements (or whatever name) channel and add users that can post to the channel. Once you’ve crafted your first security announcement using some of the techniques above, simply tag @all or whatever specific Slack members or groups you want to see the message.

The challenge of announcements in Slack is the signal-to-noise ratio. Specifically, it’s the Slack channel signal-to-noise ratio. Each group, including security, can create a dedicated announcement channel per the Slack link above. The issue is the limited value of these dedicated announcement channels if the only purpose is announcements and those announcements are not frequent enough to be a part of weekly work. Oftentimes these announcements don’t get read or don’t get any engagement, defeating the goal of creating them.

The Haekka approach to security announcements in Slack

We believe that employees need to connect to security teams and that security teams need to connect to employees. Haekka creates this connection, acting as an employee security HQ in Slack. Annual security awareness training, weekly Streams of curated content, ad hoc announcements, employee security surveys, games and more have one home in Slack with Haekka.

With Haekka, announcements are simple to craft, flexible in how they are assigned, and instant to deliver. Adding formatting, emojis, and videos is a breeze. Create and save drafts. Schedule for later or on a recurring basis. And you can add as many questions as you want to each announcement.

Below is an example announcement delivered in Slack via Haekka. These announcements are called Engagement in Haekka.

[Image: A Security Engagement using Haekka]

Haekka measures engagement and results so you have the metrics you need to assess the effectiveness of your security announcements and integrate with your existing security tooling.

---

This is the first post of a series about all the things security teams can do with Slack. Slack is a great home for security information, announcements, training, and feedback.

Our mission at Haekka is to make Slack even better by creating a security HQ in Slack that centralizes information and provides a direct connection between employees, security teams, and security knowledge. Schedule a demo if you want to see Haekka in action.