The inconvenient truth about TikTok

Nadir Izrael at Armis explains why business leaders shouldn’t ignore the dangers of TikTok

In the time it takes you to read this article, roughly another 10,000 people will download TikTok. Just how popular is the video sharing social media app? Consider:

TikTok is the fastest-growing social media platform to date, reaching the 1 billion user milestone in September 2021, just four years after its launch. By contrast, it took Facebook and Instagram twice as long to hit that landmark.

TikTok was the most downloaded app last year, and the average user — predominantly members of Generation Z — spends more than an hour and a half on it each day.

Best known for its viral dance videos, TikTok is growing as a marketing and e-commerce platform. Not only that, but in just two years, the share of US adults who say they regularly get news from TikTok has more than tripled, from 3 percent in 2020 to 10 percent in 2022, according to the Pew Research Center.

Of course, this runaway growth is only half of the TikTok story. The other half is TikTok’s emergence as a geopolitical hot button because of its connection to China. This is an unprecedented combination — a massively successful app that could pose national security threats from a foreign nation.

Unfortunately, however, few companies striving to protect their computer networks are paying enough attention to the TikTok risk.

So far, TikTok — owned by Beijing-based tech firm ByteDance — has mostly come under fire outside the private sector. The U.S. government told its federal agencies in February that they had 30 days to delete the service from government devices. Fourteen U.S. states have banned the app on government-issued devices, while the state of Montana has gone as far as to ban the app on personal devices.

Other countries and government bodies that have enacted similar prohibitions include Britain and its Parliament, Canada, France, and the executive arm of the European Union. India outlawed the app altogether in 2020. Some U.S. universities also have blocked TikTok from campus Wi-Fi networks or discouraged its use.

Despite all that action, my conversations with business leaders suggest that concerns about TikTok as a trojan horse for Chinese-led cyber-security threats and spying are barely registering on the corporate agenda. In their view, TikTok is a geopolitical issue for the government to tackle rather than something they need to worry much about.

I think this casual attitude is a mistake, for a few important reasons.

The threat is real and must be taken seriously

Fact: The Chinese government by law can force Chinese companies to provide user data, such as location information, for intelligence-gathering operations. As columnist Ezra Klein wrote in The New York Times, “Chinese companies are vulnerable to the whims and the will of the Chinese government. There is no possible ambiguity on this point.”

Fact: Hacker groups linked to China have been responsible for several of the most notorious cyber-attacks to hit the U.S. in recent years, including the Equifax breach in 2017, the 2021 assault on six state governments’ computer networks, an attack the same year on Microsoft Exchange servers that affected more than 30,000 organisations worldwide, and the theft of trillions in intellectual property from about 30 multinational companies in the manufacturing, energy, and pharmaceutical sectors.

“The Chinese government — officially known as the People’s Republic of China (PRC) — engages in malicious cyber activities to pursue its national interests,” the U.S. Cybersecurity and Infrastructure Security Agency has warned.

It seems a bit strange to single out TikTok for collecting user data when US tech giants like Facebook and Google have been castigated for their invasive practices in recent years. But if we’re really being honest with ourselves, it’s impossible to ignore the China factor. And it’s naïve to think China, if it saw reason to, wouldn’t exploit a tool that’s on millions of phones, and would be able to do easily.

The computing environment: ripe for exploitation

Given the app’s popularity, it’s a safe bet that a lot of people at work have TikTok on their phones or other devices. And there’s no doubt they’re using it — according to the careers site Zippia, 77 percent of workers use social media at work.

And in an age when most employees use the same devices for both work and personal tasks, corporate networks are exposed to attacks launched from these devices like never before.

Meanwhile, businesses are increasingly relying on a variety of connected devices, often linked to their vital data and infrastructure. According to Statista, for example, the number of Internet of Things devices worldwide is expected to reach 75.44 billion by 2025, up from 26.66 billion in 2019.

This explosion of connected assets in a range of industries from healthcare to financial services to manufacturing is adding a layer of complexity for business leaders already unsure of where TikTok is in their environment.

The bottom line is that cyber-attackers can use TikTok on someone’s phone as a jumping off point to many other areas within the organisation and create enormous damage. It would be reckless not to recognise this as a real business risk.

Awareness of the TikTok threat

Awareness of the Tik Tok cyber-threat can strengthen an organisation’s overall cyber-security posture.

Even before TikTok, organisations faced huge challenges seeing, securing, protecting and managing all the assets mushrooming across their enterprises, expanding the attack surface — not only keeping an accurate inventory but understanding context about these assets and any vulnerabilities potentially introducing risk to the organisation.

There are many questions they have to ask: Where are they? What are they doing and is this behaviour outside of any baseline norms? Are they running business critical applications or services? What other global networks are these connected assets potentially communicating with?

Obtaining the right amount of contextual intelligence is essential for companies to fully comprehend their attack surface and assess potential risks and vulnerabilities.

Where TikTok is concerned, this level of understanding can be invaluable in removing the app from key assets, monitoring for unusual activity, retaining network metadata related to TikTok for possible investigation, reporting device name, IP, and location, and planning for any necessary remediation.

This kind of real-time visibility and monitoring can help defend against attacks leveraging TikTok, enabling an organisation to quickly identify all kinds of potential risks to the attack surface and take action to mitigate them.

That’s a very good thing. In this way, TikTok shines a light on the need for asset intelligence cyber-security, presenting an opportunity for companies to shore up their cyber-security defences overall.

As these three points show, proactive risk management makes a ton of sense in the age of TikTok. Is TikTok a ticking time bomb? Only time will tell. But with cyber-warfare attacks on the rise, business leaders cannot ignore its potential risks and should act now to protect against them.

Nadir Izrael is co-founder and CTO of Armis, the asset intelligence cyber-security company

Main image courtesy of iStockPhoto.com and Goodboy Picture Company