At the start of April, the Australian government banned TikTok from all federal government-owned devices, citing security concerns.
Similar policies have already been adopted by the United States, Canada, New Zealand and many European nations, while India banned TikTok – and several other Chinese-owned apps – in 2020. Some private companies are already following suit, with Sky News Australia announcing that it would boycott the platform.
Many businesses are asking themselves a host of questions about TikTok usage, like:
- If we have an official presence on TikTok, should it be shut down?
- Should the app be limited on company-owned devices?
- Can it continue to run on personal devices that are used for business?
- Should we update our device and social media policies?
- If our business sits outside the government sector, should we even be concerned?
Why governments are worried about TikTok
TikTok was launched in 2017 as an international version of the Chinese short-video sharing app Douyin. Its popularity surged like almost no app before it: by 2021 it was the most visited website in the world. It may no longer be the newest kid on the block, but its reach in Australia continues to rise, with users scrolling the app for an average of 23.4 hours per month in 2022, a rise of 40% year on year.
Worries about the platform for most users may be limited to trying out tips that don't work (chicken poached in flu medicine, anyone?) or a few wasted hours on their phone screen. More serious data concerns stem from the fact that TikTok's parent company, ByteDance, as well as much of its infrastructure, is based in China. That puts ByteDance under the 2017 Chinese National Intelligence Law, which states that "any organisation or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law." The obligation attaches to the company, not to the physical location of its servers, which is why pledges to store data abroad do not by themselves settle the question.
China could be stealing your data and credentials
The law means any data held by TikTok is, in theory, accessible to the Chinese government. And TikTok collects a lot of data, including your name, date of birth, email, device details, IP address, browsing history, keystroke patterns, wireless connections and geolocation. That's before you even get to data potentially collected through single sign-on (SSO), such as contacts and relationship status, and the posts individuals create and view. Some lawsuits claim that TikTok also collects biometric data, including facial geometry, iris scans and fingerprints.
That's bad news for Australia, which has troubles of its own with China. The country has already been hit by Chinese cyberattacks, with health and defence agencies and media companies all targeted in 2022. TikTok could be used to harvest data for targeted social engineering attacks by state-linked groups, to collect credentials and biometrics that might give attackers direct access to data or funds, to spy on individuals, and to shape public opinion by pushing certain kinds of content.
But is TikTok really a threat to your business?
The risk posed by TikTok depends on who you ask. Announcing its boycott, Sky News took an apocalyptic tone, warning of a "spy network masquerading as a social media platform". In a hearing before the US Congress, TikTok CEO Shou Zi Chew denied the app was "an agent of China" and underlined a promise to move US user data to servers in Texas. Yet an outright ban of the app in several countries appears to be inching closer.
While the authorities consider their next move, it's worth reviewing TikTok's risks in context. Despite plenty of digging, there is no public evidence that TikTok has handed user data to the Chinese government, although ByteDance admitted in December 2022 that China-based employees had accessed the TikTok data of journalists while hunting for the source of leaks. And TikTok is not the only app to collect large amounts of personal data (and be coy about how it is used).
Some argue that the biggest difference between it and Google, Amazon, Meta and Microsoft is that these four tech giants are US-owned. “The noise the Americans are making about TikTok,” says Australian researcher Asher Wolf, “must be seen less as a sincere desire to protect citizens from surveillance and influence operations, and more as an attempt to ring-fence and consolidate national control over social media.”
Protecting your data from TikTok – and the others
None of this means that US-owned apps represent the same risk to Australian companies as TikTok. The current geopolitical situation means that Chinese-linked groups should be considered a real threat, especially to organisations operating critical infrastructure.
But risk from key third-party platforms extends far beyond TikTok, and companies should assess their policies and reduce their attack surface across the board. Key steps include:
- Assess risks from TikTok and other third-party apps, ideally as part of a wider analysis of your assets and the threat landscape.
- Choose which apps to blacklist (block a named set of apps, allowing everything else) or whitelist (block all unapproved apps by default, allowing only a named set). Apps can be blocked by category or by infrastructure attributes such as IP addresses and domain names.
- Set up multi-factor authentication (MFA) for every social media platform to reduce the risk of hijacked accounts.
- Monitor official accounts and set up a clear process for revoking access and recovering hijacked accounts.
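A small worked example of the blocking step, added here as illustration rather than taken from the article or any vendor product: a default-deny (whitelist) or default-allow (blacklist) policy evaluated against domain names and IP addresses. The domain entries and the 203.0.113.0/24 range are constructed for the example (203.0.113.0/24 is a documentation range, not any app's real address space). The point it shows is the edge case that bites in practice: a blocked domain must also cover its subdomains (www.tiktok.com) without catching look-alikes (nottiktok.com), and IP entries must be matched as networks, not as text.

```python
"""Default-deny / default-allow egress policy check by domain suffix and CIDR.

Added example, not part of the original article. Domain and network
entries are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    # "whitelist": allow only listed entries; "blacklist": block only listed entries
    mode: str
    domains: set[str] = field(default_factory=set)
    networks: list = field(default_factory=list)  # ipaddress network objects

    @classmethod
    def build(cls, mode: str, domains=(), cidrs=()) -> "Policy":
        return cls(
            mode=mode,
            domains={d.lower().rstrip(".") for d in domains},
            networks=[ipaddress.ip_network(c, strict=False) for c in cidrs],
        )

    def _domain_listed(self, host: str) -> bool:
        # Walk up the label tree: www.tiktok.com -> tiktok.com -> com.
        # Matching whole labels (not substrings) is what keeps
        # "nottiktok.com" from matching an entry for "tiktok.com".
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def _ip_listed(self, ip_text: str) -> bool:
        try:
            ip = ipaddress.ip_address(ip_text)  # handles IPv4 and IPv6
        except ValueError:
            return False
        return any(ip in net for net in self.networks)

    def allows(self, host: str | None = None, ip: str | None = None) -> bool:
        listed = (host is not None and self._domain_listed(host)) or (
            ip is not None and self._ip_listed(ip)
        )
        if self.mode == "whitelist":
            return listed          # default deny
        if self.mode == "blacklist":
            return not listed      # default allow
        raise ValueError(f"unknown policy mode {self.mode!r}")


def naive_blocked(host: str, patterns) -> bool:
    """The tempting but wrong version: plain substring matching.

    Kept only to show the false positive on look-alike domains."""
    return any(p in host.lower() for p in patterns)


# Constructed policy: block TikTok's web domains and one (documentation) network.
BLACKLIST = Policy.build(
    "blacklist",
    domains=["tiktok.com", "tiktokcdn.com"],
    cidrs=["203.0.113.0/24"],  # constructed range, not a real TikTok address block
)

# Constructed default-deny policy for a managed device that may only reach corp services.
WHITELIST = Policy.build("whitelist", domains=["corp.example"])


if __name__ == "__main__":
    for host in ("www.tiktok.com", "nottiktok.com", "cdn.tiktokcdn.com.", "example.com"):
        print(f"{host:24s} blacklist allows={BLACKLIST.allows(host=host)}  "
              f"naive blocked={naive_blocked(host, ['tiktok.com'])}")
    for ip in ("203.0.113.77", "203.0.114.1", "not-an-ip"):
        print(f"{ip:24s} blacklist allows={BLACKLIST.allows(ip=ip)}")
    print("whitelist mail.corp.example:", WHITELIST.allows(host="mail.corp.example"))
    print("whitelist www.tiktok.com:   ", WHITELIST.allows(host="www.tiktok.com"))
```

Whichever mode you pick, feed the same evaluator to DNS filtering and to the egress firewall so the two cannot drift apart, and remember that a category or domain block on the corporate network does nothing for an app on a personal phone using its own mobile data, which is where device policy rather than network policy has to carry the load.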
TikTok may be a threat - but it’s just one of many for organisations to prepare for
Is TikTok a unique cyber risk to your organisation? CISOs should look to their own processes and defences, but the answer will often be "no", and the bans on TikTok may or may not prove to be justified. Yet any data-hungry third-party app used by your business or your employees represents a risk, and one run out of China doubly so. Device policies and social media guidelines are key tools to manage this danger, as well as whatever viral platform comes for our attention spans next.