Bart Holzer

Tennessee is one of several states banning social media giant TikTok on government networks.

The Post recently spoke to Bart Holzer, fractional chief information security officer at Affinity Technology Partners, about the possible risks facing governments and businesses, especially related to TikTok.


Is TikTok actually a security risk for businesses? 

Any application or service outside the control or monitoring of an organization that is used by employees is a security risk. TikTok is just one of many social media apps that allow for tracking and recording of users. To allow the installation of such an app on a corporate device creates unnecessary exposure for the organization. The exposure is relative: Businesses with valuable intellectual property have a much higher risk from unmanaged apps.

An app as a security risk to a business highlights the need for organizations to decide on their BYOD policy. “Bring Your Own Device” is the concept that an employee uses a personal computer or, more commonly, a cell phone for work purposes. There are some security techniques that allow an organization to limit the exposure of BYOD — deleting a work profile from a cell phone when an employee retires is one example. But to have total control over a cell phone implies that the device is the property of the organization and is provided to an employee. Purchasing cell phones for employees involves hardware costs and subscription fees, but enterprise businesses need to assess the risk and make a business decision to elevate their security posture to that level. Small- and medium-size companies should consider developing a BYOD program and providing corporate cell phones to executives, as a start.

Compared to government entities, why would a business in Tennessee be a target for social media-related attacks? 

Social media is a threat to businesses because it provides a direct connection between employees and cyber criminals. As an effective tool in the cyber criminal’s toolkit, social media is used to prepare for social engineering fraud and business account compromise. Additional criminal activity occurs once a business account is hijacked, whether it is theft of intellectual property, redirection of funds or use of compromised accounts to target additional victims. Small-to-medium-size companies should recognize their value to criminals both monetarily and as part of a larger supply chain — sometimes the ultimate target is a customer of the initial victim.

How should individuals assess their own risks related to TikTok or other social media? 

Personal security should be considered when assessing social media apps and services, and it should include one’s own safety and the safety of one’s family — particularly underaged children. Social media can reveal personal information that can be collated into an extensive profile of an individual or family, including pattern of life, wealth status and security posture. Consider the information you post online. Does it reveal when you are on vacation? Do your posts show what your house looks like, which neighborhood you live in, where your kids go to school and more? Do the apps you use tend to protect or share this type of information by default?

Should other government entities (major cities like Nashville, for example) institute TikTok bans like those enacted by several states, or is that more of a PR move? 

Public announcements around banning TikTok for use at the state, county or city level are, simply put, a PR stunt. All organizations should have a social media usage policy that includes a list of approved apps or, conversely, a list of excluded apps. Adding a social media app to an organization’s policy is not worthy of media attention. Given its popularity at one billion users and alleged ties to a Communist regime, banning TikTok became a way for some politicians to draw attention to themselves. In the state of Tennessee, TikTok was added to a list of restricted apps … none of which has received media coverage, until now. Should Nashville ban TikTok on city-owned devices? That’s a question for the city’s CIO and CISO to answer in their roles as heads of Metro’s information security management program.