Is your access management system staying current with emerging risks? For example, your current framework may permit employees to use tools like TikTok and WeChat. These social media platforms have recently exploded in popularity. However, they pose major security questions, especially in the United States.
Why Are There Security Questions Concerning TikTok and WeChat?
The U.S. government has caused many to question the security of these platforms. Specifically, recent Presidential executive orders have targeted these applications. In August 2020, the White House published an executive order which described TikTok in the following terms:
“At this time, action must be taken to address the threat posed by one mobile application, in particular, TikTok. TikTok, a video-sharing mobile application owned by the Chinese company ByteDance Ltd., has reportedly been downloaded over 175 million times in the United States… This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”
There are still questions about whether the statements in the executive order can be verified. Nonetheless, many companies have little desire to act against an executive order, especially if they do business with the government. Since the executive orders, there has been discussion that American companies such as Oracle may acquire the U.S. operations of TikTok. Government restrictions against WeChat have also recently begun. In September 2020, the Justice Department asked a judge to allow the U.S. to bar WeChat from U.S. app stores.
While legal proceedings continue, the outcome for WeChat and TikTok in the United States remains uncertain. Notwithstanding those developments, there are important lessons we can draw from TikTok and WeChat.
Access Management and IT Security Lessons To Draw From The Controversy
Most social media platforms are designed to collect large amounts of data on their users. Because these companies collect such large volumes of data, we need to ask whether they maintain adequate safeguards for it. If your company uses or permits access through social media login (e.g., Facebook authentication), it may be time to question those arrangements. Fundamentally, these companies are structured to provide personal data to advertisers. Continued use of social media platforms inside your company, especially for authentication, poses unacceptable risks.
On a broader level, the WeChat and TikTok affair reminds us that the digital economy and tools still operate in the real world. Governments have the power to restrict, ban or otherwise exert influence on digital tools. Therefore, you may want to reassess whether or not your company’s policies align with the U.S. government’s position. Departures from government expectations on IT security are particularly important if your company has contracts with government entities.
You can also take an IT security risk assessment lesson from the WeChat and TikTok affair. When you update your access management system and supporting policies, those decisions need to be grounded in the facts. If you cannot get meaningful technical answers regarding how data is managed and protected, how can you develop a meaningful risk assessment? The U.S. government has made some troubling allegations that the Chinese government may attempt to leverage data on U.S. users to achieve goals such as corporate espionage.
Revisiting The Design of Your Access Management System Using The News
When you see a major IT security event in the media, it is a good reminder that the IT security environment is continuously evolving. If you are going to keep your company’s confidential data safe, use the following process.
1. Gather the IT security facts
When an IT security incident hits the news, it is natural to become alarmed right away. You might see scary numbers like millions of accounts suffering data loss. Indeed, those numbers are frightening. However, it is essential to read these reports with a critical attitude. Gather information from multiple sources and then review the facts available. You may find that the initial reports on the IT security scandal are light on the facts and heavy on speculation. To mitigate this tendency, give yourself a few days or weeks to complete this step.
2. Analyze the direct and indirect risks to your organization
Let’s assume you are analyzing the risk of WeChat and TikTok to your company. After a quick discussion with your network security department, you find that you already block these applications. In that case, the direct IT security risk to your company would be low. That said, you may still face indirect risks. To reduce those further, you could update your IT security policies and employee password training to point out the concerns specific to these applications.
3. Evaluate your access management system’s capabilities
Some departments of your company, like sales and marketing, may request an exemption from social media bans. If they are using these tools to grow the business, granting an exemption may be reasonable. To safeguard against any remaining risks, use access management system protections to reduce them. For example, apply multi-factor authentication to protect essential systems. This might also be an excellent opportunity to introduce biometric authentication for certain sensitive parts of the company.
4. Obtain an independent perspective on your access management system
When you are deep in the details of managing passwords, user accounts and access, you may become accustomed to your company’s access flaws. There is a way to get an independent view of your IT security controls without signing up for a six-month IT security consulting project. Ask your IT compliance team to use Compliance Auditor to review your current configuration and report back on any gaps. If your company does not have an IT security compliance team or auditors, you may need external assistance.
5. Execute the improvement
By this point, you have extensively analyzed the new IT security threats and identified areas for improvement. Now, it is time to get down to work. Ask IT to implement the changes. If the changes are more complex, appoint a project manager to lead the work effort. Please help them create a business case for any new software that may be needed.