While the recent ban of TikTok in the US appears to be short-lived, there is a lot for MSPs to learn in the events that unfolded. Despite hitting ‘Ctrl+Z’ on the decision just a few hours later, the impact was felt across a wide range of demographics, with Small-Business Owners being a significant cohort. While this was a matter of public discourse for months, it has become clear that most were not prepared for the knock-on effects that would occur if a ban was actually implemented.
The ability to anticipate, evaluate and mitigate risk in events like these would have been quite useful, and that is the through-line that ultimately connects MSPs to the event. This is yet another example of the importance of origin when it comes to hardware and software. The trend began with a ban on Huawei components in 2019, continued with the Commerce Department’s ban of Kaspersky in 2024, and has now put major hardware brands such as TP-Link under the microscope. While TikTok may be a more consumer-centric attack vector that at first glance seems out of scope, it reinforces the idea that safe procurement of hardware and software is a problem for Small Businesses and therefore a legitimate opportunity for MSPs to demonstrate their value.
To help unpack all of these events and the lessons therein, I called on Jesse Miller, Founder of PowerPSA Consulting and the PowerGRYD vCISO community. He has spent the last few years helping MSPs take this very stance with their customers and is on the front-line of risk management when it comes to SMB technology.
Supply Chain Redundancy
While security is at the forefront of this discussion, there is also the matter of redundancy. The widely popular video editing app CapCut is a prime example of this. Given that the app is also owned by TikTok’s parent, ByteDance, it was also blocked and removed from app stores when the ban went into effect. This left SMB creatives searching for alternatives, many of whom had no idea that the software they were using for commercial purposes was linked to foreign adversaries. As Jesse Miller explained, MSPs should ask themselves, “What are the critical business applications in the customer’s organization, what do those rely on, and what supply chain factors are contingent for those to operate? Can we identify weak points and create redundancy for those weak points?”
He went on to say, “If you want to be a strategic partner for your client, you’ve got to think like one of their executives. How would their executives approach this? How can I leverage technology to protect or provide redundancy for my supply chain? This is also part of the new security perimeter. The quicker you can address it with pragmatic solutions for your clients, the better.” Miller also offered a great example of how to handle the CapCut situation. Rather than continuing to use that product as soon as the ban is lifted, MSPs can recommend a more vetted solution (such as Adobe Premiere) and help them procure the licensing and training necessary to implement it.
Procurement-as-a-Service
Whether it is to create redundancy or to mitigate security risks, procurement is at the center of all of this. As MSPs, it’s easy to look at a client’s tech stack only through the lens of what you provide. In reality, there are many more digital products, services, apps, and websites that these customers interact with on a daily basis. If left unchecked, a company can quickly find itself adopting solutions it never intended to, and it is then met with consequences it never anticipated. The reality is that most of these small businesses are neither willing nor able to implement the controls necessary for a healthy procurement process.
The viable conclusion here is that a third party is required and MSPs fit all the criteria. The problem is that with procurement comes responsibility. MSPs who deployed Kaspersky to their customers learned this the hard way, as they had to explain to their customers why they failed to foresee the ban or assumed that the products were safe to use. Now amplify this many apps over with tons of different use cases and you can see how much liability this procurement-as-a-service model creates. MSPs must establish clear boundaries as to what has been vetted to policy, and what solutions can be chalked up as shadow IT and risk-managed appropriately.
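The questions Miller poses (what is critical, what does it rely on, where are the weak points) and the vetted-versus-shadow-IT boundary described above can be turned into a small inventory model. The following is an added example, not code from the article or from PowerPSA Consulting; the inventory, the ownership links and the client names are constructed, and the ownership of CapCut by ByteDance mirrors the case in the text. Given an application inventory, it lists everything that goes dark when a parent company is blocked, the critical apps that have no usable vetted alternative, and the unvetted apps that should be risk-managed as shadow IT.

```python
"""Supply-chain dependency mapping for a small-business app inventory.

Constructed example: each business application is recorded with its vendor,
the vendor's ultimate parent, whether it is critical, whether it has been
vetted against the procurement policy, and any vetted alternatives.
"""
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    vendor: str
    parent: str            # ultimate owner of the vendor
    critical: bool         # used for a critical business function?
    vetted: bool           # reviewed against the procurement policy?
    alternatives: list = field(default_factory=list)  # fallback products


# Constructed inventory (hypothetical client); ownership links for TikTok and
# CapCut mirror the example in the article.
INVENTORY = [
    App("TikTok", "TikTok Ltd", "ByteDance", critical=True, vetted=False),
    App("CapCut", "ByteDance", "ByteDance", critical=True, vetted=False,
        alternatives=["Adobe Premiere"]),
    App("Adobe Premiere", "Adobe", "Adobe", critical=False, vetted=True),
    App("Slack", "Salesforce", "Salesforce", critical=True, vetted=True,
        alternatives=["Microsoft Teams"]),
    App("Microsoft Teams", "Microsoft", "Microsoft", critical=True, vetted=True),
    App("RandomPDFTool", "Unknown", "Unknown", critical=False, vetted=False),
]


def affected_by_ban(inventory, blocked_parent):
    """Every app whose vendor or parent company is the blocked entity."""
    return [a.name for a in inventory
            if blocked_parent in (a.vendor, a.parent)]


def weak_points(inventory, blocked_parent):
    """Critical apps that would go dark with no usable vetted alternative.

    An alternative only counts if it is in the inventory, has been vetted,
    and is not itself affected by the same ban.
    """
    by_name = {a.name: a for a in inventory}
    affected = set(affected_by_ban(inventory, blocked_parent))
    weak = []
    for app in inventory:
        if app.name not in affected or not app.critical:
            continue
        usable = [alt for alt in app.alternatives
                  if alt in by_name and by_name[alt].vetted
                  and alt not in affected]
        if not usable:
            weak.append(app.name)
    return weak


def shadow_it(inventory):
    """Apps in use that were never vetted: to be risk-managed, not owned."""
    return [a.name for a in inventory if not a.vetted]


if __name__ == "__main__":
    print("Affected by a ByteDance ban:", affected_by_ban(INVENTORY, "ByteDance"))
    print("Weak points:", weak_points(INVENTORY, "ByteDance"))
    print("Shadow IT:", shadow_it(INVENTORY))
```

Run against the constructed inventory, a ByteDance ban takes out both TikTok and CapCut, but only TikTok is reported as a weak point, because CapCut already has a vetted, unaffected alternative on file; the three unvetted apps are the shadow IT the MSP should be explicit about not having vetted.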
Mobile Device Management
When it comes to apps and shadow IT, oversight often comes in the form of Mobile-Device Management using solutions such as Jamf or Intune. As a matter of fact, there are conversations happening at this very moment between MSPs and customers as they assess their exposure to apps like TikTok and CapCut. As for Miller, he encourages MSPs to take a step back when approaching these situations. As he states, “We can use our MDM to pull TikTok off of every device. But have you actually thought about this holistically? Are they using it for critical business functions? Do they have alternatives picked out if needed? Ask questions like: What are you using it for? How often? Is it critical to your business function?”
It is also important to understand the boundaries between what is MDM and what is compliance and risk advisory. Since the former is often bundled together with other services, this nuance can easily get lost and the customer may come to develop misaligned expectations. In an ideal situation, your MSP can offer both and be fairly compensated for it. Jesse Miller suggests that “If you’re bringing mobile device management as part of a program where you help with security strategy—setting policies, managing the right kinds of apps, and enforcing those policies as part of a broader value add—it becomes a tactical enablement and a rinse-and-repeat process that clients appreciate.” This is exactly the kind of leadership and guidance that proves useful in situations such as the TikTok ban.
vCIO vs. vCISO
This balance between basic technology best practice and security, compliance and risk advisory is really the difference between vCIO and vCISO service offerings. During our conversation, Jesse helped me better understand the nuance of these offerings and expressed why segmenting them is so critical. “In this case, what a true vCIO would actually do is align business strategy with solutions, while vCISO services would come in to address risks and ensure security aligns with those strategies.”
When it comes to the initial conversations that arise from the TikTok ban or similar situations, it’s important to understand how to best compartmentalize this. For example, if this suddenly exposes a company’s lack of oversight into employee mobile devices, then the implementation or review of MDM may be a logical next step (and an opportunity for the MSP). When asked what bucket this would fall under, Miller suggests, “that’s more of a vCIO function than a vCISO function. We always talk about how we’re not truly doing vCIO work; it’s account management. A true vCIO program involves taking business strategy, looking at the landscape, and finding the right solutions to help a client strategically improve.”
Doing The Research
While the ban on TikTok was a matter of government intervention, this only occurs in a small number of the most severe cases. As MSPs and trusted advisors, it’s important to do the research and make independent risk decisions, whether it gets political or not. As Jesse puts it, “You can’t just rely on the government. You want to try and read the tea leaves about what’s going on. That means being plugged into different cyber threat feeds or industry conversations. There are so many out there, but even simple things like subscribing to the right ones can make a difference.”
I thought this was a very actionable recommendation and asked him to dig a little deeper. He went on to say, “I would get a Feedly subscription and aggregate feeds that help you better understand the landscape of the supply chain. CrowdStrike, Microsoft, and others have threat feeds, and their threat teams put out blogs and updates that you can subscribe to. You can search for resources like these and build a solid understanding of the current supply chain risks.”
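Subscribing to feeds is only useful if what comes through is matched against the vendors your clients actually depend on. The following is an added example, not code from the article or from any feed provider; it parses an RSS 2.0 document (the sample feed, headlines and client names are constructed, and the links use a reserved `.invalid` domain) and reports which watched vendors or parent companies are mentioned and which clients depend on them. Pointing it at a real feed would mean fetching the XML over HTTPS first, which is left out so the example runs offline.

```python
"""Watch aggregated threat and industry feeds for supply-chain vendors.

Constructed example: parse an RSS feed and flag items that mention a vendor
or parent company from a client watch list, so a ban or breach surfaces
next to the clients that depend on that vendor.
"""
import re
import xml.etree.ElementTree as ET

# Watch list: vendor or parent company -> clients that depend on it (constructed).
WATCH_LIST = {
    "ByteDance": ["Acme Creative"],
    "TP-Link": ["Acme Creative", "Bob's Dental"],
    "Kaspersky": ["Bob's Dental"],
}

# Constructed sample feed; the headlines are illustrative, not real news items.
SAMPLE_RSS = """<rss version="2.0"><channel>
  <item><title>Regulators weigh restrictions on TP-Link routers</title>
        <link>https://example.invalid/1</link>
        <description>Placeholder summary.</description></item>
  <item><title>New phishing campaign targets accounting firms</title>
        <link>https://example.invalid/2</link>
        <description>Placeholder summary.</description></item>
  <item><title>Vendor update: Bytedance-owned apps removed from stores</title>
        <link>https://example.invalid/3</link>
        <description>CapCut and TikTok unavailable in US app stores.</description></item>
</channel></rss>"""


def parse_rss(xml_text):
    """Return (title, link, description) tuples from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append((
            item.findtext("title", default=""),
            item.findtext("link", default=""),
            item.findtext("description", default=""),
        ))
    return items


def match_feed(items, watch_list):
    """Map each mentioned vendor to its dependent clients and matching items.

    Matching is case-insensitive and whole-word, so "Bytedance-owned" matches
    the ByteDance entry but an unrelated longer word does not.
    """
    hits = {}
    for title, link, desc in items:
        text = f"{title} {desc}"
        for vendor, clients in watch_list.items():
            pattern = r"\b" + re.escape(vendor) + r"\b"
            if re.search(pattern, text, re.IGNORECASE):
                hits.setdefault(vendor, {"clients": clients, "items": []})
                hits[vendor]["items"].append((title, link))
    return hits


if __name__ == "__main__":
    for vendor, info in match_feed(parse_rss(SAMPLE_RSS), WATCH_LIST).items():
        print(vendor, "-> affects", ", ".join(info["clients"]))
        for title, link in info["items"]:
            print("   ", title, "|", link)
```

On the sample feed this surfaces the TP-Link and ByteDance items against the clients that use those products, and ignores the phishing story that mentions no watched vendor; Kaspersky produces no hit because nothing in the feed mentions it.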
Community Support
While these resources can help tremendously, it’s just one part of the research puzzle. “It’s not just about journalists and feeds; it’s the community. You get a good idea of what’s actually going on through the community discourse. There are all sorts of Signal groups you can get into, too. Once you’re in that world, you start to get to know people. Reach out, follow people on LinkedIn and Twitter. You’ve got to immerse yourself, start making friends, and ask questions.”
Community ensures that you don’t have to make these customer risk decisions in a vacuum. You can ask other vCIO / vCISO / cybersecurity experts how they are handling any given situation or whether a particular link in the supply chain is truly vulnerable. As a matter of fact, recent questions about the exposure of TP-Link have sparked some healthy debate that may help MSPs better gauge how to address it with customers. It also gives them the confidence to tackle the issues head-on, knowing that they have the community at their back to echo their sentiment.
Owning Your Audience
While most of the conversation to this point has been about risk, it extends all the way to marketing as well. If you read my article on owned audiences last year, you know that I am a fanatic when it comes to list-building strategies. Having spent almost two decades in marketing, I have seen too many people fall victim to the risks of building an audience on someone else’s platform. The recent ban on TikTok was yet another example of this, as millions of creators (many of whom are Small Business Owners) were shut out with no one left to influence. While not many MSPs that I know are marketing their business on TikTok, the lesson remains the same.
In my talk at ScaleCon2024, I suggested what I call a “Rent-To-Own” strategy to mitigate the risks of rented audiences. This means using platforms that you rent (social networks, ad platforms, etc.) to build an audience that you own and can communicate with directly. While I’ve covered this extensively over the years, it always bears repeating. While it was TikTok today, tomorrow it could be LinkedIn, Facebook, or X. Much like you would recommend supply chain redundancy to your customers, the same should apply to your marketing channels.