A CISO’s perspective on the TikTok ban and what it means for businesses

The federal government is considering pushing for a full ban on the video-sharing app TikTok in the US, just weeks after banning the app on all US government devices. Citing data privacy concerns stemming from TikTok’s parent company, Chinese firm ByteDance, officials have made it clear that they believe the app could be used to snoop on the personal information of Americans and deliver that data directly to the Chinese government, which is known for cyber-theft of intellectual property, trade secrets, and other proprietary information from Western companies to advance its own national priorities.

Considering what to do with TikTok

But for companies using TikTok for marketing or employing any of the 150 million Americans who have the app, what is to be done? The answer, for now, lies in following basic security hygiene practices for all data-collection apps, not just TikTok.

The reality is that whatever TikTok’s affiliation with the Chinese government may be, it is not the only app that actively collects user data. Snapchat, Google, and Meta all leverage user data to target ads in granular ways and to understand user behavior.

No business is immune to breaches and data theft, so any of that highly personal data can potentially be exposed by an adversary. TikTok collects data on a large scale because of the size of its user base and its current popularity, but the general rule holds: if you’re not paying for the app or service, your data is how it makes money.

Of course, the reason we, and Congress, are having this discussion right now is that unlike any of those social media companies, TikTok is owned by a foreign company affiliated with China. We must be cautious when using any social media platform, regardless of who owns it, but TikTok is collecting massive amounts of information from American consumers, and we don’t know what that data is used for or whether a foreign government has access to it.

Is BYOD right for you?

This is why companies that allow employees to bring their own devices to the office or perform work on them—“BYOD”—should reevaluate their policies immediately. More specifically, they need to make sure they are aware of the types of company information employees have on their personal devices and take steps to ensure the information is separate from the rest of the apps on those devices.

There are controls that organizations can put in place to ensure that no app, TikTok or otherwise, collects sensitive company information. But in general, employers cannot completely prohibit employees from installing whatever apps they want on a personal device. Organizations may have Acceptable Use Policies (AUPs) that administratively require employees not to use social media, including TikTok, during business hours, but that is not a ban on having the app on the device. Nor does it prevent the app from collecting information, which it does continuously, not just during the workday.

Technical solutions that can be installed on personal devices to prevent apps from collecting sensitive work information, or, for example, from downloading sensitive documents out of email, need to be configured, maintained, and monitored. That is costly and time consuming, and it requires an organization to already have good data management practices in place: classifying information and assets, and having visibility into how that information is processed and used on employees’ personal devices. Enterprise security leaders need to understand exactly what information they must protect in order to make better risk decisions about how that information is handled.

What about work phones?

The alternative route for companies concerned about TikTok’s data collection practices is to hand out their own devices to employees, preconfigured with management controls that prevent unknown or unauthorized apps from being installed. If your organization owns the device, you can control exactly what is allowed to be done on it and installed on it, and enforce proper security protocols rather than merely asking employees to follow them.
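The two models described above, separating company data from personal apps on BYOD devices and allowlisting apps on corporate-owned devices, amount to policy checks that an MDM or security team runs over an app inventory. The following is an added example, not code from the article or from any MDM vendor: it evaluates a constructed device inventory against both policies. The package names, the inventory format, and the policy sets are assumptions chosen for illustration; a real deployment would read the inventory from its MDM and use the organization’s own classifications.

```python
"""Evaluate a mobile app inventory against BYOD and corporate-device policies.

Added example. The inventory, package names and policy sets below are
constructed for illustration and are not from the article or any vendor.
"""
from __future__ import annotations

from dataclasses import dataclass

# Corporate-owned devices: only these packages may be installed (assumed names).
CORPORATE_ALLOWLIST = {
    "com.example.mail",       # hypothetical corporate mail client
    "com.example.docs",       # hypothetical corporate document viewer
    "com.example.mdm-agent",  # hypothetical MDM agent
}

# Apps that hold company information; on BYOD they must live in the managed
# side (Android work profile / iOS managed apps), never unmanaged.
CORPORATE_DATA_APPS = {"com.example.mail", "com.example.docs"}

# Consumer apps with aggressive data collection. On a personal device they are
# the employee's business, but they must never end up inside the work profile.
CONSUMER_WATCHLIST = {"com.example.shortvideo", "com.example.social"}


@dataclass(frozen=True)
class App:
    package: str
    managed: bool  # True if installed in the work profile / managed by MDM


@dataclass(frozen=True)
class Device:
    device_id: str
    ownership: str  # "corporate" or "byod"
    apps: tuple[App, ...]


def evaluate(device: Device) -> list[str]:
    """Return a list of policy findings for one device (empty list = compliant)."""
    findings: list[str] = []
    if device.ownership == "corporate":
        # Company-owned: strict allowlist, regardless of managed flag.
        for app in device.apps:
            if app.package not in CORPORATE_ALLOWLIST:
                findings.append(
                    f"{device.device_id}: unauthorized app {app.package} on corporate device"
                )
    elif device.ownership == "byod":
        for app in device.apps:
            # Company data outside the managed container sits beside personal apps.
            if app.package in CORPORATE_DATA_APPS and not app.managed:
                findings.append(
                    f"{device.device_id}: {app.package} holds company data outside the work profile"
                )
            # A watchlisted consumer app inside the container is an MDM misconfiguration.
            if app.package in CONSUMER_WATCHLIST and app.managed:
                findings.append(
                    f"{device.device_id}: watchlisted app {app.package} inside the work profile"
                )
    else:
        findings.append(f"{device.device_id}: unknown ownership {device.ownership!r}")
    return findings


def evaluate_fleet(devices: tuple[Device, ...]) -> dict[str, list[str]]:
    """Map each device id to its findings."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample inventory covering the compliant and non-compliant cases.
SAMPLE_FLEET: tuple[Device, ...] = (
    Device("corp-001", "corporate", (
        App("com.example.mail", True), App("com.example.docs", True),
        App("com.example.mdm-agent", True),
    )),
    Device("corp-002", "corporate", (
        App("com.example.mail", True), App("com.example.shortvideo", False),
    )),
    Device("byod-001", "byod", (
        App("com.example.shortvideo", False), App("com.example.mail", True),
    )),
    Device("byod-002", "byod", (
        App("com.example.mail", False), App("com.example.shortvideo", False),
    )),
    Device("byod-003", "byod", (App("com.example.shortvideo", True),)),
)

if __name__ == "__main__":
    for device_id, findings in evaluate_fleet(SAMPLE_FLEET).items():
        print(device_id, "OK" if not findings else "; ".join(findings))
```

Note that `byod-001` produces no finding even though a watchlisted app is installed: on a personal device the check is about where company data lives, not about what the employee installs, which is exactly the distinction the AUP alone cannot enforce.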

But issuing company devices can also be expensive, and companies considering the decision to purchase laptops or phones for employees must consider convenience, business imperatives, and information security risk.

The specific risks highlighted by the TikTok issue are not new, but they have reached a new level of visibility because of the app’s enormous popularity. While Congress deliberates on banning the app, enterprise security leaders know that the tricky problem of data privacy on employee-owned devices doesn’t end with TikTok, and finding workable solutions will only become more imperative as the use of other data-collecting applications grows. There has never been a better time for these leaders to put security front and center among their organizations’ priorities.

Adam Marrè is director of information security at Arctic Wolf.
