The federal government is considering an outright ban on the video sharing app TikTok in the US, just weeks after the app was banned from all US government devices. Citing data privacy concerns stemming from TikTok’s parent company, Chinese company ByteDance, officials have made it clear they believe the app could be used to spy on Americans’ personal information and provide that data directly to the Chinese government, which is known for cyber-attacks and the theft of IP, trade secrets and other proprietary information from Western companies to further its own national security priorities.
Consider what to do with TikTok
But what about companies that use TikTok for marketing or employ one of the 150 million Americans who have the app? The answer, for now, lies in following basic security hygiene practices for all apps that collect data, not just TikTok.
The reality is that whatever TikTok’s affiliation with the Chinese government, it’s not the only app capable of actively manipulating user data. Snapchat, Google, and Meta all use user data to more accurately target ads and understand user behavior.
No company is immune to cyber breaches and data theft, so a lot of that highly private data could potentially be exposed by an adversary. TikTok collects data on a large scale due to its user base size and current popularity, but generally speaking, if you don’t pay for the app or service, it will use your data to make money.
Of course, the reason we – and Congress – are having this discussion now is that unlike all those social media companies, TikTok is owned by a foreign company affiliated with China. While we should be careful when using social media platforms regardless of who owns them, TikTok collects massive amounts of information from US consumers, and we don’t know what that data is used for or whether a foreign government has access to the data.
Is BYOD for you?
This is why companies that allow employees to bring their own devices into the office or to work on them – “BYOD” – should immediately reevaluate their policies. More specifically, they should make sure they are aware of the types of company information that employees have on their personal devices, and take the necessary steps to ensure that information is separated from the rest of the apps on those devices.
There are controls organizations can implement to ensure that sensitive business information is not being collected by any app, TikTok or not. But in general, employers can’t prohibit employees from downloading whatever app they want on a personal device. Organizations may have acceptable use policies (AUPs) that administratively require employees not to use social media, including TikTok, during work hours, but that is not a ban on having the app on the device. It also doesn’t prevent the app from collecting information, which it always does.
Technical solutions can be installed on personal devices to prevent apps from collecting sensitive work information, such as sensitive documents downloaded from email, but they must be set up, maintained and monitored. That can be expensive and time-consuming, and it requires an organization to already have good data handling practices in place, including classifying information and assets and understanding how that information is processed and used on employees’ personal devices. Security and business leaders need to understand exactly what information they need to protect in order to make better risk decisions about how that information is handled.
What about work phones?
The alternative route for companies concerned about TikTok’s data collection practices is to issue their own devices to employees, preloaded with security controls that prevent unknown or unauthorized applications from being downloaded. If the organization owns the device, they can control exactly what is allowed to be done and downloaded on the device to ensure proper security protocols are followed.
But issuing company equipment can also be expensive, and companies considering purchasing laptops or phones for employees must consider convenience, business requirements, and information security risks.
The specific risks highlighted by the TikTok issue are not new, but have reached a new level of visibility thanks to the incredible popularity of the app. While Congress considers banning the app, corporate security leaders know that the vexing issue of data privacy and employee ownership doesn’t stop at TikTok, and finding new solutions will be imperative as the use of other data-collecting apps increases. There has never been a better time for these leaders to put security at the heart of their organization’s priorities.
Adam Marrè is Chief Information Security Officer at Arctic Wolf.