A CISO’s perspective on a TikTok ban and what it means for enterprises 




The federal government is considering pushing an outright ban on the video-sharing app TikTok across the U.S., just weeks after banning the app from all U.S. government devices. Citing data privacy concerns stemming from TikTok’s parent company, the Chinese firm ByteDance, officials have made it clear that they believe the app could be used to spy on Americans’ personal information and deliver that data directly to the Chinese government, which is known for cyber-theft of IP, trade secrets and other proprietary information from Western companies to advance its own national security priorities.

Considering what to do about TikTok

But for businesses that use TikTok for marketing or employ any of the 150 million Americans who have the app, what’s to be done? The answer, for now, lies in following basic security hygiene practices for all data-collecting apps, not just TikTok. 

The reality is that no matter what TikTok’s affiliation with the Chinese government is, it’s not the only app that’s capable of actively farming user data. Snapchat, Google and Meta all take advantage of user data to more granularly target ads and understand user behavior.

No company is immune to cyber-breaches and data theft, so much of that highly personal data could potentially be exposed by an adversary. TikTok collects data on a large scale because of the size of its user base and current popularity, but generally, if you’re not paying for the app or service, it’s using your data to make money.


Of course, the reason we — and Congress — are having this discussion right now is that, unlike any of those social media companies, TikTok is owned by a foreign company affiliated with China. Although we should be cautious when using social media platforms, no matter who owns them, TikTok is collecting massive amounts of information from American consumers, and we don’t know what that data is being used for or if a foreign government has access to the data.

Is BYOD right for you?

This is why enterprises that allow employees to bring their own devices into the office or conduct work on them — “BYOD” — should immediately reevaluate their policies. More specifically, they should make sure that they’re aware of the types of company information employees have on their personal devices, and take the necessary measures to ensure that information is separated from the rest of the apps on those devices. 

There are controls that organizations can implement to ensure that sensitive company information isn’t being collected by any type of app, TikTok or not. But generally, employers cannot issue an outright ban on employees downloading whatever app they’d like onto a personal device. Organizations can have acceptable use policies (AUPs) that administratively require employees not to use social media, including TikTok, while on company time, but that is not a ban on having the app on the device. It also doesn’t prevent the app from collecting information, which it does all the time.

Technical solutions that can be installed on personal devices to prevent apps from collecting sensitive work information, or, for example, to prevent sensitive documents from being downloaded from email, have to be set up, maintained and monitored. That can be expensive and time-consuming, and it requires an organization to have good data handling practices in place already, including classifying information and assets and having visibility into how that information is processed and used on employees’ personal devices. Enterprise security leaders should understand exactly what information they need to protect to make better risk decisions about how that information is handled.

What about work phones?

The alternative route for enterprises concerned about TikTok’s data collection practices is to issue their own devices to employees, pre-loaded with security controls that prevent unknown or unauthorized applications from being downloaded. If the organization owns the device, it can control exactly what is allowed to be done and downloaded onto the device to ensure proper security protocols are being followed.

But issuing company devices can also be expensive, and enterprises considering the decision to purchase laptops or phones for employees have to take into account convenience, business imperatives and information security risk. 

The specific risks highlighted by the TikTok issue are not new but have reached a new level of visibility due to the app’s incredible popularity. While Congress deliberates on banning the app, enterprise security leaders know that the tricky issue of data privacy and employee property doesn’t end with TikTok, and finding new solutions will be imperative as other data-collecting apps rise in usage. There’s never been a better time for those leaders to bring security to the front and center of their organizations’ priorities.

Adam Marrè is Chief Information Security Officer at Arctic Wolf.




Source link: https://venturebeat.com/security/a-cisos-perspective-potential-tiktok-ban-what-means-for-enterprises/
