Time’s Up On TikTok In Corporate Environments | ActZero

Several governments around the world have or are considering banning the Chinese-owned social media app TikTok from government mobile devices as it presents an “unacceptable level of risk to privacy and security.” Canada is the latest of a number of governments to take this action.  And the United States, UK, and the EU may not be far behind. This begs the big question: Is the TikTok app ‘really’ dangerous to businesses?  In short, Yes, it has the potential to be.  

Growth Of Mobile Apps On Corporate And BYO Devices

As the world becomes increasingly digital, businesses are turning to mobile apps to drive growth, streamline operations and make employees more productive. Sometimes these applications are installed on corporately-owned devices or loaded onto a user’s personal device that connects to the corporate network. Both device scenarios offer a similar risk level. To deliver their value, applications normally store, process, and transmit vast amounts of confidential information, and sometimes personal identifiable information (PII). They also access critical backend systems. This presents a large security and privacy risk should they gain unauthorized access or exfiltrate data. This not only affects individual users, but can impact businesses, organizations, and government agencies. 

What Are The Specific Risks With TikTok? 

In an article, the Center for Internet Security (CIS) outlined the key security risks of TikTok.  

Data Without Borders

TikTok collects sensitive data about users, even if they neither saved nor shared their content. The danger is how the data is collected and who has access.   

• TikTok is subject to the 2017 Chinese National Intelligence Law, which states that “any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.”  While TikTok claims all user data is stored in the U.S. and Singapore, TikTok’s parent company servers are all located in China on China-based infrastructure, making it subject to the Law. Any data collected becomes state intelligence.
• It’s already proven to be spyware. The data collection on foreign citizens enables a Trojan horse to a nation. They didn’t willingly expose this; investigations led us to this discovery. As proof, we don’t have to look much further than the recent case of ByteDance’s covert surveillance campaign, tracking multiple Forbes journalists by improperly gaining access to their IP addresses and user data in an attempt to identify whether they had been in the same locales as ByteDance employees, designed to unearth the source of leaks inside their company.

Collection Of PII And User Data

Users rarely read the terms and conditions of any application before use.  In the case of TikTok, that presents a more serious issue given its intrusiveness. 

• TikTok’s PII collection includes standard personal information. It also collects unneeded information about message content, like when and where they are sent, received, and/or read.
• TikTok also collects unneeded sensitive data from users, often without the user’s knowledge. This data includes device brand/model, operating system version, mobile carrier, browsing history, app and file names, keystroke patterns or rhythms, wireless connections, and geolocation.
• TikTok is well known for its unique filters, applied over user images. These require enabling the device’s microphone and camera, which has been noted to collect biometric data like facial geometry, iris scans, voice recognition, and fingerprints － all permanent identifiers of the user － making them of high intelligence value in the wrong hands.

Collection Of Corporate Data and Access to Systems

Not only are these devices scraping user data, they are scraping info from your company

• This data includes user and system usernames, passwords, workplace locations, corporate data that might be shared in company-related posts,

Feeding the Addiction: The Tale of Two Apps

Outside of China, users experience a different, more addictive app designed to engage users and collect more information. A recent UK study shows that the constant need to check, compare, and compete is a leading cause of raising mental health challenges. Users are being targeted by the app’s algorithms and fed a constant stream of new content, and ‘shaping’ their opinions.

Should Your Organization Ban TikTok?

Banning TikTok from corporate devices or those that contain company data, is up to you. Anytime an application has access to user and device data, it should be fully evaluated. Ultimately, for now, that choice depends on your corporate policies, goals, compliance requirements, and tolerance for risk.  

If your organization and employees use TikTok for promotion and content creation, stepping away from the application may be difficult. It’s important to have solid security protections in place, like data encryption, access control and management, and management detection and response. And, that you’re meeting any necessary compliance regulations pertaining to data privacy.  

Given these risks, companies have every right to request employees remove applications off their devices if that same device has corporate data. That’s part of the acceptance terms with most BYOD programs. For organizations that would like to ban TikTok, there are ways of enforcing the measure on your company-provided devices.

• Improve Security Awareness: Educate users on the risks of TikTok and ask them to remove TikTok from their devices.
• Refresh Your Acceptable Use Policies: AUP should be refreshed frequently. Take the time to craft clear expectations regarding the use of TikTok in the workplace.
• Invest in Website Blocking: Block by category or by specific infrastructure, such as Internet Protocol (IP) addresses and domain names.
• Step Up Your Internet Monitoring: Monitor for use of TikTok on corporate devices and set alerts to notify designated personnel if the application is accessed.
• Deploy Mobile Device Management (MDM): For company-provided cell phones, install a mobile device management solution to enforce the blocking of the TikTok app and monitor user activity for attempts to bypass application policies.
• Invest in a Mobile Threat Defense (MTD) solution: Mobile threat defense solutions can layer on top of MDM, providing continuous, on-device monitoring to detect known and unknown threats to the device, its user, and your network including device, network, phishing, and app attacks.

The Bottom Line

ActZero sees TikTok as a data harvesting application thinly disguised as a social media application. Our strong recommendation is that the application be prohibited on any corporately-issued devices and approved personal devices that have access to corporate data and systems.