Employees who use the TikTok app on devices with direct access to corporate data pose a threat to your business.

That’s according to an International Association of IT Asset Managers (IAITAM) warning. Increasing use of the TikTok app is especially concerning with many employees still working from home due to COVID-19.

TikTok is a Chinese video-sharing social networking service owned by ByteDance, a Beijing-based internet tech company.

IATAM’s Barbara Rembiesa

“The TikTok app unnecessarily endangers data in a way that any government agency or corporation should be concerned about,” said Barbara Rembiesa, IAITAM’s president and CEO. “Combine that with the blending of corporate and personal assets due to work-from-home conditions for employees, and you have a perfect storm for sensitive data to be placed into the wrong hands. As things stand today, allowing TikTok in or near your organization’s environment is not consistent with maintaining data integrity.”

Gathering Data

The TikTok app gathers data. That includes the user’s clipboard history, location and GPS data, according to IATAM. That’s much like the Fitbit security breaches that the Department of Defense experienced in 2018. In that case, fitness trackers used location data to map military bases while soldiers exercised.

“Acceptable data risk needs to be ascertained prior to downloading software and such software should be managed by an IT asset manager,” Rembiesa said. “The risk posed by the data permissions of TikTok does not meet data security best practices. Diligence and education on IAITAM procedures are essential for businesses to implement smart digital policies and mitigate security risks.”

We couldn’t reach TikTok for comment. But in April, Roland Cloutier, TikTok’s CISO, addressed the issue in a blog:

“We will continue to drive our goal of limiting the number of employees who have access to user data and the scenarios where data access is enabled,” he wrote. “Although we already have controls in place to protect user data, we will continue to focus on adding new technologies and programs focused on global data residency, data movement and data storage access protections worldwide.”

Data Collection Warning

SiteLock’s Logan Kipp

Logan Kipp is director of sales engineering at SiteLock. He said businesses need to be wary of websites and apps employees use that collect data. These may make the company more vulnerable to an attack, he said.

“Because employees are working from home on their private networks, the cybersecurity measures in place are likely lower than what is installed in the office, making businesses more susceptible to a breach,” he said.

In an ideal world, employees have separate personal and work devices, Kipp said. As the lines between work and personal lives become increasingly blurred, this often isn’t the case, he said.

“It’s more common for employees to have a work computer but use a personal cellphone,” he said. “If this is the case, employers should think critically about whether employees need to be doing work on their personal mobile devices, and if they don’t, encourage employees to remove any work-related apps like email, Slack, etc., from their phones. If these lines cannot be drawn, at the bare minimum, employers must educate their employees to ensure they have strong passwords to secure their home network and use a VPN to secure all communications for work.”