Protecting Corporate Data in the Age of Third-Party Apps: Lessons from the TikTok Ban

Face-to-face Training

We provided training for many large organisations and professional risk bodies, up to the most senior levels.

These trainings give more opportunities to have deeper levels of discussion and interaction.

Find out more →

Protecting Corporate Data in the Age of Third-Party Apps: Lessons from the TikTok Ban

The increasing use of social media and mobile apps has raised concerns over data security and gathering practices. This blog post focuses on the implications for businesses that use third-party apps, especially those that have a bring-your-own-device system.

The Geopolitics of TikTok: How the Popular App Became a National Security Issue

TikTok, a widely used social media app, has been under scrutiny over the past few years due to concerns about its security and data-gathering practices. The US government launched an investigation into the app in 2018, citing concerns that the Chinese government could potentially access user data and use the app for espionage or influence campaigns. This led to an official ban on the use of TikTok on government devices by August 2020, and similar measures have since been taken by the European Commission and the UK, the latter only coming to effect on the 16th of March 2023.

However, the concerns over TikTok’s security and privacy policies extend beyond just government devices. As businesses increasingly rely on third-party apps for their daily operations, the risks associated with these apps become more apparent.

Implications for Businesses: Third-Party Apps and Bring-Your-Own-Device Policies

The recent TikTok bans highlight the importance of thoroughly vetting any third-party apps used by employees, particularly those that have access to sensitive corporate data. Companies must balance the potential benefits of using these apps, such as increased productivity and cost savings, with the risks associated with data breaches and security breaches.

Additionally, as the use of personal devices in the workplace continues to rise, businesses must also consider the potential risks associated with employees using their own devices for work purposes. This poses another major question that businesses will need to focus on: how can we protect company data from third-party apps with questionable security and data-gathering practices without infringing on our employees’ rights? Balancing the need for corporate security with employee privacy is a complex challenge that requires careful consideration.

The Challenge of Balancing Employee Privacy and Corporate Security on Personal Devices

The use of personal devices in the workplace, or BYOD (bring-your-own-device), has become increasingly popular as it allows employees to work remotely and increases their productivity. However, finding a middle ground between safeguarding employee privacy and upholding corporate security poses a significant challenge for businesses with a BYOD policy. The difficulty arises from the need to safeguard sensitive corporate data while also upholding employees’ privacy on their personal devices.

If businesses start to put restrictions on employees’ private phones, it becomes a difficult matter to govern. It is challenging to enforce policies regarding app usage and privacy settings on personal devices as employees may feel that their privacy is being infringed upon. Even if businesses are letting users manage privacy settings in relation to corporate data, there is no guarantee that employees are properly safeguarding sensitive information. Moreover, employees may not be aware of the potential security risks associated with their personal devices and may inadvertently expose corporate data to security breaches.

While businesses might be saving money by allowing employees to use their own devices, they are still leaving themselves open to major risks. To mitigate this risk, businesses would need to implement ways to firewall off company data and ensure that employees are using secure apps and devices. One solution to this problem is providing employees with a corporate phone. While this may seem like an additional expense, it can be more cost-effective in the long run by protecting sensitive corporate data from security breaches. Good risk assessment would establish whether the benefits of a BYOD system outweigh the potential risks and whether providing employees with a second phone is a more appropriate solution.

Practical Steps for Improving Cybersecurity

Other more practical steps that businesses should consider would be implementing effective risk management strategies that focus on identifying, assessing, and mitigating potential cybersecurity threats. Let’s go over the main five:

  1. Conduct a risk assessment to identify potential cybersecurity risks.
  2. Implement security controls based on the risk assessment, such as firewalls, antivirus software, encryption, and access controls.
  3. Educate employees: Employees are often the weakest link in a company’s cybersecurity defence. Businesses need to train employees to identify and respond to cyber threats, such as phishing emails and social engineering tactics. Have your current training efforts been effective enough to trust employees to recognize and respond to potential cybersecurity threats, or is there room for improvement? 
  4. Have a comprehensive incident response plan in place to quickly detect, contain, and recover from cybersecurity incidents.
  5. Continually monitor potential cybersecurity threats to their systems and networks to ensure their controls are efficient.

Conclusion

In conclusion, the TikTok ban serves as a wake-up call for businesses to take the security of their corporate data seriously, especially in a world where personal devices are being increasingly used for work purposes. Ensuring both employee privacy and corporate security can be a challenging task, but it is necessary for the protection of sensitive information.

With Senscia’s help, you’ll be able to provide tailor-made cybersecurity training courses that can effectively and creatively educate your employees on potential threats and improve their overall security posture. Remember, investing in cybersecurity is an investment in the future of your business.

Don’t rely on luck - rely on Senscia

The new ERM training model designed for risk professionals BY risk professionals.

Strengthen my risk culture →

Now you know a bit about us, why not tell us something about who you are and what kind of business/risk issues you are having to deal with

Contact Senscia today