
Everything You Need to Know About Certificate-Based Authentication

No ID? No Entry.

Certificate-based authentication is a way for a computer system to verify your identity using a digital certificate instead of a traditional username and password. Think of it like a driver’s license. When you go to a bar or a liquor store, you need to prove that you’re old enough to buy alcohol. The bouncer or cashier checks your ID to make sure it’s really you, and that you’re of legal age. In the same way, when you connect to a secure website or network, your computer presents a digital certificate to prove that you are who you say you are.

This certificate contains a unique code that identifies you and your computer, and it’s signed by a trusted authority like a certificate authority (CA). The CA vouches for your identity, and the website or network can trust that you are who you say you are. So, instead of typing in a username and password, you just present your digital certificate and the system verifies it. It’s a more secure way of authenticating because it’s harder to steal or guess a digital certificate compared to a password.

 

The Secret Handshake

Certificate-based authentication is like having a secret handshake that only you and the system you’re trying to access know. You can think of it as a VIP club, where only the cool kids with the special wristbands can get in. In this case, your digital certificate is your wristband, and the certificate authority is the bouncer at the door.

Now, let’s say you’re trying to sneak into the VIP club without a wristband. You might try to guess the password or use some other sneaky trick to get past the bouncer. But with certificate-based authentication, you can’t cheat your way in. Your digital certificate is unique to you and your computer, and it’s signed by a trusted authority. So, even if someone intercepts your certificate, they won’t be able to use it to gain access to the network: the certificate is only the public half of the credential, and the system also checks that whoever presents it holds the matching private key, which is never sent over the network.

It’s like having a secret superpower that only you possess. And because it’s harder to steal or guess a digital certificate, certificate-based authentication is like having a bulletproof vest for your network. It’s the most secure way to authenticate because it’s nearly impossible for hackers to break in without your digital certificate. So, if you want to protect your network from the bad guys, certificate-based authentication is the way to go!
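The two checks behind the handshake described above, as an added Go example that is not part of the original article: the server accepts a login only if the certificate chains to a CA it trusts and the client signs a fresh challenge with the certificate's private key. The function names, "Example Corp CA", "Rogue CA" and "alice-laptop" are assumptions, all keys and certificates are constructed in memory, and the explicit challenge stands in for the signature a TLS client makes over the handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a key pair and its certificate: a self-signed CA when ca is nil, else a client cert signed by caKey.
func issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{ // the serial below is a constructed demo value
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // self-signed root: it may sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// authenticate is the server side: check the CA's signature first, then proof of the private key.
func authenticate(trusted *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("no proof of possession of the private key for %q", cert.Subject.CommonName)
	}
	return nil
}

// runScenarios reports which of three constructed login attempts the server accepts.
func runScenarios() map[string]bool {
	caKey, ca := issue("Example Corp CA", nil, nil)
	rogueKey, rogueCA := issue("Rogue CA", nil, nil)
	ownerKey, ownerCert := issue("alice-laptop", ca, caKey)
	otherKey, forgedCert := issue("alice-laptop", rogueCA, rogueKey)
	trusted, challenge := x509.NewCertPool(), make([]byte, 32)
	trusted.AddCert(ca) // the server trusts only the company CA
	_, err := rand.Read(challenge) // fresh per login, so a recorded signature cannot be replayed
	check(err)
	return map[string]bool{
		"owner":              authenticate(trusted, ownerCert, challenge, ed25519.Sign(ownerKey, challenge)) == nil,
		"copied certificate": authenticate(trusted, ownerCert, challenge, ed25519.Sign(otherKey, challenge)) == nil,
		"forged certificate": authenticate(trusted, forgedCert, challenge, ed25519.Sign(otherKey, challenge)) == nil,
	}
}

func main() {
	fmt.Println(runScenarios())
}
```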

 

What’s Stopping You?

Certificate-based authentication can be a bit more complicated to set up and manage than traditional username and password authentication. It requires companies to have their own certificate authority or to purchase certificates from a trusted third-party CA, which can be expensive. And depending on the size of the company, managing all those certificates can be a bit of a headache.

Plus, not all systems and applications support certificate-based authentication, so companies may need to make changes to their infrastructure to enable it. And even if they do make those changes, employees may need to be trained on how to use certificate-based authentication, which can take time and resources.

That being said, many companies are starting to see the benefits of certificate-based authentication, especially for highly sensitive systems and data. It’s a more secure method of authentication that can help prevent cyberattacks and data breaches. So, while it may not be the easiest option, it’s definitely worth considering for companies that take security seriously.

 

Roll it Out Faster

If companies want to speed up the adoption of certificate-based authentication, they need to make it easy and appealing for their employees.

Firstly, they can simplify the process of getting started with certificate-based authentication by providing user-friendly guides and tutorials. They should explain the benefits of certificate-based authentication in a way that’s easy to understand and make it clear how to use it.

Secondly, companies can incentivize employees to use certificate-based authentication by offering rewards such as bonuses, promotions, or recognition for those who make the switch. It’s like getting a gold star for doing well in school, but cooler because it’s for network security!

Thirdly, they can make it a company-wide policy to use certificate-based authentication for all employees. This helps establish a culture of security and demonstrates to employees the importance of protecting sensitive information.

Lastly, companies can invest in training programs and workshops to educate employees on the benefits of certificate-based authentication and how to use it effectively. They can make it fun and interactive, like a game show where employees can win prizes for correctly answering security questions.

By making certificate-based authentication easy, incentivizing its use, establishing it as a policy, and educating employees, companies can accelerate its adoption and improve their network security. It’s all about making security simple and accessible for everyone.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

TikTok Security Concerns in the Workplace

TikTok, the viral social media app centered around short videos and owned by the Chinese company ByteDance, is coming under intense scrutiny. By now, many of us have seen a TikTok video filmed in someone’s workplace—those “day in the life” clips or rants about coworkers, supervisors, or customers. Or you may have seen a video of someone discussing an unrelated subject while sitting at their desk. It’s safe to say that TikTok has found its way into many workplaces, for better or for worse. But the issue goes deeper than catching unsanctioned glimpses into the workplace environment. Many organizations are worried about TikTok itself, the data it gathers, and which hands that data ends up in.

 

Does TikTok Pose a Security Risk to Corporate Networks?

TikTok, like any other social media app, can pose a potential security threat to a corporate network if used by employees. The app may collect personal information and usage data that could be exploited by cybercriminals, and the app’s security protocols could be compromised.

There have been concerns raised about TikTok’s data collection practices, which include tracking user behavior, location, and contacts. Additionally, TikTok’s parent company, ByteDance, is based in China, which has led to concerns about potential government access to user data.

If employees use TikTok on a corporate network, it could potentially compromise the network’s security. Hackers could exploit vulnerabilities in the app to gain access to sensitive corporate data or use the app as a vector to distribute malware to other devices on the network.

To mitigate these risks, companies may choose to restrict or ban the use of TikTok on their corporate networks. They could also implement security protocols and software to monitor and control access to social media apps and other potentially risky applications. Additionally, it’s essential to educate employees about the potential risks associated with using social media apps on company devices and networks.

 

TikTok Security Concerns Are Mounting

Many states have growing TikTok security concerns. These concerns have led 18 Republican-led states to ban the use of the app on government devices. Federal agencies also bar staffers from using TikTok on their government phones and devices, including the Pentagon, the State Department, and the Transportation Security Agency.

Moreover, Europe is taking a similar approach to TikTok risk, with the European Parliament banning the app on staff phones. This move came just one day after the White House gave federal agencies 30 days to remove TikTok from all government devices. Canada has also followed suit, banning TikTok from government devices over security concerns.

But what TikTok security concerns are at play here? More generally, officials believe that the app could collect sensitive data from users, which the Chinese government may then access. In addition, they’re equally worried that the app may pose a threat to network security and endpoint security. For example, could the app be used to access sensitive information on government devices or to infiltrate government networks (an attack vector)?

The concern here stems from a lack of trust in ByteDance and fears over how much access and control Beijing has over the company and, subsequently, the app. ByteDance denies allegations that the Chinese government is involved in its operations, but these denials are largely falling on deaf ears.

 

Assessing the Seriousness of the Risk

There have been some reports of cybersecurity incidents involving TikTok, but it’s not clear if any companies have specifically experienced a cyber attack involving the app.

For example, in 2020, TikTok was found to be accessing users’ clipboards on iOS devices, which raised concerns about the app’s data collection practices. However, there have been no reports of TikTok being used as a vector for a cyber attack specifically targeting a corporate network.

That being said, it’s important to note that the threat landscape is constantly evolving, and new threats can emerge at any time. Companies should remain vigilant and take steps to mitigate potential risks associated with the use of social media apps on their networks, including TikTok.

 

TikTok Security Strategies Are Evolving

Government agencies banning TikTok is noteworthy, but what does it mean for everyone else? Some argue that governments are being a little paranoid, especially in assessing TikTok’s risk to endpoint security and network security. Still, others argue that governments have a duty to take stringent security measures regarding government data and systems.

But what should private companies do? First, it’s important to note that TikTok poses other significant concerns. For example, employees may unintentionally share confidential company information by filming a video with visible employee screens. They may also give the company a bad reputation by sharing negative stories about the workplace on the platform.

The less popular app BeReal is also coming under scrutiny for similar reasons. BeReal takes a less sensationalist approach than TikTok (it has no filters, hashtags, or followers) and is aimed at users showing an unfiltered view of their everyday life. Since this app requires you to be someone’s friend before you view their BeReal, it may create a false sense of security where users feel less inclined to censor confidential information.

Companies will have to determine their own risk tolerance, but it’s telling that organizations most focused on cybersecurity believe that TikTok is a significant security risk. More widely, companies should update their social media policies to define whether TikTok is allowed on company devices and how (and if) its use is sanctioned in the workplace – don’t leave your security up to chance!

Are Passwords a Threat to Enterprise Security?

Attackers targeting enterprises are growing in number and sophistication. Organizations are only one password away from their worst day. To that point, is it time to ditch all those annoying, hackable passwords and live in a passwordless society?

Passwords have been the primary method of authentication for decades. While they have served their purpose and served it well, there may be better alternatives for protecting your mission-critical data and digital resources. As technology advances, cybercriminals find new ways to steal corporate credentials, making password security less effective.

In fact, according to a recent study, 81% of company data breaches were due to poor passwords. Password reuse is of particular concern as it could lead to credential stuffing attacks where threat actors take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.

The same report revealed that 80% of hacking incidents were caused by stolen or reused login information.

These attacks weren’t on small companies with limited resources and weak cybersecurity protocols. They were on household name enterprises such as Ticketmaster, GoDaddy, Microsoft, SolarWinds, and even the New York City Law Department. In the case of SolarWinds, the hackers could get in with a weak password an intern had been using (“solarwinds123”), which was publicly accessible via a misconfigured GitHub repository.

Not only are passwords less secure, but they are also productivity inhibitors. In another recent report on passwordless security, 45% of respondents indicated that a passwordless approach to security would increase productivity.

In addition to weak passwords and credential reuse, passwords can be a hindrance to enterprise security in several ways:

  1. Passwords can be easily compromised: Bad actors can steal or hack credentials using various methods, such as phishing, brute force attacks, or social engineering.
  2. Password Sharing: Employees may share their passwords with others, which can put enterprise data at risk. Password sharing is especially problematic when employees leave the company or change positions, as they may be disgruntled or their old passwords remain active.
  3. Human Error: Employees may inadvertently reveal passwords through phishing scams or other social engineering tactics, which gives attackers access to enterprise data even if they do not have the correct login credentials.
  4. Lack of Two-Factor Authentication: Passwords alone may not be enough to secure enterprise accounts. Two-factor authentication can add an extra layer of security.
  5. User frustration: Password policies can frustrate users who must remember multiple passwords, adhere to strict complexity rules, and change them frequently.
  6. Cost of password management: Organizations need to invest in password management systems, such as password policies, training, and resets. These systems can be costly and time-consuming.

Given these reasons, enterprises should consider more secure alternatives to password security, such as Zero Trust, biometrics, multi-factor authentication, and certificate-based authentication. As compromised credentials continue to be a common attack vector, it only takes one nefarious login to bring a company to its knees. Of course, enterprises can’t just suddenly pull the plug on passwords altogether, but it is an option worthy of consideration.

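The Key to Enterprise Security: A Closer Look at Managed Detection and Response (MDR) Solutions

In today's A.I. era, enterprise networks and systems are growing ever more complex, and the threats they face are becoming more varied and more intelligent. In this environment, traditional security defenses can no longer meet enterprise needs. A more comprehensive and more efficient security solution, MDR, was therefore developed to address today's security challenges.

MDR stands for Managed Detection and Response. It is an emerging security solution that combines advanced technology, threat intelligence and professional security staff, with the aim of giving enterprises more comprehensive and more effective security defense and threat response capabilities.

Traditional security defenses generally include firewalls, intrusion detection and antivirus software. These measures mainly detect and block threats using signatures of known threats, and those signatures are based on threats and attack methods that have already been discovered. As a result, they often fail when faced with unknown threats. An MDR solution, by combining technologies such as machine learning, behavioral analysis and threat intelligence, can detect and defend against threats more comprehensively. It can detect unknown threat behavior, anomalous behavior by internal employees, advanced threats from outside, and more. These are often threats that traditional defenses cannot detect or defend against, whereas MDR can discover them early and respond to and handle them promptly.

When choosing an MDR solution, you should pay attention to the following aspects:

  • Technical capability: Technical capability is one of the important factors in the choice. You need to make sure the MDR solution you choose has advanced security technologies, such as behavioral analysis and threat detection and response.
  • Security expertise: The vendor should have ample security expertise and experience, and be able to monitor and respond to security incidents effectively.
  • Flexibility and scalability: The solution can be flexibly configured and scaled according to the enterprise's needs, so that it suits enterprises of different sizes and requirements.
  • Monitoring scope: The monitoring scope should cover all of the enterprise's critical resources and applications, including cloud environments and mobile devices.
  • Response time: The shorter the response time the better; the ability to respond quickly to security incidents reduces losses and risk.
  • Certification and compliance: The vendor should hold relevant certifications and compliance attestations, such as ISO 27001, SOC 2 and HIPAA.
  • Cost-effectiveness: Cost-effectiveness should be one of the important factors in your choice. You need to make sure the MDR solution you choose delivers good performance and security without placing too great a burden on the enterprise.

MDR is an emerging security solution that aims to provide round-the-clock security monitoring and response. When choosing an MDR solution, you should pay attention to technical capability, security expertise, flexibility and scalability, monitoring scope, response time, certification and compliance, and cost-effectiveness. An MDR solution can help enterprises raise their security level, reduce risk and optimize the use of IT resources. If you would like to know more about MDR solutions, please contact our professional team, and we will be glad to assist you.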

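About ESET
Founded in 1992, ESET is a global provider of computer security software for businesses and individual users. Its award-winning product, the NOD32 antivirus system, provides real-time protection for computer systems against all kinds of known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources, has the fastest detection speed, can provide the most effective protection, and has won more Virus Bulletin 100 awards than any other antivirus product. ESET has been named to Deloitte’s Technology Fast 500 for five consecutive years and has an extensive partner network that includes internationally known companies such as Canon, Dell and Microsoft. It has offices in Bratislava (Slovakia), Bristol (United Kingdom), Buenos Aires (Argentina), Prague (Czech Republic), San Diego (United States) and elsewhere, and its agencies cover more than 100 countries worldwide.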
