Risk managers must tackle the growing threats from employees using social media apps on company phones. Here’s what you need to know

Risk managers have been told they need to ensure that staff do not load social media app TikTok onto company phones or laptops, amid ongoing concerns around the amount of data it seeks to access.

The warning comes from cyber security firm Intersys, which cautioned that the app has the potential to pose real security risks to businesses, especially those in heavily regulated sectors.

TikTok is a popular Chinese-owned video-sharing app that allows users to make and share short videos with other TikTokers. It has been around since 2016 and in 2025 had 955 million active users globally.


Video topics range from entertainment and dance to lifehacks and bite-sized learning. The typical TikTok user is under 24, although brands and businesses are quickly jumping on the bandwagon to appeal to a younger target audience.

It has long been a cause for concern in the US, with both President Trump and President Biden expressing security concerns over the app and its use.

Intersys explained that many countries are particularly uncomfortable with TikTok because of its Chinese ownership (Beijing-based ByteDance) and the (currently) theoretical risk that the company could share its customer data with the Chinese government. The platform has always insisted that it does not share any data with those running the country.

What adds to the concerns is Article Seven of China’s National Intelligence Law which states that all Chinese organisations and citizens should “support, assist and co-operate” with Chinese intelligence efforts.

Many governments around the world – including the UK, US, Australia, Canada, Belgium and Denmark – have banned the app from government devices and networks due to concerns that it could harvest confidential data.

Why security concerns are growing

TikTok’s efforts to establish its credibility have not been helped by two significant events.

Since 2020, TikTok has tried to reassure governments, regulators, businesses and users that Chinese employees cannot access the data of non-Chinese users.

However, in December 2022, ByteDance admitted that its Beijing-based employees had accessed the data of at least two US journalists, and a “small number” of others. The employees were tracking the journalists’ locations to check whether they were meeting TikTok staff suspected of leaking information to the media.

TikTok has since updated its privacy policy to say that European user data can be seen by its employees outside the continent, including in China.

Meanwhile, the company was recently fined £12.7 million by the UK Information Commissioner’s Office for illegally processing the data of over a million children who were using the platform without the consent of their parents.

Intersys explained that, like most social media companies, TikTok collects the following types of information from users:

  • personal details (username, email, mobile number, date of birth and password)
  • payment information
  • information included in content you create, such as photos, videos and location information
  • IP addresses, your operating system and network data
  • details of how you use the site, and who you talk to or message
  • your audio and video via your camera and microphone (common to most video-sharing apps)

But there are permissions it requests that go above and beyond these, which have raised eyebrows and which for many amount to genuine TikTok security risks. Most apps require permissions to a few data sets in order to function, but TikTok attests that it requires access to all of them.

It asks to:

  • collect any content you create on the platform, even if you don’t publish it
  • share information with Facebook if you sign in that way
  • access all your phone contacts, connect to your Wi-Fi and know your exact location using GPS
  • keep the device turned on and automatically start the app when the device is powered on
  • access the contents of your clipboard and your typing patterns, which can be used for identity verification

How organisations should respond

On the question of whether businesses should allow staff to use TikTok on work devices, Intersys said the risks outweigh the potential rewards in terms of staff satisfaction.

“If you don’t allow other social media, obviously no,” it explained. “If you do and want to let people use TikTok – perhaps you’re a media agency and it’s important for your work – then follow due diligence to minimise its ability to collect data.

“Unless there’s a very special reason why your people need to access TikTok at work, leave well alone. We believe its methodology and track record so far suggests real and present TikTok security risks.

“If you work in a highly regulated sector such as insurance, banking and finance, you need to be particularly vigilant about TikTok. Make sure you tighten your ‘bring your own device’ (BYOD) and work-from-home (WFH) policies to ensure that staff are not inadvertently exposing confidential business data via TikTok.”


Matthew Geyman, managing director of Intersys, told StrategicRISK: “Given that trust is one of the hardest things to earn and the easiest to lose, and that reputational impact and legal action can easily outweigh the cost of regulatory investigation and penalties, all industries must take note.

“Reputational damage and falling stock prices following breaches are also a vector for hostile takeovers and change of corporate control – a threat to any large publicly traded organisation. For example: Yahoo’s breaches led to a significant drop in its share price and therefore its sale to Verizon, and the data breach at Capital One caused its share price to drop almost 15% (from around $100 to $85).”

He added: “There are reports that, following data breaches, shares of traded companies underperform their competitors and often for significant periods. Finally, there’s legal action: following a 2021 data breach affecting 75 million customers, T-Mobile paid a $350 million class action settlement plus an extra $150 million on data se