How to manage cyber threats posed by your phone

As the government bans TikTok on government officials’ phones, we consider why you should care and how you can stay protected.

There were more than a few eyebrows raised in March, when the Cabinet Office announced that it had introduced a precautionary ban on TikTok on government electronic devices, including laptops, tablets and mobile phones, across all departments. 

Since its launch in 2017, the short-form video-sharing app TikTok has gained around 1.5 billion active monthly users and been downloaded more than three billion times. That’s a lot of Gen Zers filming themselves lip-syncing to pop songs, performing dance routines or preparing meals. So what’s the harm?

Data concerns

As with most social media networks, TikTok collects a lot of information about its users. This includes location data, likes, the device being used, and online activity beyond the platform. ByteDance claims that Western user data is never accessed or stored inside China, though. 

At a national security level there may be genuine concerns, despite ByteDance’s assurances. After all, the app has been caught tracking journalists, as in the case of the Financial Times’ Cristina Criddle. Criddle set up a TikTok account named after and featuring videos of her cat Buffy on her personal mobile device. The account didn’t include her name or occupation, but TikTok ran her location data against those of employees to identify TikTok staff who had been speaking to the press.

The UK is not the first country to place restrictions on the app at a governmental level. The EU, US, Canada, Australia and Taiwan also harbour concerns about the user data that TikTok’s Chinese owner ByteDance demands, stores and shares. The main question is whether ByteDance shares data with the Chinese government. 

Possible threat to national security

According to the Cabinet Office’s press release, the move is to safeguard sensitive government information. The TikTok app requires user permission to allow access to data stored on a device, such as contacts, user content and geolocation data, which the company then collects and stores. 

Having spent most of his career in the intelligence sector, Chris Brown, Principal Lead Consultant at cyber security consultancy Bridewell, says that national decisions and restrictions are not made without clear and concise analysis of the threat environment.  

“Therefore, when deciding to restrict particular applications or systems at this level, it is highly likely that the risk and impact for both critical national infrastructure and the wider community are deemed high,” he says. 

“While global social media applications such as TikTok offer exciting opportunities for connectivity and engagement, their usage within government departments raises some major concerns. The key consideration and major areas of analysis will be data privacy and security, geopolitical risks, national security and espionage, employee conduct and productivity, and compliance with legal and ethical standards.”

An effective ban?

Professor and Consultant Peter Cochrane OBE is slightly more sceptical as to the reasons behind the decision, and ultimately its effectiveness. “I can’t see what the big deal is. If GCHQ had confirmed a threat and advertised what that was, I’d be much happier.” 

He also points out how trying to control the internet is never an easy task and how bans might simply be ineffective when virtual private networks (VPNs) exist. “Even in China, where they have the Great Firewall, kids aren’t looking at the China news, they look at US news – they’ve all got VPNs. Banning anything on the internet is jolly difficult. People have tried to ban the dark web, you can’t do it, not unless you cut yourself off from the whole world.”

Why TikTok? 

Understandably, the government is concerned about how data might be used. Indeed, its press release states that “other data-extracting apps will be kept under review”, which is the real crux of the issue, says BCS (The Chartered Institute for IT) member and cyber security expert Lisa Forte, a Partner at Red Goat Cyber Security.

Mobile device management

So why should you care, and what should you do to protect yourself?

“All social media applications are extremely aggressive in their data collection behaviours. Banning TikTok, but not Instagram for instance, makes the impact of the action extremely low. These are work devices. It is a hallmark of mobile device management – that you have only the applications you need to do your job on that work device. This means that social apps, photo editing apps and games are not appropriate. I think banning TikTok was a good move, but it is ineffective if you don’t also ban Instagram and similar apps,” says Forte.

This is a point shared by Daniel Omisore FMAAT, Director of Finance at Camden Council with 10 years of public sector experience. “Data security and the use of data has been widely discussed in local government. The risk to finance and IT systems is higher following several councils suffering cyber attacks recently. If TikTok becomes banned more widely there may be a need to review data policy laws across all platforms, not just one.” 

Should businesses follow the government’s lead? 

Cochrane says there is a general lack of understanding of the severity of the threat to business from cyber security, so instead of firefighting or focusing solely on individual threats, like TikTok, taking a holistic and serious approach to cyber security should be a priority. 

“There is never a day when there isn’t a risk. The investment in cyber security is in antithesis to the actual threat that’s out there,” he says. 

And more specifically with regards to managing security on work devices, Forte is unequivocal: “You should not have any applications on a work device that you don’t need to do your job. That is basic cyber security hygiene. Businesses should ensure that this is the case with any phones, tablets or laptops they issue to employees. Businesses should have clear policies in place to stop employees downloading or using any app that isn’t necessary for their job, and this extends to all social media applications.”

Considering the growing trend of bringing your own devices (BYOD) to work, meaning people’s personal devices are doubling up as work devices, Omisore believes AAT members should be trained in data security and the appropriate saving of confidential information to ensure nothing business sensitive is exposed via personal devices.  

“There is nothing stopping anyone from creating accounts on personal devices, but if business accounts are accessed through these, appropriate training would be useful and relevant,” he says.

Takeaways

  • Invest in cyber security software and training
  • Learn about and stay up to date on data security
  • Do not download any applications (especially social media) to a work device that aren’t required for the job
  • Ensure nothing business sensitive is saved on personal devices used to access business accounts

Neil Johnson is a freelance business journalist who contributes regularly to trade publications and member organisations, covering employability, recruitment, business trends and industrial analysis.
