TikTok Security Risks: The Ugly Truth and How to Protect Your Business Data

This post was updated on 6 March and 13 March 2025 to reflect recent political and cyber security developments regarding TikTok.

Are there TikTok security risks to business you should worry about?

Depends who you ask. And when.

This is how the world’s most powerful nation has handled the matter:

2020: Donald Trump considers TikTok a security threat to the USA and announces that the government is considering a ban.

2021: Joe Biden revokes Trump’s order, pending further government investigation.

2024: Joe Biden confirms government concerns via an act ordering TikTok’s owner ByteDance to divest (give up its ownership) due to alleged security concerns.

2025: In January, Donald Trump temporarily kicks this act into the long grass, allowing TikTok to continue business without divestment. However, in March, The Guardian reports Trump is in talks with four groups over the TikTok sale.

This convoluted approach may be highly confusing to businesses looking for clarity on this issue. And it’s pretty clear that the security concerns about TikTok are wrapped up with political ones; and possibly even the social media habits of presidents.

As a cyber security provider, we are looking at this issue from one perspective only: risk and security. Since we’re not in the business of keeping you in suspense, here’s our verdict: potential TikTok risks mean you should not allow the app on your business devices without a very good reason.

We’ll explain why below. We recommend you read on to understand TikTok security risks and do everything you can to keep your business safe.

First a little background…

What Exactly is TikTok?

TikTok is a wildly popular Chinese-owned video-sharing app that allows users to make and share short videos with other Tik-Tokers. It’s been around since 2016 and in 2025 had 955 million active users globally.

Video topics range from entertainment and dance to lifehacks and bite-sized learning. The typical TikTok user is under 24, although brands and businesses are quickly joining the bandwagon to appeal to a younger target audience.

Which is why we’re writing this for you…

What are the TikTok Security Risks?

Like almost all social media platforms, TikTok gives you fun stuff in exchange for permission to harvest data about you. We’ll talk about that harvesting in more detail below.

But many countries are particularly uncomfortable with TikTok because of its Chinese ownership (Beijing-based ByteDance) and the (currently) theoretical risk that the company could potentially share its customer data with the Chinese government. The platform has always insisted that it doesn’t share any data with those running the country. But then, say detractors, they would say that, wouldn’t they?

Meanwhile, Article Seven of China’s National Intelligence Law states that all Chinese organisations and citizens should ‘support, assist and co-operate’ with Chinese intelligence efforts.

Oh, right. Gosh.

Mmm…

How are Governments Reacting to TikTok Security Risks?

China’s rival India responded to perceived TikTok security risks by banning the platform in 2020. It saw the app and several others based in China as a national security threat.

America’s back-and-forth stance on a complete ban on TikTok, as outlined in our intro, continues to unfold.

Meanwhile, many governments around the world – including the UK, US, Australia, Canada, Belgium and Denmark – have banned the app from government devices and networks due to concerns that it could harvest confidential data.

But many, including the UK, have stopped there. In January 2025, Darren Jones, the chief secretary to the Treasury, said, ‘consumers who want to post videos of their cats or dancing, that doesn’t seem like a national security threat to me’.

It’s all a bit muddy, isn’t it? So let’s gather the evidence from a cyber security point of view, to see what TikTok has actually done that should concern us.

Whoops – TikTok Does Things it Says it Won’t Do 

If TikTok’s credibility was hanging by a thread due to governmental bans, two events have tipped it over the cliff in the cyber security community.

Since 2020, TikTok has tried to reassure people that Chinese employees can’t access the data of non-Chinese users.

But then in December 2022, ByteDance – owner of TikTok – confessed that its Beijing-based employees accessed the data of at least two US journalists, and a ‘small number’ of others. They were tracking their locations to check if they were meeting TikTok employees suspected of leaking information to the media.

Call us paranoid, but that sounds a lot like accessing the data of non-Chinese users. And rather ups the ante on TikTok security risks.

TikTok has since updated its privacy policy to say that European user data can be seen by its employees outside the continent including in China.

Meanwhile, the company was recently fined £12.7m by the UK Information Commissioner’s Office for illegally processing the data of over a million children who were using the platform without the consent of their parents.

That just sounds… terrible.

What Sort of Permissions does TikTok Require?

The model for many social media platforms is data harvesting for commercial profiling – for instance, finding out things about you so they can target ads and get you to buy stuff.

So, like most social media companies, TikTok will collect the following types of information from you:

  • personal details (username, email, mobile number, DOB and password)
  • payment information
  • information included in content you create such as photos, videos and location information
  • IP addresses, your operating system and network data
  • details on how you use the site, and who you talk to/message
  • your audio and video through your camera and microphone (common with most video sharing apps)

But there are permissions it requests that go above and beyond these that have raised eyebrows and for many amount to TikTok security risks. Most apps require permissions to a few data sets to function, but TikTok would have you believe that it requires access to all of them.

It asks to:

  • collect any content you create on the platform – even if you don’t publish it
  • share information with Facebook if you sign in that way
  • access all your phone contacts; connect to your Wi-Fi; know your exact location using GPS
  • keep the device turned on and automatically start the app when the device is powered on
  • access the contents of your clipboard and typing patterns, which can be used for identity verification.

Should I be Worried About this Data Harvesting?

TikTok, like many other social media apps, justifies its access to personal data with the ‘all the better to serve you with’ argument.

But, unlike many other mainstream social media apps, which are American, TikTok is Chinese owned. Many cyber security experts and governments fear that the Chinese state could weaponise personal information in times of conflict. For instance, they could use your data and preferences to spread misinformation or undertake corporate espionage.

It’s important to point out that these kinds of TikTok security risks are largely theoretical. At least for now.

Should I Allow My Staff to Access TikTok on Work Phones?

That’s down to your workplace policies. If you don’t allow other social media, obviously no.

If you do and want to let people use TikTok – perhaps you’re a media agency and it’s important for your work – then follow due diligence to minimise its ability to collect data (see next section).

The Intersys view is this: unless there’s a very special reason why your people need to access TikTok at work, leave well alone. We believe its methodology and track record so far suggest real and present TikTok security risks.

If you work in a highly regulated sector such as insurance, banking and finance, you need to be particularly vigilant about TikTok. Make sure you tighten your ‘bring your own device’ (BYOD) and work-from-home (WFH) policies to ensure that staff are not inadvertently exposing confidential business data via TikTok. 

Read the next section for details on how to do this. 

I’m Going to Use TikTok But I Also Acknowledge TikTok’s Security Risks. What Should I Do to Stay as Safe as Possible?

Take these immediate steps to minimise the amount of data TikTok can collect from your device. Many are based on the fundamental cyber security methodology called the ‘principle of least privilege’ (PoLP). Only give people/apps the information they need to know about you online to perform a task – nothing more.

Do remember, though, that limiting your permissions can affect your ability to access all the features of the app.

Review your TikTok security settings
  • Don’t share your phone contacts with TikTok. Check your current settings by clicking on your profile/Me, then on the three lines in the top right corner. Click on Settings and Privacy > Privacy > Sync Contacts. Ensure the button is turned off (grey not green).
  • Don’t link TikTok with your Facebook account. Follow the path settings above to > Privacy and turn off Sync Facebook Friends.
  • Minimise ad personalisation. To limit ad personalisation based on your behaviour go to Settings and Privacy > Privacy > Ads Personalization and turn off Use of Off-TikTok Activity for Ad Targeting.
  • Keep your profile anonymous.
    • Sign up with an alias ‘junk’ email not linked to your other important accounts or contacts. It’s easy to create one at Gmail.
    • You don’t need to add your phone number to set up an account, so don’t do it!
    • Don’t use your full name in your profile – or a handle you commonly use on other accounts – unless there’s a very good reason (for instance, your personal ‘brand’ is out there online and your TikTok account contributes to that). Where possible, go unique and anonymous.
  • Set your account to private. If you’re using TikTok for a select group – not strangers – go private. Go to Settings > Privacy > turn the Private Account toggle on.
  • Stop people you know finding you. If you don’t want people you know getting ‘Follow’ suggestions for your account, go to Settings and Privacy > Privacy > Suggest Your Account to Others and turn off.
  • Don’t ‘like’ things or follow people. Doing both of these gives the algorithm a huge amount of information about you. But remember, your page will still be personalised if you avoid these actions – the app will base what it shows you on demographic factors and how long you watch videos.
  • Don’t view or use the platform’s in-app browser to view third-party content – in our view, this is a genuine TikTok security risk. TikTok, like many other apps, can closely monitor content you view. In 2022, developer Felix Krause discovered TikTok injecting code that could record every single keystroke users made. Says Intersys MD Matthew Geyman, ‘Social media companies claim their in-app browsers protect you from threats and improve your experience. While there’s a grain of truth there, they conveniently leave out how it lets them track every website you visit and everything you do online. The real question is: do you trust these companies with that kind of power?’ Find out more about in-app browser security risks.
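
To make the in-app browser concern concrete, here is an added example (not from the original post, and not Felix Krause's tool) of how a web page can audit which input-related event listeners are registered on it. The function names and the list of watched events are assumptions chosen for illustration.

```javascript
// Added example: audit which input-related listeners get registered on a page.
// Runs in any JavaScript context that exposes EventTarget (browsers, Node 15+).
const WATCHED = new Set(["keydown", "keypress", "keyup", "input", "paste", "copy"]);
const observed = [];

// Wrap addEventListener so every registration for a watched event is recorded
// before being passed through unchanged. Returns a function that restores it.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED.has(type)) {
      observed.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // A few stack frames identify the script that made the registration.
        registeredFrom: (new Error().stack || "").split("\n").slice(2, 5).join("\n"),
      });
    }
    return original.call(this, type, listener, options);
  };
  return function uninstall() {
    proto.addEventListener = original;
  };
}

// Count recorded registrations per event type, e.g. { keydown: 2, paste: 1 }.
function summarizeObserved() {
  const counts = {};
  for (const entry of observed) {
    counts[entry.type] = (counts[entry.type] || 0) + 1;
  }
  return counts;
}
```

A wrapper like this only sees listeners registered after it is installed and in the same JavaScript context, so an empty result does not prove that nothing is listening.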

Use app protection policies on corporate mobile devices 

You can protect corporate data on employee mobile devices by rolling out app protection policies (APP). Intune app protection policies, for instance, are a great way to ringfence an organisation’s data in a Microsoft environment. By deploying these policies, you’ll be able to completely control the access and sharing of data by apps on mobile devices.

Some examples of the extra layer of protection that Intune app protection policies offer include:

  • Insisting on a PIN or fingerprint to access corporate email on a mobile device
  • Stopping users from copying and pasting corporate data into personal apps
  • Ensuring that only approved apps can have access to corporate data. 
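
One way to check that a policy actually enforces the protections listed above, as an added example (not Intersys or Microsoft code): it assumes the policy has been exported as JSON from Microsoft Graph and uses that resource's property names and enum values. The sample policy is constructed for illustration.

```javascript
// Added example: check an exported app protection policy for the three
// protections listed above. Property names and enum values are those of the
// Microsoft Graph managed app protection resource; the policy is constructed.
const samplePolicy = {
  displayName: "Constructed sample policy",
  pinRequired: true,
  allowedOutboundClipboardSharingLevel: "allApps",
  allowedOutboundDataTransferDestinations: "managedApps",
};

const CHECKS = [
  {
    setting: "pinRequired",
    ok: (v) => v === true,
    risk: "managed apps open without a PIN",
  },
  {
    setting: "allowedOutboundClipboardSharingLevel",
    ok: (v) => ["managedApps", "managedAppsWithPasteIn", "blocked"].includes(v),
    risk: "corporate data can be copied and pasted into personal apps",
  },
  {
    setting: "allowedOutboundDataTransferDestinations",
    ok: (v) => ["managedApps", "none"].includes(v),
    risk: "corporate data can be sent to apps outside the approved set",
  },
];

// Return one finding per failed check. A missing setting counts as a failure,
// so an incomplete export is never reported as compliant.
function auditPolicy(policy) {
  return CHECKS.filter((c) => !c.ok(policy[c.setting])).map((c) => ({
    setting: c.setting,
    value: policy[c.setting] === undefined ? "(not set)" : policy[c.setting],
    risk: c.risk,
  }));
}
```

Run against the constructed sample, the audit reports the clipboard setting only: copy and paste into personal apps is still allowed even though a PIN is enforced.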

Finally, you can browse TikTok without having an account at all. While the app will still gather some information such as your IP and device information, going account-free significantly reduces what it can get access to.

Intersys is a specialist cyber security provider offering everything from full security operation services to one-off rapid breach response to organisations under threat. We also offer cyber security training packages to organisations that include smart use of social media. To find out more, talk to an Intersys cyber security expert now.

Please note: future TikTok updates may result in differences in how you access settings. 
