TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

Security Is Everyone’s Job

In a lot of organizations, people go under the assumption that security is an IT thing — it’s someone else’s job. But the stark reality is that security is ultimately the responsibility of every single person in the organization — from the CEO to the janitor. Everyone plays a role in protecting your company from bad actors.

For example, anyone can receive a phishing email that could grant access to your internal network. Or, anyone could innocently hold the door open for someone entering behind them, not realizing that person is a threat. 

Everyone in your company is an opportunity for a bad actor to gain access to sensitive data, so everyone in your organization is responsible for maintaining security. 

Train your employees

The actions, activity, and observances of each person play an important role in security and compliance. That means that each person needs to be properly trained in security and compliance.

Some departments play larger roles than others. There are departments with direct interactions with external individuals, such as sales, customer service, or purchasing. Some departments within the company play an active role in validations and checks related to security and compliance — for example, HR performs background checks or provisions requests for employees to gain access to various systems as part of their job role within the organization. 

At the end of the day, every employee within the company plays a part in protecting the company.

Report anything suspicious

You’ve heard the expression, “If you see something, say something.” That holds true when it comes to protecting your organization from data breaches. If you see a strange email, or a USB drive that doesn’t seem to belong, or a visitor looks out of place — report it to the central group that handles security and compliance and to your direct manager so they can assist with escalation.

The more that your organization acts as a cohesive group to protect your company, the more ably you’ll be able to keep your sensitive information safe from bad actors.

TCT proves compliance doesn't have to suck.

Check out the TCT podcast:

Listen Now

Quick Tip: How and When to Flip to PCI DSS 4.0.1

If you’re up and running in TCT Portal on a PCI v4.0 track, you can contact TCT and make a request to transition to version 4.0.1 at any time. It’s as simple as sending a message to Portal Support and asking for your PCI track to be transitioned.

PCI SSC released the PCI 4.0.1 changes to the compliance standard already — but they haven’t yet released the reporting templates for version 4.0.1. We expect them to be released sometime in Q3.

For right now, you can make the request to transition to PCI DSS 4.0.1, but there’s no harm in waiting until the reporting templates have been released. Once they’re released, I would recommend that you go ahead and make the transition if you haven’t already done so.

If you opt to make the transition to PCI 4.0.1 now, when the reporting templates are available, TCT will automatically refresh them for your track. You won’t have to do anything else.

The good news is that there are no reported control differences between version 4.0 and 4.0.1. The bulk of the changes are clarifications and recommendations.

What’s Going on in Security Today

ShinyHunters Hits Ticketmaster with Breach Impacting 560 Million Users 

Ticketmaster was breached by cybercrime syndicate ShinyHunters. This breach was said to have compromised a known estimated 560 million user accounts across TicketMaster, and LiveNation. There was an estimated 1.3 Terabytes of data exposed. The types of data exposed include names, emails, home addresses, phone numbers, and billing/card information.

Quarter of Firms Suffer an API-Related Breach 

There is a new report out from Salt Security, suggesting that 23% of organizations polled (250) were breached via production-based APIs. Of those polled, 95% stated they have suffered some form of API-related security issue in their environment, ranging from data exposure to denial of service, among others. This report also reveals that only 8% of organizations sampled feel their API strategy is “advanced.” That is a concerning trend heading into 2025.

‘ONNX’ MFA Bypass Targets Microsoft 365 Accounts 

A new PhaaS (Phishing as a service) operation is currently bypassing 2FA logins in financial institutions, compromising business emails. The threat actors are using embedded QR Codes in PDF attachments within emails to redirect targeted personnel to phishing URLs, where the data being requested would be input, causing a successful phishing campaign. This phishing campaign was eventually linked back to the ONNX store, which uses Telegram bots.

Microsoft Unveils Ways To Detect Compromised Devices In Your Organization 

Microsoft has introduced a new way to help detect compromised/hacked machines in organizations. Network Analysts, through Windows Defender, can search for “hidden desktops” using Windows Defender’s new “DesktopName” option. Organizations can now use “Advanced Hunting” queries to see every instance of a particular process, on a per-computer basis. This can give network administrators and security administrators a new tool for detecting and investigating potentially compromised machines.

Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw 

Cryptocurrency platform Kraken had a flaw in their website that was exploited by a security researcher and their friends. Essentially, they were able to leverage a bug in the funding portion of the platform, then deposited $4 into their account without actually completing the deposit. The researcher mentioned this bug to two others, and those two accounts extorted a combined $3 million from Kraken’s treasury (not client accounts).

TCT Portal

Get your
personalized demo

See what TCT Portal can do for your organization

Show Me

You may also like