Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Tips to Impress Your Assessor
The client-Assessor relationship is an important one. For a positive experience, you need to have good rapport and mutual trust. And the better your relationship, the easier your annual assessments will be to get through. Here’s a set of best practices to make the most of your relationship with your Assessor.
Hire the Right Assessor for You
If you’re looking for a new Assessor to work with, go into the process as if you were starting a dating relationship.
Every organization has its own corporate culture — some are more easy-going, others are more formal. The same exists on the Assessor side. Your choice of Assessor should be a great match for your organization’s culture, because you’re forming a relationship that is an important one to get right.
Start Your Relationship on the Right Foot
Once you’ve established the relationship and onboarded the Assessor, you may feel the need to have every T crossed and every I dotted before engaging with them. There’s often a kind of pressure to show the Assessor that you have all your sh*t together — very much like the family that tidies up around the house before the cleaning service arrives.
My recommendation is to let your Assessor see some of your mess right out of the gate. You don’t have to be ready for the assessment. Truthfully, the Assessor would be absolutely shocked if you were immediately ready — and they would probably dig deeper than usual to find the skeletons in the closet.
Instead, use your onboarding period as an opportunity to have important conversations about your current situation, how your company operates, scale and scope of the engagement, and other expectations. This ensures you start your relationship on the same page right out of the gate.
Communicate Your Commitment to Compliance
As you do the hard work of getting ready for the Assessment, you can go to your Assessor when you need their input about how to implement a control that will pass muster, especially if there are multiple approaches one could take. Since they’ll already have a good understanding of your organization, they can advise you more knowledgeably and with the appropriate context.
Some companies are hesitant to do this, because they don’t want to bother the Assessor, or because they don’t want to get caught doing something wrong. In fact, Assessors are glad to answer the occasional question, because it shows that you care about doing the right thing, and you want to make the Assessor’s job easier when it comes time for the annual assessment.
NOTE: These questions should be asked on a limited basis — if you need more hands-on help, you should hire a compliance Consultant.
Be Prepared for the Annual Assessment
When you’re ready for the assessment, make sure that you’re actually ready. There’s nothing that frustrates an Assessor more than a company that says they’re ready but they don’t have their act together. Their job is to come in, do the assessment, write up the results, and move on to the next gig. They aren’t there to hold your hand and guide you to the finish line. That’s a Consultant’s role.
So how do you know if you’re really ready for the annual assessment? If you’re leveraging TCT Portal, it will be obvious, because you’ll see that all of your evidence has been submitted and every assignment has been completed. All of your evidence is at your fingertips and you can produce it at a moment’s notice.
There’s nothing that impresses an Assessor more than a client that is well organized and has everything within reach. It communicates that you take compliance seriously and you’re on top of your responsibilities. And when your Assessor has confidence in you, the entire assessment goes much quicker and easier.
Above all, be respectful of the Assessor’s time. Be honest about your readiness so that they don’t get strung along for months with a continually moving engagement.
Make the Onsite Assessment Easy
When it comes time for the onsite assessment, your Assessor will typically have their own list of things they’ll want to see. Get a copy of that list and the topics they need to cover. Make sure you have everything ready to go — the agenda is lined up, you have designated people to cover each of the topics on the agenda, and there’s a backup person for each topic in case of an emergency.
Sit down with your team before the onsite visit and go over the agenda. Discuss expectations and make sure each person is clear on their role. Set expectations and answer any questions your team may have about the onsite visit in advance.
It even comes down to having the keys for all the locked rooms you’ll need to enter during the onsite inspection. Whatever will be needed during the visit, make sure it’s all set to go and within arm’s reach when the Assessor shows up.
When you have everything prepared ahead of time, with primary and secondary personnel in place, you’ll immediately score extra points with the Assessor. You’ve not only shown that you have your compliance act together, you’ve also demonstrated consideration for the Assessor. Onsite visits are hell on Assessors — they’re weary from travel, stuck in a hotel, separated from family, and mentally and physically exhausted. Every little consideration goes a long way in your favor.
Close the Loop Quickly
When the assessment is over, resolve any items for remediation as quickly as possible, but be reasonable with your timelines. Don’t delay. Before the onsite is over, coordinate with the Assessor when you’ll deliver the open items, and hit that date. Your Assessor has their own schedule to meet, so be respectful and fulfill your commitments.
TCT Portal Quick Tip: Easily Regulate User Access
You have certain people in various functions across your compliance team, and in some cases, it’s important to limit who has access to various types of sensitive data in TCT Portal. You also need to limit functionality to the appropriate individuals. TCT Portal makes role-based access easy to manage.
You can take an assignment in TCT Portal and give it to a single individual. But you can also assign a single item to multiple people. So, if you have a team of people who share the same role, you can assign select items to all of the people who could provision the required evidence.
In this scenario, everyone on the team gets the assignment reminders, and will continue to receive them until one of the members takes action and completes the task.
You also have the ability to turn a user on in Restricted Mode. Restricted Mode allows specified users to only see the items they are assigned to. Restricted Mode is highly customizable — you can restrict only selected users, and you can vary the restrictions on a case-by-case basis.
If your organization prefers to limit the visibility of certain people on their engagements, simply submit a request to TCT’s support team and we’ll show you how to use Restricted Mode.
What’s Going on in Security Today
Vanta bug exposed customers’ data to other customers
Vanta, a major player in the compliance space, pushed a product code change that caused private data from some of its customers to be exposed to other customers. Vanta stated that hundreds of their clients were impacted.
One client was told that its employee data had been exposed to a different client’s Vanta instance. Information such as names, roles, and MFA configuration settings was reportedly exposed to other client instances.
New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions
Qualys recently discovered two new vulnerabilities which can be chained to gain root privileges on major Linux distributions. The first is in SUSE 15’s PAM configuration: it lets a local attacker be treated as an “allow_active” user and then invoke Polkit actions that are normally reserved for someone physically present at the machine.
The second vulnerability chains off the first one: once an attacker holds “allow_active” status, the libblockdev service (used by udisks) allows that user to gain root privileges.
China breaks RSA encryption with a quantum computer, threatening global data security
While AI is taking the mainstream by storm, quantum computing is quietly redefining everything about computing. Chinese engineers, using a quantum computer built by D-Wave Systems, say they have factored a 22-bit RSA integer, which in theory amounts to decrypting RSA.
RSA encryption is heavily used across the computer industry as a security measure, especially in banking. While a 22-bit RSA integer is still small in the realm of RSA (many keys are 2048 bits or higher these days), this is an early step towards eventually breaking the encryption algorithm.
US Insurance Industry Warned of Scattered Spider Attacks
Google has officially warned insurance industry giants that Scattered Spider’s attacks are leaving the retail sector and moving towards the insurance industry. A Scattered Spider intrusion typically starts with a sophisticated social engineering campaign targeting multiple employees at the target organization. Once they obtain some of that information, they attempt to deliver ransomware payloads to carry out data theft and extortion.
Kali Linux 2025.2 released with 13 new tools, car hacking updates
Kali Linux has been around for years in the computer world. It is a Linux operating system that has several tools built into it for cyber offense and cyber defense purposes. The newest version, 2025.2, has 13 new tools built into it. There is a new interface, a new Kali Menu, and new hacking tools, including a car hacking toolset.
Newer and smarter cars can be probed by these toolsets and can potentially be breached, exposing sensitive information held in these internet-connected vehicles.
OpenAI to Help DoD With Cyber Defense Under New $200 Million Contract
OpenAI has opened up “OpenAI for Government,” a $200 million campaign designed to allow US government workers to enhance their work capabilities. This marks a major shift for the AI giant, as they are now officially working alongside the US government. This partnership will allow AI to start pioneering prototype capabilities in the AI frontier.