Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Q1 Security Insights 2026
Quick Take
On this insightful episode of Compliance Unfiltered, join the CU Guys as they delve into the essentials of security training and compliance for Q1 2026.
Discover the importance of regular security reminders, the role of incident response plans, and how to keep your organization vigilant against evolving threats. With practical tips and real-world examples, this episode is a must-listen for anyone looking to enhance their security posture and compliance strategies.
Tune in to stay ahead in the ever-changing landscape of cybersecurity.
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Keith Jackson to your compliance Rose Bowl, Mr. Adam Goslin. How the heck are you, sir?
I am doing good today, Todd. How about yourself?
I cannot complain. I truly cannot.
It is that time again, sir. That’s right, Q1 of 2026 security reminders. Security reminders, security training edition, as a matter of fact. Tell the folks all about it, Adam.
So, when it comes to training personnel on security best practices, there are a number of things that just kind of leap out to folks, right? You’ve got your security awareness training at hire, you’ve got annual security awareness refresher training, et cetera. So, in the event that your organization isn’t already doing those things, then by all means contact TCT, and we can get you pointed in the right direction.
But these are like the bare minimum type of thing. Various compliance requirements are going to mean there are various other things that should be done surrounding your security awareness and training program, not the least of which is security reminders, which is part of the reason why we do this kind of quarterly pod. We’ve got organizations that will leverage both the TCT pod and the TCT blog to supplement their security reminder stance for their organization. So that’s part of the reason why we do these, if you will. That said, if you can do reminders more often than quarterly, great. You want the personnel maintaining vigilance all the way throughout the year, et cetera.
But different organizations are going to have different types of directed training that need to cover, and/or should cover, additional facets that the organization wants to consider. So as an example, one of the areas that organizations will oftentimes kind of overlook is the fact that anybody on their team is a target. I mean, everybody’s got a LinkedIn, they say that they’re working for the company, et cetera. Because of that public association between the personnel and the organization itself, everybody is effectively a target, not only in their day-by-day work arena, but also in their personal lives as well. So everybody in the organization should not only be paying attention to security and compliance related stuff when it comes to work related elements, but also keep in mind that you could be the subject of a kind of indirect attack trying to get to the organization.
So keep that in mind. Every organization should have an incident response plan, and some type of requirement for doing associated testing, testing training, et cetera, each year with your personnel, with certain vendors, et cetera.
And so as part of that training, it is recommended to do a tabletop exercise to run through various scenarios, et cetera. But one of the big problems is that many organizations take on this notion that, oh, if I declared an incident, then it’s some type of sign of failure. And so they don’t declare low level incidents. They don’t exercise their program throughout the year.
But my recommendation to companies is to take a different approach. I’m never scared to declare an incident. That’s why you have the incident plan. So instead, declare incidents of varying degrees. Obviously, if you’ve got a holy moly issue going on, then you’re certainly going to declare an incident, but it could be as simple as somebody thought they lost their laptop, or somebody thought they lost their phone with the company email on it. It could be benign things like that. It could be traffic they’re seeing on their firewall, or a directed attack, or whatever it may be. Go ahead and declare the incidents, because here’s the cool part: when you go ahead and declare those incidents, not only are you exercising your incident plan, but the double bonus is that many audit and assessment firms that are going in and doing the annual assessment will look at that regular exercising of your incident response plan in the normal course of business as also checking the box for the annual security and compliance requirements for periodic training.
If you’re not doing that, then you look at folks and their normal day-by-day compliance practices, beyond any of the kind of official training opportunities. Make sure that you have a good training program for existing and new personnel so that they can get up to speed on their day-by-day compliance responsibilities. It’s important for folks to stay on top of their hardware inventory: every time new devices are purchased, the inventory should be updated. For some organizations, they’ll put those updates off, but it just leaves an error-prone possibility for a bunch of headaches when it comes to the end of the year. Did you remember to add everything to the inventory? Did you miss anything? You don’t want to have those out of whack, et cetera. So train your people on what the things are that they’re supposed to be doing to stay proactive with their security and compliance program as part of their day-by-day responsibilities.
That’s another important element that a lot of organizations kind of whitewash, if you will: software development. If your company is developing software, coding software, et cetera, then we’ve got the opportunity for doing secure development training, doing that on the various technologies and languages that the team is actually using, things along those lines. So if you are doing any coding, even scripting, then put your folks through the software development training. Another one that hits the folks in the PCI space is if your organization happens to have various point of sale or point of interaction (POS/POI) devices. Then you want to make sure that you’re rolling out training for those folks surrounding device inspections.
How are they being done? How are you logging the fact that those were accomplished? That kind of falls into a couple of different categories of training, but you’ve got that as well that goes into the mix. But for a lot of folks, they don’t really think through the whole myriad of training opportunities that they may have, you know what I mean?
I do. Now it’s time for a quick tip, Adam. Let’s give the folks a quick tip on how to unlock hidden TCT portal benefits.
Yeah, well, one of the things is that when you’ve got a platform you started over a decade ago, right, AKA the TCT portal. We first brought it up and put it online back in 2015. It was actually ready in 2014, but we put it online in 2015. And so this platform literally has had over a decade of usage, improvements, et cetera, that have been made to it. Every single year we have multiple functional releases. Those are being driven by client requests for features and functionality, et cetera, that they’d like to see in the platform. And so for those folks that have been on the TCT portal for a while, I’ll address them first, and remind me, I want to come back to those that are kind of new to the platform. For those that have been on the platform for a while, you may not even be cognizant of some of the new features, capabilities, et cetera.
So what I recommend folks do is, if you’re sitting there saying to yourself, there’s got to be a way to be able to do this better, I wonder if we could improve the efficiency of our existing program, then I would strongly recommend folks go back to the portal support team, sit down and have a conversation with them, talk through what it is you’re doing today, what it is you’d like to be able to do, things along those lines, and use the capability of the TCT team to help your organization further streamline your engagement. For those that are brand new to the platform, oftentimes, not even oftentimes, what we do is once we onboard somebody to the platform, we’ll spend several back-to-back weeks of kind of review and configuration and training and things along those lines. But then we’ll move that to every couple of weeks. Then we’ll move that to monthly for a period of time, until they’re settled in. So in many cases, the new folks that hit the platform have that opportunity built in.
But for those that have been here for a while, or maybe it’s been a while since you used the platform last, then by all means, go ahead and lean on the internal TCT support team to be able to give you some help and assistance. Because with every tweak, every streamline, every modification that we make, things get smoother, faster, better. I feel like I’m doing a million dollar man commercial here. We have the technology. We can rebuild him. It’s just a good way to go about doing it. So I think that gives a good enough feel for the listeners on that one.
Indeed it does. Now it’s time for What’s in the News? Listeners can access links to the various news stories by going to the TCT website at GetTCT.com.
Click on Resources and click on Security Reminders. Adam, what’s new in the news?
Well, let’s hope that you weren’t an Aflac customer. Aflac had a breach that they disclosed, and as luck would have it, right before Christmas, the incident investigation concluded, and they confirmed that they’re needing to notify over 22 million customers that things like names, addresses, Social Security numbers, dates of birth, driver’s licenses, health records, and other data were impacted and stolen. The other problem is it’s not just their direct customers, but it’s also any beneficiaries. Their information was also in this mix of stuff they got out there. So it’s not just the little guys that are struggling with old security and compliance stuff. You’re not alone out there.
Another one that was interesting: there was a new kind of MongoDB vulnerability that they found is being exploited in attacks. There’s a vulnerability called MongoBleed, where unauthenticated remote attackers can get into MongoDB servers and leak or extort sensitive information. This particular finding is impacting the zlib compression, which allows the attackers to read heap memory without being authenticated. There was a patch released on December 19th, but some of the data that could be extracted includes session tokens, passwords, API keys, and other sensitive info.
So for everybody, stay on top of your patching, all that fun stuff, and if you use MongoDB, go get that one applied as soon as you can. Then there was Fortinet bringing to light a re-warning, if you will. There was an old Fortinet vulnerability from 2020 that resurfaced on Christmas Eve of 2025, where it was allowing bypass of multi-factor authentication, not prompting when usernames were changed. So 2FA would need to be enabled locally on the software, and remote authentication via LDAP must be enabled. And the problem is they’ve got inconsistent case-sensitive matching for the local and remote usernames. That’s the root cause of the finding.
The issue is kind of disturbing because it was initially released in 2020, AKA five years ago, people, but they were finding that just in the US alone, they were able to confirm there are over a thousand systems that are still vulnerable. So it’s kind of eye-opening that people would leave those vulnerabilities out there. Another one: there’s a bring-your-own-vulnerable-driver attack. Basically, this is a gaining-popularity attack vector where they’ll gain access to a system and then go ahead and see what drivers are allowed by the operating system, and will then potentially enable or reinstate a particular vulnerable driver that may even have been removed from the system. But because the operating system says, oh, this is a valid driver to have on this platform, even though the machine may have had that driver turned off, the attackers are capable of going in and, depending on their level of access, reloading it, re-enabling it, and getting it back onto the system.
So it’s almost like a back door within the back door type of deal. But it’s something for folks to keep an eyeball on: if they’ve gone in and removed drivers from their systems and all of a sudden that driver reappears, then, what’s up with that?
And finally, traditional security frameworks are leaving organizations exposed to AI-specific attack vectors. Things like NIST CSF, ISO 27001, and CIS are three of the more commonly used industry standards and compliance frameworks, but they were created in a threat landscape that was different than today. So none of them have inclusions for AI and the threats that it may pose, et cetera. Certainly prompt injection is one example of a new AI-based attack, using natural language instead of SQL injection, cross-site scripting, or command injection, which are looking for specific patterns, characters, or known attack signatures. So it’s an example of how there are new AI threats and threat models that the modern cybersecurity world is kind of working to catch up to and to help protect against. So just waving the flag for the folks out there: keep the AI impacts in mind for your organization.
Most definitely. Hard to not have them front and center. You got that right. Parting shots and thoughts for the folks this week, sir?
Looking back on kind of the overview, there were a couple of different things that were related to patching, related to system configuration and its changing of states, et cetera. So those controls that organizations have in place for keeping their inventory up to date, making sure that they have patching across all of their various inventory items, and that we have controls in place for monitoring systems and changes that happen to them, given the fact that the attackers are bringing back drivers that are valid for the OS but had been specifically disabled by the organization.
Things like that: start putting your thinking cap on, leveraging the tools in your toolbox that you already have, to strengthen those and attempt to thwart these various new attack vectors that we’re starting to see surfacing and resurfacing.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
And I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.