Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Glossary

Jargon, in plain English.

A working dictionary of the IT, cyber and AI terms SME owners run into. Every term is deep-linkable.

Identity & access

MFA · Multi-Factor Authentication.

A second proof of identity (a code from your phone, a security key) on top of the password. Stops the most common SME breach — stolen-password attacks.

#mfa

SSO · Single Sign-On.

One login that opens many systems. Reduces password sprawl. Centralises the risk — if SSO is compromised, everything is.

#sso

IAM · Identity and Access Management.

The set of tools and rules deciding who can access what.

#iam

RBAC · Role-Based Access Control.

People get access based on their job, not their name. Easier to audit.

#rbac

Privileged access · Admin / superuser rights.

Accounts that can change other accounts, delete data, install software. The keys to the kingdom.

#privileged-access

Conditional access · Login rules that depend on context.

“Only allow admin login from inside the office or from a managed laptop.”

#conditional-access

OAuth · “Sign in with…” under the bonnet.

How one app gets permission to act on another.

#oauth

Federated identity · Your identity, used in someone else's system.

Convenient. Means losing your account loses access to many things.

#federation

SCIM · Auto-sync of user accounts across SaaS tools.

Creates and disables accounts when HR records change.

#scim

Account takeover (ATO) · When an attacker controls a real user account.

Often invisible for days.

#ato

Token / session theft · Stealing the “logged-in” cookie, not the password.

Modern attack that bypasses MFA after sign-in.

#token-theft

Threats & attacks

Ransomware · Malware that encrypts your files and demands a payment.

Modern variants also steal data and threaten to leak it.

#ransomware

Phishing · Fraudulent emails or messages that trick people.

The most common cause of SME breaches.

#phishing

Spear phishing · Phishing targeted at a specific person.

Researched, personalised. Far more successful than generic phishing.

#spear-phishing

Whaling · Spear phishing aimed at executives.

Targets directors who can authorise payments.

#whaling

Smishing · Phishing via SMS / text message.

Often pretends to be a courier, bank, or HMRC.

#smishing

Vishing · Phishing via phone call.

“This is Microsoft / your bank.” Hang up and call back on a known number.

#vishing

Social engineering · Manipulating a person rather than a system.

Trust and urgency are the levers.

#social-engineering

BEC · Business Email Compromise.

Attacker takes over a real email account — usually finance or a director.

#bec

Payroll diversion · Fraudster impersonates an employee asking to change bank details.

Verify changes by phone using a number from your records.

#payroll-diversion

Zero-day · A flaw being exploited before there is a fix.

Most real-world breaches use old, well-known flaws on unpatched systems.

#zero-day

Supply-chain attack · Attacking you via one of your suppliers.

Your supplier's problem becomes your problem.

#supply-chain

DDoS · Distributed Denial of Service.

Flooding a website with junk traffic until it stops responding.

#ddos

Drive-by download · Malware that infects you by visiting a website.

Rare with patched browsers but still happens.

#drive-by

Juice jacking · Compromised public USB charging points.

Use your own plug at airports.

#juice-jacking

USB drop · An attacker leaves an infected USB stick somewhere staff will find it.

Unknown USB sticks go to IT, never into a work machine.

#usb-drop

Malware · Malicious software — the umbrella term.

Ransomware, info-stealers, banking trojans, cryptominers.

#malware

Info-stealer · Malware whose job is to harvest passwords, cookies, and tokens.

Increasingly common. Why session-token theft bypasses MFA.

#info-stealer

Backup & recovery

RTO · Recovery Time Objective.

How long you can survive being down before it really hurts. Usually shorter than people assume.

#rto

RPO · Recovery Point Objective.

How much recent data you can afford to lose. “The last hour” vs “the last day” needs very different backup setups.

#rpo

3-2-1 backup · Three copies, two media, one off-site.

The minimum rule of thumb.

#3-2-1-backup

Immutable backup · A backup that cannot be changed or deleted after writing.

Critical for ransomware survival — the attacker can't encrypt the backups too.

#immutable-backup

Bare-metal restore · Rebuilding a server from scratch using backup.

Test whether you have this or just file-level backups.

#bare-metal-restore

DR / BCP · Disaster Recovery & Business Continuity Planning.

DR is the technical recovery. BCP is keeping the business running while DR happens.

#dr-bcp

Operations

SIEM · Security Information and Event Management.

Collects and watches security logs.

#siem

EDR · Endpoint Detection and Response.

Modern antivirus that looks for suspicious behaviour, not just known viruses.

#edr

API · Application Programming Interface.

How two systems talk to each other. Treat API keys like passwords.

#api

Webhook · An automated notification one system sends another.

Used by Zapier, Make, Power Automate.

#webhook

MDM · Mobile Device Management.

Software that lets you enforce passcodes, encryption, and remote wipe on phones and laptops.

#mdm

SSRF · Server-Side Request Forgery.

Where a website fetches a URL provided by the attacker. OWASP A10.

#ssrf

SBOM · Software Bill of Materials.

A list of every third-party library your application includes.

#sbom

WAF · Web Application Firewall.

A filter sat in front of your website that blocks common attacks.

#waf

CI/CD · Continuous Integration / Continuous Deployment.

The automated pipeline that tests and releases code changes. Without it, changes are made by hand — mistakes are hard to prevent and hard to reverse.

#ci-cd

Email security

SPF · Sender Policy Framework.

DNS record listing who's allowed to send email from your domain.

#spf

DKIM · DomainKeys Identified Mail.

A cryptographic signature on outgoing email.

#dkim

DMARC · Email authentication policy.

Tells receiving servers what to do when SPF or DKIM fails. Without DMARC at p=reject, criminals can impersonate your domain.

#dmarc

Email spoofing · Forging the “From” field of an email.

Trivially easy without SPF/DKIM/DMARC.

#email-spoofing

BIMI · Brand Indicators for Message Identification.

Lets your verified logo show next to emails.

#bimi

Data & compliance

GDPR · UK / EU data protection law.

Governs how you handle personal data. Applies to almost every business.

#gdpr

DPA 2018 · Data Protection Act 2018.

The UK domestic law alongside UK GDPR.

#dpa-2018

Personal data · Information about an identifiable person.

Wider than people think.

#personal-data

ICO · Information Commissioner's Office.

The UK data protection regulator. Breach line: 0303 123 1113.

#ico

DPIA · Data Protection Impact Assessment.

A structured review of risk when you do something new with personal data.

#dpia

DSAR / Subject Access Request · When someone asks for the data you hold on them.

You must respond within one month.

#dsar

PECR · Privacy and Electronic Communications Regulations.

The cookies + electronic marketing rules.

#pecr

NIS / NIS 2 · Network and Information Systems Regulations.

Cyber resilience law for “essential” and “important” services. Most SMEs aren't in scope — but you may be if you're a supplier to one.

#nis

Cyber Essentials · UK government-backed minimum cyber standard.

Five technical controls. Achievable in weeks.

#cyber-essentials

ISO 27001 · International information-security management standard.

Heavier-weight than Cyber Essentials.

#iso-27001

IASME · Cyber-security certification body.

Runs Cyber Essentials assessments.

#iasme-glossary

CIS Controls · A prioritised list of cyber controls.

Free, framework-style.

#cis-controls

OWASP · Open Web Application Security Project.

The non-profit behind the OWASP Top 10.

#owasp-org

ROPA · Record of Processing Activities.

A list of what personal data you process, why, and for how long. UK GDPR Article 30 requirement for most businesses.

#ropa

OFSI · Office of Financial Sanctions Implementation.

Part of HM Treasury. Enforces UK sanctions — including the rule that paying ransom to a sanctioned entity is a strict-liability criminal offence.

#ofsi

PCI DSS · Payment Card Industry Data Security Standard.

Applies to any business that takes card payments. Most SMEs comply through their payment processor (e.g. Stripe handles the heavy lifting), but you still have a responsibility for how cards are handled in your business.

#pci-dss

EU AI Act · EU regulation on artificial intelligence.

Phasing in 2025–2027. Most SME use of AI is low-risk; high-risk uses (recruitment, credit decisions, healthcare) face stricter rules. Applies to UK firms selling AI services into the EU.

#ai-act

Insurance

Cyber insurance · Insurance against cyber incidents.

Usually covers ransomware response, business interruption, customer notification.

#cyber-insurance

Deductible / Excess · What you pay before the policy pays.

Set it at a level you could absorb.

#deductible

Sub-limit · A cap inside a cap.

Your £1m policy may have a £100k sub-limit on social engineering.

#sub-limit

Retroactive date · How far back a policy will look.

If you discover a breach today that happened last year, the retroactive date decides whether you're covered.

#retroactive-date

IR retainer · A pre-paid incident response engagement.

Included with many cyber policies.

#incident-response-retainer

AI

LLM · Large Language Model.

The technology behind ChatGPT, Claude, Copilot.

#llm

Hallucination · When an AI confidently invents an incorrect answer.

Common, even with good models.

#hallucination

Prompt injection · Hostile instructions hidden in data the AI reads.

A risk for AI that browses, reads emails, or uses tools on your behalf.

#prompt-injection

Training data · What the AI learned from.

If a vendor “trains on your prompts,” your inputs become part of the model.

#training-data

RAG · Retrieval-Augmented Generation.

An AI that looks up your documents before answering.

#rag

AI agent · An AI that can take actions, not just answer.

Browses the web, runs code, sends emails. Treat agents as junior staff with no probation.

#ai-agent

Cloud

SaaS · Software as a Service.

You log in to use someone else's software.

#saas

IaaS · Infrastructure as a Service.

You rent virtual servers.

#iaas

PaaS · Platform as a Service.

You bring code; the platform runs it.

#paas

Shared responsibility model · What the cloud provider does vs what you do.

Cloud providers protect the platform. You protect your accounts, data, and configurations. Most cloud breaches are misunderstanding this line — including the fact that Microsoft does not back up your Microsoft 365 data.

#shared-responsibility

Tenant · Your isolated slice of a shared cloud service.

Whoever owns the tenant owns your data.

#tenant

Data residency · Where your data physically lives.

Matters for GDPR and customer contracts.

#data-residency

Network & web

VPN · Virtual Private Network.

An encrypted tunnel between two networks.

#vpn

Firewall · Network filter that allows or blocks traffic.

Still essential.

#firewall

DNS · The internet's address book.

Who controls your DNS controls your email and website.

#dns

TLS / SSL certificate · The padlock in your browser.

Proves the website is who it says it is and encrypts the connection. Expires — track the date.

#tls

Network segmentation · Splitting one network into several.

Stops a compromise in one place spreading.

#network-segmentation

Zero trust · Don't trust anything by default.

Practical version: MFA everywhere, conditional access, device compliance.

#zero-trust

Rate limiting · Capping how often something can be tried.

Stops brute-forcing of logins, password resets, payment attempts.

#rate-limiting

XSS · Cross-site scripting.

A web flaw that lets an attacker run malicious code in another user's browser.

#xss

CSRF · Cross-site request forgery.

Tricking a logged-in user's browser into making a request they didn't intend.

#csrf