Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Translation

Technical risk → business risk.

Sixteen examples of what cyber and IT reports actually say — and what each finding means for your business. After the examples, three rules for translating any report yourself.

What a technician says

“You have no CI/CD or deployment controls.”

What it means for you

“CI/CD” is the automated pipeline for testing and releasing changes. Without it, changes are made by hand. Mistakes are hard to prevent, hard to spot, and hard to reverse. There's no record of what changed when.

What a technician says

“Several internet-facing servers have unpatched critical CVEs.”

What it means for you

Old, well-known holes are still open. Most ransomware doesn't use new techniques — it uses these old holes. Patching is the single most effective cyber activity, and it isn't being done.

What a technician says

“Your TLS configuration receives a B grade and uses TLS 1.1.”

What it means for you

The padlock in the browser doesn't actually protect customers the way it should. Older versions of the encryption can be broken.

What a technician says

“Stale accounts exist for users deprovisioned more than 6 months ago.”

What it means for you

People who left months ago can still log in. If their credentials were ever leaked, or guessed, they're a free way back in.

What a technician says

“Logging is local-only with no centralisation or retention.”

What it means for you

If you're attacked, you won't be able to tell what happened, how, or for how long. Insurance claims and ICO conversations both go badly when there's no log evidence.

What a technician says

“BYOD devices are not enrolled in MDM.”

What it means for you

Personal phones and laptops with company email are unmanaged. If one is lost, you can't wipe the work data; if one is hacked, you can't see it; if the owner leaves, the data goes with them.

What a technician says

“DNS is not under direct organisational control.”

What it means for you

Whoever holds your DNS records controls your email and your website. If that's your old IT supplier or a contractor, they have a lever you don't.

What a technician says

“Firewall rules have not been reviewed in 18 months.”

What it means for you

The internet keeps your front door — and the rules deciding who gets in are out of date. Old rules for staff who left, for tools you don't use, or for tests that never ended.

What a technician says

“There are 23 Power Automate flows running with no documentation.”

What it means for you

Important business automations live in one person's account with no oversight. If they leave, the flows stop — or worse, no one knows they ever existed until they stop.

Three rules for translating your own reports

  1. If a finding says “could allow” — ask: who, doing what, to which business outcome?
  2. If a finding says “best practice not followed” — ask: what does the worst case look like, in money?
  3. If a finding is a single acronym — ask: where does this live, who controls it, who would notice if it broke?