Terms
Terms.
Plain-English definitions of the technology, security, data, AI and cloud terms SME owners and directors run into. Each entry is deep-linkable.
Identity & access
MFA · Multi-Factor Authentication.
A second proof of identity (a code from your phone, a security key) on top of the password. Stops the most common SME breach — stolen-password attacks.
#mfaSSO · Single Sign-On.
One login that opens many systems. Reduces password sprawl. Centralises the risk — if SSO is compromised, everything is.
#ssoRBAC · Role-Based Access Control.
People get access based on their job, not their name. Easier to audit.
#rbacPrivileged access · Admin / superuser rights.
Accounts that can change other accounts, delete data, install software. The keys to the kingdom.
#privileged-accessConditional access · Login rules that depend on context.
“Only allow admin login from inside the office or from a managed laptop.”
#conditional-accessFederated identity · Your identity, used in someone else's system.
Convenient. Means losing your account loses access to many things.
#federationSCIM · Auto-sync of user accounts across SaaS tools.
Creates and disables accounts when HR records change.
#scimAccount takeover (ATO) · When an attacker controls a real user account.
Often invisible for days.
#atoToken / session theft · Stealing the “logged-in” cookie, not the password.
Modern attack that bypasses MFA after sign-in.
#token-theftThreats & attacks
Ransomware · Malware that encrypts your files and demands a payment.
Modern variants also steal data and threaten to leak it.
#ransomwarePhishing · Fraudulent emails or messages that trick people.
The most common cause of SME breaches.
#phishingSpear phishing · Phishing targeted at a specific person.
Researched, personalised. Far more successful than generic phishing.
#spear-phishingVishing · Phishing via phone call.
“This is Microsoft / your bank.” Hang up and call back on a known number.
#vishingBEC · Business Email Compromise.
Attacker takes over a real email account — usually finance or a director.
#becPayroll diversion · Fraudster impersonates an employee asking to change bank details.
Verify changes by phone using a number from your records.
#payroll-diversionZero-day · A flaw being exploited before there is a fix.
Most real-world breaches use old, well-known flaws on unpatched systems.
#zero-daySupply-chain attack · Attacking you via one of your suppliers.
Your supplier's problem becomes your problem.
#supply-chainDDoS · Distributed Denial of Service.
Flooding a website with junk traffic until it stops responding.
#ddosDrive-by download · Malware that infects you by visiting a website.
Rare with patched browsers but still happens.
#drive-byUSB drop · An attacker leaves an infected USB stick somewhere staff will find it.
Unknown USB sticks go to IT, never into a work machine.
#usb-dropMalware · Malicious software — the umbrella term.
Ransomware, info-stealers, banking trojans, cryptominers.
#malwareInfo-stealer · Malware whose job is to harvest passwords, cookies, and tokens.
Increasingly common. Why session-token theft bypasses MFA.
#info-stealerBackup & recovery
RTO · Recovery Time Objective.
How long you can survive being down before it really hurts. Usually shorter than people assume.
#rtoRPO · Recovery Point Objective.
How much recent data you can afford to lose. “The last hour” vs “the last day” needs very different backup setups.
#rpoImmutable backup · A backup that cannot be changed or deleted after writing.
Critical for ransomware survival — the attacker can't encrypt the backups too.
#immutable-backupBare-metal restore · Rebuilding a server from scratch using backup.
Test whether you have this or just file-level backups.
#bare-metal-restoreDR / BCP · Disaster Recovery & Business Continuity Planning.
DR is the technical recovery. BCP is keeping the business running while DR happens.
#dr-bcpOperations
Patching · Applying security updates.
The single most boring and most effective security activity.
#patchingEDR · Endpoint Detection and Response.
Modern antivirus that looks for suspicious behaviour, not just known viruses.
#edrAPI · Application Programming Interface.
How two systems talk to each other. Treat API keys like passwords.
#apiWebhook · An automated notification one system sends another.
Used by Zapier, Make, Power Automate.
#webhookMDM · Mobile Device Management.
Software that lets you enforce passcodes, encryption, and remote wipe on phones and laptops.
#mdmSSRF · Server-Side Request Forgery.
Where a website fetches a URL provided by the attacker. OWASP A10.
#ssrfSBOM · Software Bill of Materials.
A list of every third-party library your application includes.
#sbomWAF · Web Application Firewall.
A filter sat in front of your website that blocks common attacks.
#wafCI/CD · Continuous Integration / Continuous Deployment.
The automated pipeline that tests and releases code changes. Without it, changes are made by hand — mistakes are hard to prevent and hard to reverse.
#ci-cdEmail security
DMARC · Email authentication policy.
Tells receiving servers what to do when SPF or DKIM fails. Without DMARC at p=reject, criminals can impersonate your domain.
#dmarcEmail spoofing · Forging the “From” field of an email.
Trivially easy without SPF/DKIM/DMARC.
#email-spoofingBIMI · Brand Indicators for Message Identification.
Lets your verified logo show next to emails.
#bimiData & compliance
GDPR · UK / EU data protection law.
Governs how you handle personal data. Applies to almost every business.
#gdprICO · Information Commissioner's Office.
The UK data protection regulator. Breach line: 0303 123 1113.
#icoDPIA · Data Protection Impact Assessment.
A structured review of risk when you do something new with personal data.
#dpiaDSAR / Subject Access Request · When someone asks for the data you hold on them.
You must respond within one month.
#dsarPECR · Privacy and Electronic Communications Regulations.
The cookies + electronic marketing rules.
#pecrNIS / NIS 2 · Network and Information Systems Regulations.
Cyber resilience law for “essential” and “important” services. Most SMEs aren't in scope — but you may be if you're a supplier to one.
#nisCyber Essentials · UK government-backed minimum cyber standard.
Five technical controls. Achievable in weeks.
#cyber-essentialsISO 27001 · International information-security management standard.
Heavier-weight than Cyber Essentials.
#iso-27001ROPA · Record of Processing Activities.
A list of what personal data you process, why, and for how long. UK GDPR Article 30 requirement for most businesses.
#ropaOFSI · Office of Financial Sanctions Implementation.
Part of HM Treasury. Enforces UK sanctions — including the rule that paying ransom to a sanctioned entity is a strict-liability criminal offence.
#ofsiPCI DSS · Payment Card Industry Data Security Standard.
Applies to any business that takes card payments. Most SMEs comply through their payment processor (e.g. Stripe handles the heavy lifting), but you still have a responsibility for how cards are handled in your business.
#pci-dssEU AI Act · EU regulation on artificial intelligence.
Phasing in 2025–2027. Most SME use of AI is low-risk; high-risk uses (recruitment, credit decisions, healthcare) face stricter rules. Applies to UK firms selling AI services into the EU.
#ai-actInsurance
Cyber insurance · Insurance against cyber incidents.
Usually covers ransomware response, business interruption, customer notification.
#cyber-insuranceDeductible / Excess · What you pay before the policy pays.
Set it at a level you could absorb.
#deductibleSub-limit · A cap inside a cap.
Your £1m policy may have a £100k sub-limit on social engineering.
#sub-limitRetroactive date · How far back a policy will look.
If you discover a breach today that happened last year, the retroactive date decides whether you're covered.
#retroactive-dateIR retainer · A pre-paid incident response engagement.
Included with many cyber policies.
#incident-response-retainerAI
Hallucination · When an AI confidently invents an incorrect answer.
Common, even with good models.
#hallucinationPrompt injection · Hostile instructions hidden in data the AI reads.
A risk for AI that browses, reads emails, or uses tools on your behalf.
#prompt-injectionTraining data · What the AI learned from.
If a vendor “trains on your prompts,” your inputs become part of the model.
#training-dataAI agent · An AI that can take actions, not just answer.
Browses the web, runs code, sends emails. Treat agents as junior staff with no probation.
#ai-agentCloud
Tenant · Your isolated slice of a shared cloud service.
Whoever owns the tenant owns your data.
#tenantData residency · Where your data physically lives.
Matters for GDPR and customer contracts.
#data-residencyNetwork & web
TLS / SSL certificate · The padlock in your browser.
Proves the website is who it says it is and encrypts the connection. Expires — track the date.
#tlsNetwork segmentation · Splitting one network into several.
Stops a compromise in one place spreading.
#network-segmentationZero trust · Don't trust anything by default.
Practical version: MFA everywhere, conditional access, device compliance.
#zero-trustRate limiting · Capping how often something can be tried.
Stops brute-forcing of logins, password resets, payment attempts.
#rate-limitingXSS · Cross-site scripting.
A web flaw that lets an attacker run malicious code in another user's browser.
#xssCSRF · Cross-site request forgery.
Tricking a logged-in user's browser into making a request they didn't intend.
#csrf
Social engineering · Manipulating a person rather than a system.
Trust and urgency are the levers.
#social-engineering