Skip to content
Archived content. You are viewing v2 of SME Digital Advisor — the four-page terms reference (Terms, Translation, Asking, About). Go to current site →

Translation

Technical risk → business risk.

Sixteen examples of what cyber and IT reports actually say — and what each finding means for your business. After the examples, three rules for translating any report yourself.

What a technician says

“Your applications have SQL injection vulnerabilities.”

What it means for you

A flaw in one old internal system could allow someone to view, change, or delete business data.

What a technician says

“You are using SA credentials across multiple databases.”

What it means for you

One reused master password could give total control over your company databases.

What a technician says

“There is no segmentation between virtual servers.”

What it means for you

If one system is compromised, the attacker may be able to move into others — because everything is too closely connected.

What a technician says

“You have no CI/CD or deployment controls.”

What it means for you

“CI/CD” is the automated pipeline for testing and releasing changes. Without it, changes are made by hand. Mistakes are hard to prevent, hard to spot, and hard to reverse. There's no record of what changed when.

What a technician says

“Users are using AI to create Node.js applications.”

What it means for you

Staff are now able to create software that touches company data — even if they do not understand the risks.

What a technician says

“Several internet-facing servers have unpatched critical CVEs.”

What it means for you

Old, well-known holes are still open. Most ransomware doesn't use new techniques — it uses these old holes. Patching is the single most effective cyber activity, and it isn't being done.

What a technician says

“There is no MFA on privileged accounts.”

What it means for you

A single password — if leaked, guessed, or phished — gives the attacker full admin rights. MFA on admin accounts blocks the most common SME breach.

What a technician says

“Your backup tier is not immutable.”

What it means for you

If ransomware reaches your backup system, the backups themselves can be encrypted or deleted. You have a backup until the moment you need it.

What a technician says

“Your TLS configuration receives a B grade and uses TLS 1.1.”

What it means for you

The padlock in the browser doesn't actually protect customers the way it should. Older versions of the encryption can be broken.

What a technician says

“Stale accounts exist for users deprovisioned more than 6 months ago.”

What it means for you

People who left months ago can still log in. If their credentials were ever leaked, or guessed, they're a free way back in.

What a technician says

“Authentication endpoints have no rate limits.”

What it means for you

An attacker can attempt a password a million times until one works. Without limits, brute-force is just a matter of patience.

What a technician says

“Logging is local-only with no centralisation or retention.”

What it means for you

If you're attacked, you won't be able to tell what happened, how, or for how long. Insurance claims and ICO conversations both go badly when there's no log evidence.

What a technician says

“BYOD devices are not enrolled in MDM.”

What it means for you

Personal phones and laptops with company email are unmanaged. If one is lost, you can't wipe the work data; if one is hacked, you can't see it; if the owner leaves, the data goes with them.

What a technician says

“DNS is not under direct organisational control.”

What it means for you

Whoever holds your DNS records controls your email and your website. If that's your old IT supplier or a contractor, they have a lever you don't.

What a technician says

“Firewall rules have not been reviewed in 18 months.”

What it means for you

The internet keeps your front door — and the rules deciding who gets in are out of date. Old rules for staff who left, for tools you don't use, or for tests that never ended.

What a technician says

“There are 23 Power Automate flows running with no documentation.”

What it means for you

Important business automations live in one person's account with no oversight. If they leave, the flows stop — or worse, no one knows they ever existed until they stop.

Three rules for translating your own reports

  1. If a finding says “could allow” — ask: who, doing what, to which business outcome?
  2. If a finding says “best practice not followed” — ask: what does the worst case look like, in money?
  3. If a finding is a single acronym — ask: where does this live, who controls it, who would notice if it broke?