Glossary

A second proof of identity (a code from your phone, a security key) on top of the password. Stops the most common SME breach — stolen-password attacks.

One login that opens many systems. Reduces password sprawl. Centralises the risk — if SSO is compromised, everything is.

The set of tools and rules deciding who can access what.

People get access based on their job, not their name. Easier to audit.

Accounts that can change other accounts, delete data, install software. The keys to the kingdom.

“Only allow admin login from inside the office or from a managed laptop.”

How one app gets permission to act on another. The scopes you grant matter.

Convenient. Means losing your account loses access to many things.

Creates and disables accounts when HR records change.

Often invisible for days. MFA + login alerts are the main defences.

Modern attack that bypasses MFA after sign-in.

Modern variants also steal data and threaten to leak it.

The most common cause of SME breaches.

Researched, personalised. Far more successful than generic phishing.

Targets directors who can authorise payments.

Often pretends to be a courier, bank, or HMRC.

“This is Microsoft / your bank.” Hang up and call back on a known number.

Trust and urgency are the levers.

Attacker takes over a real email account — usually finance or a director.

Verify changes by phone using a number from your records.

Most real-world breaches use old, well-known flaws on unpatched systems.

Your supplier's problem becomes your problem.

Flooding a website with junk traffic until it stops responding.

Rare with patched browsers but still happens.

Use your own plug at airports.

Unknown USB sticks go to IT, never into a work machine.

Ransomware, info-stealers, banking trojans, cryptominers.

Increasingly common. Why session-token theft bypasses MFA.

How long you can survive being down before it really hurts.

How much recent data you can afford to lose.

The minimum rule of thumb.

Critical for ransomware survival.

Test whether you have this or just file-level backups.

DR is the technical recovery. BCP is keeping the business running while DR happens.

What your IT supplier promises to do.

Outsourced IT — runs your systems for a monthly fee.

The place most breaches start.

The single most boring and most effective security activity.

Collects and watches security logs.

Modern antivirus that looks for suspicious behaviour, not just known viruses.

How two systems talk to each other.

Used by Zapier, Make, Power Automate.

Software that lets you enforce passcodes, encryption, and remote wipe on phones and laptops.

Where a website fetches a URL provided by the attacker. OWASP A10.

A list of every third-party library your application includes.

A filter sat in front of your website that blocks common attacks.

DNS record listing who's allowed to send email from your domain.

A cryptographic signature on outgoing email.

Tells receiving servers what to do when SPF or DKIM fails. Without DMARC at p=reject, criminals can impersonate your domain.

Trivially easy without SPF/DKIM/DMARC.

Lets your verified logo show next to emails.

Governs how you handle personal data. Applies to almost every business.

The UK domestic law alongside UK GDPR.

Wider than people think — includes business contact details.

The UK data protection regulator. Breach line: 0303 123 1113.

A structured review of risk when you do something new with personal data.

You must respond within one month.

The cookies + electronic marketing rules.

Cyber resilience law for “essential” and “important” services.

Five technical controls. Achievable in weeks.

Heavier-weight than Cyber Essentials.

Runs Cyber Essentials assessments.

Free, framework-style.

The non-profit behind the OWASP Top 10.

A list of what personal data you process, why, and for how long. GDPR Article 30 requirement.

Usually covers ransomware response, business interruption, customer notification.

Set it at a level you could absorb.

Your £1m policy may have a £100k sub-limit on social engineering.

If you discover a breach today that happened last year, the retroactive date decides whether you're covered.

Included with many cyber policies.

The technology behind ChatGPT, Claude, Copilot.

Common, even with good models.

A risk for AI that browses, reads emails, or uses tools on your behalf.

If a vendor trains on your prompts, your inputs become part of the model.

An AI that looks up your documents before answering.

Treat agents as junior staff with no probation.

You log in to use someone else's software.

You rent virtual servers.

You bring code; the platform runs it.

Most cloud breaches are misunderstanding this line.

Whoever owns the tenant owns your data.

Matters for GDPR and customer contracts.

An encrypted tunnel between two networks.

Still essential.

Who controls your DNS controls your email and website.

Expires — track the date.

Stops a compromise in one place spreading.

Practical version: MFA everywhere, conditional access, device compliance.

Stops brute-forcing of logins.

A web flaw that lets an attacker run malicious code in another user's browser.

Tricking a logged-in user's browser into making a request they didn't intend.