Security terms explained simply for business leaders. No jargon, no acronyms without explanation. Just clarity.
Deciding who in your organisation can access what - which systems, which files, which rooms. Like managing keys to your office: you decide who gets a key, which doors it opens, and you take it back when they leave. Good access control means people only have access to what they need for their job, nothing more.
Software that protects your computers from harmful programs. It scans files and emails for known threats and blocks them. Modern versions (often called "endpoint protection") do more - they watch for suspicious behaviour and can stop new threats they haven't seen before. Every computer in your business should have this running.
Proving you are who you say you are when logging in. Usually this means entering a password. Stronger authentication requires more proof - like a code sent to your phone as well as your password. The more valuable the system, the stronger the authentication should be.
Your plan for keeping copies of important business data so you can recover if something goes wrong - whether that's a computer failure, accidental deletion, or ransomware attack. A solid approach is the 3-2-1 rule: keep three copies of important data, store them on two different types of storage, with one copy kept somewhere offsite (like cloud storage).
Planning how your business keeps running when something disrupts normal operations - a cyber attack, power cut, flood, or key staff being unavailable. It means identifying which parts of your business are most critical and having plans ready to keep them working or get them back quickly.
Protecting your data and applications when they're hosted on external services like Microsoft 365, Google Workspace, or Amazon Web Services. The cloud provider secures their infrastructure, but you're responsible for configuring your account securely - things like who can access what, whether data is encrypted, and what gets logged.
A UK government-backed scheme that covers five basic security controls: firewalls, secure settings, access control, malware protection, and keeping software updated. Many government contracts require it. Cyber Essentials Plus adds a hands-on technical check.
Insurance that helps cover costs when something goes wrong - breach investigation, legal fees, notifying affected customers, business losses during downtime, and sometimes ransom payments. Premiums depend on your security practices, and insurers increasingly ask for evidence that you have proper controls before they'll cover you.
When someone who shouldn't have access gets hold of personal or sensitive information - whether by hacking, a lost laptop, or an employee error. Depending on where your customers are located, you may need to report serious breaches to regulators within tight timeframes. Beyond fines, breaches damage customer trust and can take years to recover from.
How your organisation handles personal information about customers, employees, and others. This includes what you collect, why you collect it, how long you keep it, who can access it, and individuals' rights to see or delete their data. Different countries have different laws - GDPR in the UK and EU, CCPA in California, and various others worldwide. Poor data privacy practices lead to regulatory fines and lost customer trust.
Your plan for getting computer systems back up after a major failure or attack. This means knowing which systems to restore first, how long recovery should take (your "recovery time objective"), and how much data loss you can tolerate (your "recovery point objective" - essentially, how recent your backups need to be).
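As an added worked example (not part of the original glossary), this Python snippet checks a constructed backup inventory against the 3-2-1 rule described above and the recovery point objective; the class, function and copy names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory: each entry is one copy of the same business data set.
# Names, media and timestamps are made up for this example.
@dataclass
class BackupCopy:
    name: str
    medium: str          # e.g. "disk", "tape", "cloud-object-storage"
    offsite: bool        # kept somewhere separate from the office and its network
    last_completed: datetime

def check_3_2_1(copies):
    """Return the 3-2-1 conditions that this set of copies fails (empty = OK)."""
    failures = []
    if len(copies) < 3:
        failures.append("fewer than three copies")
    if len({c.medium for c in copies}) < 2:
        failures.append("fewer than two storage types")
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")
    return failures

def max_data_loss(copies, now):
    """Age of the freshest copy: the most recent work you could lose on a restore."""
    return min(now - c.last_completed for c in copies)

def ransomware_recoverable(copies, now, rpo):
    """Ransomware on the office network typically encrypts onsite copies too,
    so only offsite copies count, and only if one is within the RPO."""
    return any(c.offsite and now - c.last_completed <= rpo for c in copies)

# Constructed point in time and inventory for the checks below.
NOW = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy("file-server-primary", "disk", False, NOW - timedelta(minutes=5)),
    BackupCopy("nas-snapshot", "disk", False, NOW - timedelta(hours=1)),
    BackupCopy("cloud-nightly", "cloud-object-storage", True, NOW - timedelta(hours=9)),
]
```

With this inventory the 3-2-1 rule passes, but a four-hour RPO would fail for the ransomware case because the only offsite copy is nine hours old.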
An EU regulation that came into effect in 2025, requiring financial services firms to manage technology risks properly, test their resilience, and report incidents.
Scrambling data so only someone with the right key can read it. Think of it as putting information in a locked box - even if someone steals the box, they can't see what's inside without the key. You should encrypt data when it's stored on devices ("at rest") and when it's being sent over the internet ("in transit"). If properly encrypted data is stolen, it would take an attacker an impractical amount of time to decode it - potentially thousands of years with current technology.
Security software that protects individual devices - laptops, desktops, phones, tablets. It goes beyond traditional antivirus to include behaviour monitoring (spotting suspicious activity), threat detection, and the ability to respond to attacks. Usually managed centrally by IT so they can see threats across all company devices.
A security barrier that sits between your network and the internet, controlling what traffic can come in and go out. It blocks connections that look suspicious or come from known bad sources. Think of it as a security guard checking everyone at the door. Every business needs one - either a physical device or software-based.
The EU law (also adopted in UK law) that governs how organisations handle personal data. It gives individuals rights over their data - to see it, correct it, delete it, or take it elsewhere. If you collect customer or employee data from people in the UK or EU, GDPR applies to you regardless of where your business is based. Non-compliance can result in fines up to 4% of global turnover.
Your plan for what to do when something goes wrong - a breach, attack, or system failure. Who gets called first? What gets shut down to stop the spread? Who talks to customers or regulators? Having a plan before an incident happens means you respond faster and make fewer panicked decisions.
The international standard for managing information security. Getting certified means an independent auditor has verified you have a proper security management system in place. Unlike SOC 2 (see below), ISO 27001 is pass/fail - if you don't meet the requirements, you don't get certified. Increasingly required by larger clients and for certain contracts.
Requiring two or more different proofs to log in - typically your password plus a code from your phone or an app. The idea is that even if someone steals your password, they still can't get in without also having your phone. Essential for email, cloud services, banking, and anything sensitive. Sometimes called "two-factor authentication" or "2FA."
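As an added example (not code from the original page), this Python snippet shows how the "code from your phone" works: a time-based one-time password following RFC 6238, and a login check that requires both the password and the code. The shared secret is the published RFC test-vector value, and the user record, salt and function names are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret (the RFC 4226/6238 test-vector secret, not a real one).
# In practice it is generated at enrolment and held by both the phone app and the server.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, timestamp: float, step: int = 30) -> str:
    """Time-based code (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, int(timestamp) // step)

def verify_totp(secret: bytes, submitted: str, timestamp: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current window and one either side to tolerate small clock drift
    between the phone and the server; compare in constant time."""
    counter = int(timestamp) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

# Constructed user record: a salted password hash plus the TOTP secret.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_secret": SECRET,
}

def login(password: str, code: str, timestamp: float = None) -> bool:
    """Both factors must pass: a stolen password alone is not enough."""
    if timestamp is None:
        timestamp = time.time()
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    password_ok = hmac.compare_digest(pw_hash, USER["pw_hash"])
    code_ok = verify_totp(USER["totp_secret"], code, timestamp)
    return password_ok and code_ok
```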
The umbrella term for any malicious software designed to harm you - viruses, ransomware, spyware, and more. Malware can steal your data, lock your files for ransom, spy on what you type, or use your computers to attack others. It typically arrives via email attachments, links in emails that take you to infected websites, dodgy downloads, or compromised websites.
Protecting your organisation's computer network from intruders and attacks. This includes using firewalls (see Firewall) to control traffic, separating sensitive systems from general ones, monitoring for unusual activity, and controlling who can connect to your network - including remote workers and guests.
Software that securely stores all your passwords and generates strong, random ones for each account. You only need to remember one master password to unlock the vault. Much more secure than using the same password everywhere or writing them on sticky notes. Most password managers can also automatically fill in your passwords on websites and apps, making them convenient as well as secure.
Keeping your software up to date with security fixes. When vendors like Microsoft or Apple discover security holes in their software, they release updates ("patches") to fix them. Attackers know about these holes too - so applying patches quickly is critical. Many breaches happen because known weaknesses (see Vulnerability Assessment) went unpatched for months.
Hiring ethical hackers to try to break into your systems, then report how they did it. They simulate real attacks to find weaknesses before criminals do. Usually done annually or after major system changes. More thorough than automated scanning because humans can chain together small issues into bigger problems.
Fake emails, texts, or calls designed to trick you into revealing passwords, clicking dangerous links, or transferring money. Attackers pretend to be trusted sources - your bank, your boss, a delivery company. Phishing is how most attacks start. Training staff to spot and report phishing attempts is one of your best defences.
A type of malware (see Malware) that encrypts your files and demands payment for the key to unlock them. Modern ransomware often steals your data first, threatening to publish it if you don't pay. Prevention is critical because recovery is painful - even paying doesn't guarantee you'll get your data back, and it funds further criminal activity.
A report from independent auditors examining how well your organisation protects information. The report evaluates five areas called "Trust Service Criteria".
The security risks that come from your suppliers, vendors, and partners. If they have access to your data or systems and those get breached, your information could be exposed. Many major breaches started with a supplier. You need to assess their security before sharing sensitive access, and keep checking they're maintaining standards.
Creates a secure, encrypted connection between a device and your company network, even over the public internet. Essential for remote workers accessing company systems from home or cafes. Protects data from being intercepted on public WiFi. Business VPNs are different from consumer privacy VPNs - they're about secure access, not hiding your browsing.
Scanning your systems to find security weaknesses before attackers do. Automated tools check for known problems, missing patches (see Patch Management), and misconfigured settings. Should be done regularly - at least every three months. Different from penetration testing, which involves humans actively trying to break in rather than just identifying potential weak spots.
A security approach that trusts no one by default - not even people already inside your network. Every time someone tries to access something, they must prove who they are and that they're authorised, regardless of where they're connecting from. "Never trust, always verify." Becoming essential as staff work from anywhere on any device.
Social Engineering
Tricking people into breaking security rules. This includes phishing emails, phone calls pretending to be IT support, or someone tailgating through a secure door. Attackers target people because they're often easier to fool than computer systems. Defence comes from training staff to verify requests and follow procedures even when someone sounds urgent or important.