Plain-English guide

Cyber security, explained

Do you know your phishing from your firewall? You are not alone. Cyber security has more jargon than almost any other part of running a business, and most of it is written for IT departments, not the people who actually have to make the decisions. This is a plain-English guide to the terms you will actually meet, what each one means, and why it matters to a small business. No sales pitch, no scare tactics, just clear answers.

Antivirus
Software that detects and removes malicious programs (viruses, ransomware, spyware and the rest). Modern tools do more than scan files; the better ones watch how programs behave and stop anything acting suspiciously. Every Windows and Mac device in your business should have it switched on and kept up to date. It is one of the five Cyber Essentials controls.

Attack surface
Everything an attacker could potentially target: your laptops, phones, servers, cloud accounts, websites, and the people who use them. The bigger and less tidy your setup, the larger the attack surface. Reducing it (removing old accounts, shutting down unused services, retiring kit you no longer need) is one of the cheapest ways to lower your risk.

Authentication
The process of proving you are who you say you are before you get access to something. A password is one factor. The problem is that passwords get guessed, reused and stolen, which is why multi-factor authentication (see MFA) has become the single most useful security step a small business can take.

Backup
A separate copy of your data, kept so you can recover if the original is lost, corrupted or held to ransom. The rule worth remembering is 3-2-1: three copies, on two different types of storage, with one kept off-site or offline. A backup you have never tested is only a hope, so check that you can actually restore from it.

Botnet
A network of computers that have been quietly infected and are controlled remotely by an attacker, usually without the owners knowing. Botnets are rented out to send spam, launch attacks and mine cryptocurrency. If a device on your network is unusually slow or your internet connection is being hammered for no reason, a botnet infection is one possible cause.

Brute-force attack
An attacker trying huge numbers of password combinations until one works, usually with automated tools. Short or common passwords fall in seconds. Long passphrases, account lockouts after failed attempts, and MFA make brute-forcing impractical.

Business Email Compromise (BEC)
A scam where a criminal gets into, or convincingly imitates, a trusted email account (often a director or supplier) and uses it to request a payment or a change of bank details. BEC costs UK businesses more than almost any other type of cyber crime because it relies on trust, not malware. The defence is a habit: verify any payment or bank-detail change by phone, using a number you already hold, never one from the email itself.

Cloud
Computing services delivered over the internet rather than from a server in your office: Microsoft 365, Google Workspace, Xero, Dropbox and so on. The cloud provider secures the underlying platform, but your data and accounts are still your responsibility. Most small-business breaches in the cloud come down to weak passwords and missing MFA, not the provider being hacked.

Credential stuffing
Attackers taking username and password pairs leaked from one website and trying them on others, betting that people reuse the same password. If you use one password across several accounts, a breach at any one of them puts all of them at risk. A password manager and unique passwords shut this down.

Cyber Essentials
A UK Government-backed certification that proves your business has five basic controls in place: a firewall, secure settings, access control, malware protection and up-to-date software. It is increasingly required to win contracts, qualify for some insurance, and reassure clients. It is also the most cost-effective security step most small businesses can take. See our Cyber Essentials service and pricing.

Data breach
Any incident where information is accessed, taken or exposed without authorisation. For a small business that usually means customer or staff personal data, which brings legal duties under UK GDPR, including reporting serious breaches to the ICO within 72 hours. Knowing in advance who you would call and what you would do turns a crisis into a procedure.

DDoS (Distributed Denial of Service)
An attack that floods your website or service with so much traffic that it falls over and legitimate customers cannot reach it. It does not steal data; it takes you offline, sometimes as a smokescreen or an extortion threat. Cloud hosting and a service like Cloudflare absorb most of these.

EDR (Endpoint Detection and Response)
A step up from traditional antivirus. EDR continuously watches what is happening on your devices, spots suspicious behaviour, and can isolate a compromised machine before a problem spreads. It is increasingly standard in managed security because it catches threats that slip past basic antivirus.

Encryption
Scrambling data so that only someone with the right key can read it. If a laptop or phone is encrypted and it gets lost or stolen, the thief gets an expensive paperweight, not your client files. Turn on full-disk encryption (BitLocker on Windows, FileVault on Mac) everywhere, and make sure your website uses HTTPS.

Endpoint
Any device that connects to your network and is used to do work: laptops, desktops, phones, tablets, servers. Each one is a potential way in for an attacker, which is why endpoints are where a lot of security effort sensibly goes. See also EDR.

Firewall
A barrier that controls what network traffic is allowed in and out, blocking unwanted connections. Your broadband router has one, and so does every computer. Properly configured firewalls are one of the five Cyber Essentials controls. The common mistake is leaving default settings or admin passwords in place.

Incident response
The plan and the actions for dealing with a security incident: who does what, who to contact, how to contain the damage and how to recover. Even a one-page plan, agreed before anything goes wrong, dramatically reduces the cost and chaos of a real incident. Practising it once a year is worth more than any document gathering dust.

Insider threat
A risk that comes from inside the business: a disgruntled employee, a careless click, or someone walking out with data when they leave. Most insider incidents are accidents, not malice. Good access control (people can only reach what they need) and removing accounts promptly when someone leaves handle the bulk of it.

Malware
Short for malicious software: a catch-all for viruses, ransomware, spyware, trojans and worms. It usually arrives through a dodgy email attachment, a fake download, or an unpatched weakness in software. Up-to-date devices, malware protection and a wary workforce are the core defences.

Managed Security Service Provider (MSSP)
A specialist firm that looks after your security for you: monitoring, protecting and responding on your behalf, usually for a monthly fee. For a small business with no in-house security team, this is how you get enterprise-grade protection without hiring for it. Worth knowing: IT support and cyber security are not the same job, and many IT providers do not do the second one.

MDR (Managed Detection and Response)
A service where specialists monitor your systems around the clock, investigate alerts, and respond to threats on your behalf. It pairs EDR technology with actual humans watching, which matters because attacks do not keep office hours. This is a core part of a modern managed-security package.

MFA (Multi-Factor Authentication)
Proving who you are with two or more things: something you know (a password) plus something you have (a code on your phone or an app prompt). MFA stops the overwhelming majority of account takeovers, even when your password has been stolen. If you do one thing after reading this page, turn MFA on for your email and your cloud accounts.

Password manager
An app that creates and stores a strong, unique password for every account, so you only have to remember one master password. It removes the two worst password habits in one go: reusing them, and choosing weak ones. For a small business, a shared password manager is one of the highest-value, lowest-cost tools available.

Patching
Applying the updates that software makers release to fix security holes. Attackers actively hunt for businesses running out-of-date software because the weaknesses are public and easy to exploit. Turning on automatic updates for your operating systems, browsers and apps closes that door. Keeping software supported and updated is one of the five Cyber Essentials controls.

Penetration testing (pen test)
A controlled, authorised attempt by a security professional to break into your systems the way a real attacker would, so you find the weaknesses before a criminal does. The result is a report of what was found and how to fix it. It is a deeper, more active check than an automated vulnerability scan.

Personal data
Any information that identifies a living person: names, emails, addresses, payment details, and more sensitive categories like health records. If you hold it, UK GDPR makes you responsible for keeping it safe and for using it properly. Knowing what personal data you hold and where it lives is the first step to protecting it.

Phishing
Fake messages, usually email, designed to trick someone into clicking a malicious link, opening an infected attachment, or handing over passwords or payment details. It is the most common way attacks start. The best defences are MFA (so a stolen password is not enough) and staff who know what to look for. Regular, light-touch awareness training pays for itself.

Principle of least privilege
The principle that every person and system should have the minimum access needed to do the job, and no more. If an everyday account does not have admin rights, malware that lands on it cannot do as much damage. Not using admin accounts for routine work is one of the simplest, most effective controls there is.

Ransomware
Malware that locks or encrypts your files and demands a payment to release them, often alongside a threat to leak the data. It can stop a business trading overnight. Paying does not guarantee you get the data back, and it marks you as a target. Reliable, tested, offline backups are the difference between an expensive afternoon and an existential crisis.

Remote access
Tools that let someone connect to a computer or network from elsewhere. Useful for home working and IT support, dangerous when left open to the internet without protection. Remote Desktop Protocol (RDP) exposed to the world is one of the most common ways ransomware gets in. If you need remote access, put it behind a VPN and MFA.

Risk assessment
The exercise of working out what could go wrong, how likely it is, and how badly it would hurt, so you can spend your time and money on the things that matter most. Security is not about doing everything; it is about doing the right things first. A short, honest risk assessment is where any sensible security plan starts.

SIEM (Security Information and Event Management)
A system that gathers logs and events from across your IT and flags suspicious patterns in one place. It is the engine behind serious monitoring, more common in larger or regulated businesses, and usually delivered as part of a managed service rather than run in-house by a small firm.

Skynet
In the Terminator films, Skynet is the artificial intelligence that becomes self-aware, decides humanity is the problem, and turns the machines against us. It is why people half-joke about the robots taking over every time a new AI tool launches. Reassuringly, your firewall is not about to declare war on you.

In real life it is far less dramatic and entirely British. Skynet is the UK's military satellite communications programme, run by the Ministry of Defence. The current generation, Skynet 6, is the UK Government's largest space initiative, with over £5 billion invested over ten years. The Skynet 6A satellite is being built by Airbus in the UK and is due to launch with SpaceX in 2027, providing secure, sovereign communications for the armed forces through to 2042 and beyond. So if someone mentions Skynet in a security context, they most likely mean satellites, not the end of the world.

Smishing and vishing
Phishing by other channels: smishing is by text message, vishing is by phone call. The trick is the same (impersonate someone trusted, create urgency, get you to act); only the medium changes. The same rule applies: slow down, and verify through a channel you trust before doing anything with money or passwords.

Social engineering
Manipulating people rather than hacking technology: the con artist's craft applied to cyber crime. Phishing, BEC, smishing and vishing are all forms of it. Because it targets human nature, technology alone cannot stop it; aware, confident staff are your strongest defence.

Spear phishing
A targeted, researched phishing attack aimed at a specific person, using real details to seem convincing, rather than a generic mass email. A message that names your supplier, your role and a genuine project is far harder to spot. Senior staff and finance teams are the usual targets, so they need the most support.

Spyware
Malware that quietly watches what you do: capturing keystrokes, passwords, and what is on your screen, then sending it to an attacker. It often rides in with free downloads or dodgy attachments. Malware protection and keeping software updated are the main defences.

SSL/TLS
The technology that encrypts the connection between a web browser and a website, shown by the padlock and the "https" in the address bar. It stops others reading or tampering with data in transit. Every business website should use it; today it is expected, and its absence is a red flag to customers.

Supply chain attack
An attack that reaches you through a supplier, a piece of software, or an IT provider you trust, rather than hitting you directly. Because you have let that third party in, the attack inherits that trust. Knowing who has access to your systems and data, and expecting basic security of your suppliers (Cyber Essentials is a fair bar), is how you manage it.

Threat actor
The industry's term for whoever is behind an attack: organised criminal gangs, lone opportunists, hostile states, or occasionally insiders. For most small businesses the realistic threat is financially motivated criminals running automated, opportunistic attacks, not a targeted operation. That is good news, because basic controls defeat most opportunists.

Trojan
Malware disguised as something harmless (a useful program, an invoice, a software update) that you let in because it looks legitimate. The name comes from the wooden horse, and the lesson is the same: be wary of what you invite through the gate. Only install software from sources you trust.

VPN (Virtual Private Network)
A secure, encrypted tunnel between a device and a network, used so remote workers can reach company systems safely, or to protect traffic on untrusted Wi-Fi. For business it is mainly about safe remote access. Note that it is not a magic privacy cloak; it protects the connection, not the device at either end.

Vulnerability
A weakness in software, hardware or a process that an attacker could exploit: an unpatched program, a default password, a misconfigured setting. Vulnerabilities are normal and constant; the job is to find and fix the important ones before they are used against you. See vulnerability scanning and patching.

Vulnerability scanning
An automated check that hunts across your systems for known weaknesses and reports what it finds, so you can fix them. It is broader and more regular than a pen test, and a sensible part of ongoing security hygiene. Many businesses run scans monthly and patch what comes up.

Whaling
Spear phishing aimed at the big fish: directors, owners and senior decision-makers, often impersonating them to authorise payments or extract sensitive information. The higher the authority of the account, the bigger the prize, so leadership deserves the strongest protection and the most realistic training.

Wi-Fi security
The encryption that protects your wireless network. Use WPA2 or, better, WPA3, with a strong password, and keep a separate guest network so visitors and untrusted devices never touch your business systems. Old, open or weakly secured Wi-Fi is an easy way in.

Worm
Malware that spreads by itself from computer to computer across a network, without anyone needing to click anything. Because it self-replicates, one infected device can become many quickly. Up-to-date software and good network segmentation slow it down.

Zero-day
A brand-new vulnerability that the software maker does not yet know about, so there is no patch available, hence "zero days" to fix it. They are rare in everyday small-business attacks, which overwhelmingly use old, known weaknesses instead. Strong fundamentals and fast patching once a fix appears are the realistic defence.

Zero trust
A security approach that assumes no user or device is automatically trusted, even inside your own network, and checks every request. In practice for a small business it means MFA everywhere, least-privilege access, and verifying devices, rather than trusting anything just because it is "inside". It is a direction of travel more than a product you buy.

Not sure where your business stands?

Most of the terms above come down to a handful of practical steps. We help Yorkshire small businesses get the basics right, get Cyber Essentials certified, and stay protected, without the jargon or the scare tactics.

Not sure where you stand first? Take our free Cyber Essentials self-check.

Or call us: 01759 686 660