Cybersecurity Glossary

Every acronym and term we use across the site, defined in plain English for business owners — no jargon, no assumptions.

A

Attack surface
Every device, account, app, and connection an attacker could try to exploit. Reducing it (fewer exposed services, less standing access) is a core security goal.

B

BAA (Business Associate Agreement)
A HIPAA-required contract between a healthcare provider and any vendor that handles patient data, binding the vendor to safeguard it.
Backup (3-2-1)
Keep 3 copies of data, on 2 types of media, with 1 copy offsite/offline. The standard that makes ransomware recovery possible without paying.
BEC (Business Email Compromise)
A scam where an attacker uses a compromised or spoofed email to trick someone into wiring money or sharing data. One of the costliest cybercrimes for SMBs.

C

CMMC
Cybersecurity Maturity Model Certification — the security standard defense contractors must meet to handle government information.
Credential stuffing
Attackers taking username/password pairs leaked from one breach and trying them on other sites, betting people reuse passwords.
CUI (Controlled Unclassified Information)
Sensitive government information that isn't classified but still must be protected — the data that triggers CMMC Level 2.

D

Dark web
Hidden parts of the internet where stolen data and credentials are bought and sold. Monitoring it tells you if your logins have leaked.
Data breach
An incident where sensitive information is accessed or taken without authorization. Most carry legal notification duties.
DFARS 252.204-7012
The defense contracting clause requiring safeguarding of covered information and 72-hour cyber-incident reporting.

E

EDR (Endpoint Detection & Response)
Modern security software on computers and servers that detects, investigates, and stops threats — far beyond traditional antivirus.
Encryption
Scrambling data so only someone with the key can read it — required for sensitive data both 'in transit' (moving) and 'at rest' (stored).
Endpoint
Any device that connects to your network — laptop, desktop, phone, tablet, server. Each is a potential entry point.
ePHI
Electronic Protected Health Information — patient health data in digital form, protected under the HIPAA Security Rule.

F

Firewall
A barrier that filters network traffic, blocking unwanted connections between your network and the internet (or between internal segments).
FTC Safeguards Rule
A federal rule requiring 'financial institutions' — including auto dealers, accountants, and others that handle financial data — to maintain a written security program (WISP).

G

GLBA
The Gramm-Leach-Bliley Act — the law behind the FTC Safeguards Rule, requiring protection of consumers' non-public financial information.

H

HIPAA
The U.S. health-privacy law whose Security Rule sets cybersecurity requirements for healthcare providers and their vendors.

I

Incident response (IR)
The organized process for handling a cyberattack: detect, contain, eradicate, recover, and review. A written plan is required by most frameworks and insurers.

L

Least privilege
Giving each person and system only the access they need to do their job — and nothing more. Limits the damage of a compromised account.

M

Malware
Malicious software — viruses, ransomware, spyware, trojans — designed to damage, steal, or take control of systems.
MFA (Multi-Factor Authentication)
Requiring a second proof of identity (a code, app approval, or key) on top of a password. The single highest-impact control against account takeover.
MSP (Managed Service Provider)
A vendor that keeps your IT running — devices, networks, email, software. Not the same as security.
MSSP (Managed Security Services Provider)
A vendor that keeps your IT secure — monitoring for threats, responding to incidents, and operating security controls 24/7.

N

NAIC Model Law
The NAIC Insurance Data Security Model Law — state-adopted rules requiring insurance agencies to maintain a written security program.
NIST CSF
The NIST Cybersecurity Framework — a widely used model organizing security into Identify, Protect, Detect, Respond, Recover, and Govern.
NIST SP 800-171
The 110-control standard for protecting Controlled Unclassified Information — the technical backbone of CMMC Level 2.
NPI (Non-public Personal Information)
Personal financial information a business collects that isn't publicly available — protected under GLBA and the NAIC Model Law.

P

Penetration test
An authorized simulated attack on your systems to find exploitable weaknesses before a real attacker does.
PHI
Protected Health Information — patient data covered by HIPAA, in any form (electronic PHI is 'ePHI').
Phishing
Fraudulent emails or messages that trick people into clicking malicious links, opening malware, or revealing credentials.
PII (Personally Identifiable Information)
Data that can identify a person — name, SSN, driver's license, account numbers. A prime target and a notification trigger if breached.

R

Ransomware
Malware that encrypts your data and demands payment to unlock it. The dominant threat to SMBs, often delivered via phishing or stolen credentials.

S

Shadow AI
Employees using AI tools (like ChatGPT) for work without approval or oversight — risking confidential data leaking into public models.
SIEM
Security Information and Event Management — a system that collects and analyzes logs from across your environment to spot threats.
SOC 2
An independent audit report showing a vendor meets defined security controls. Often requested when vetting a service provider.
Social engineering
Manipulating people (not hacking computers) into giving up access or information — the human side of most attacks.

V

vCISO
A virtual/fractional Chief Information Security Officer — senior security leadership and strategy on a part-time, affordable basis.
VPN
Virtual Private Network — an encrypted tunnel that protects data traveling between a remote user and the network.

W

WISP
Written Information Security Program — the documented security plan several regulations (FTC Safeguards, NAIC, IRS Pub 4557) require by name.

Z

Zero Trust
A security model that trusts nothing by default and verifies every user and device on every request — 'never trust, always verify.'

Still sounds like a foreign language?

That's the point of working with us — we translate the jargon into plain decisions. Start with a free 30-minute assessment.