Cybersecurity Glossary

Plain-English definitions of the terms you'll encounter in cybersecurity and UK compliance — written for business owners, not IT departments.

A

Attack Surface

Concepts

Also known as: attack surface area

Your attack surface is the total collection of points where an attacker could potentially try to gain unauthorised access to your systems or data. Every device connected to the internet, every user account, every piece of software, every open port on a firewall, every third-party integration — all of these are part of your attack surface.

The larger your attack surface, the more potential entry points there are for an attacker to exploit. This is why reducing your attack surface is a core principle of good security: disable services and ports you don’t need, remove software that isn’t being used, close accounts for staff who have left, and review third-party access regularly. Cyber Essentials touches on this through its secure configuration and access control requirements. The key insight is that you can’t protect what you don’t know about — understanding your full attack surface is the first step to managing it.

B

Business Continuity

Concepts

Also known as: business continuity plan, BCP, business continuity planning

Business continuity planning is the process of ensuring your organisation can continue operating — or recover quickly — when something goes badly wrong. In the context of cyber security, that means having plans and capabilities in place so that a ransomware attack, a prolonged system outage, or the loss of a key supplier doesn’t bring your business to a halt indefinitely.

The practical elements include: regular offsite backups that you’ve actually tested restoring from, documented procedures for operating without key systems, clear communication plans for staff and clients, and identified alternative working arrangements. Business continuity and disaster recovery are closely related — business continuity focuses on keeping essential operations running during an incident, while disaster recovery focuses on restoring systems and data after one. For small businesses, even basic preparation — tested backups, a written emergency contact list, and a rough plan for the first 24 hours — puts you significantly ahead of most.

Business Email Compromise (BEC)

Threats & Attacks

Also known as: BEC, invoice fraud, CEO fraud, mandate fraud

Business Email Compromise is a type of fraud where attackers impersonate a trusted person — your CEO, a supplier, a solicitor, or a client — via email in order to trick someone in your organisation into making a payment to the wrong account or handing over sensitive information. It’s sometimes called invoice fraud, CEO fraud, or mandate fraud depending on how it’s executed.

BEC attacks are responsible for more financial losses globally than ransomware. They work because they exploit normal business processes — changing bank details, approving invoices, wiring funds — and they rely on staff acting quickly without verifying. The defence is procedural, not technical: any request to change payment details must be verified by phone using a number you already have on file, not one provided in the email. A single call before making a payment has stopped thousands of successful BEC attacks.

C

Cloud Computing

Infrastructure

Also known as: the cloud, cloud services, cloud storage

Cloud computing means using computing resources — storage, software, processing power, email — that are hosted and managed by a third party over the internet, rather than on physical hardware you own and maintain on your premises. When your business uses Microsoft 365, Google Workspace, Xero, Salesforce, or Dropbox, you’re using cloud computing.

For small businesses, cloud services have significant benefits: lower upfront costs, automatic updates, and the ability to work from anywhere. But moving to the cloud doesn’t remove your security responsibilities — it shifts some of them. You’re still responsible for who has access to your cloud accounts, how strong their authentication is, whether data is backed up correctly, and what the provider’s data handling practices mean for your UK GDPR obligations. One particular risk worth understanding: most cloud providers operate under US law (including the Cloud Act), which can have implications for where your data is processed and who has legal authority to access it.

Credential Stuffing

Threats & Attacks

Also known as: credential stuffing attack

Credential stuffing is an automated attack where criminals take lists of username and password combinations stolen from previous data breaches and try them against other websites and services. The attack works because so many people reuse the same passwords across multiple accounts. If your email and password from a breach at one service are the same as your login for your business banking, cloud accounting system, or email platform, an attacker trying the stolen credentials will get in.

Credential stuffing attacks are highly automated — tools can try millions of combinations per hour. The defence is straightforward: use unique passwords for every account (a password manager makes this practical), and enable MFA on all important accounts. With MFA enabled, a stolen password alone isn’t enough to get in.
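
An added example, not part of the glossary: the kind of detection logic an IT provider might run over login logs to tell credential stuffing (many different accounts, one failure each, from one source) apart from password guessing against a single account. The log format, the IP addresses (documentation ranges) and the usernames are constructed for this illustration, and the thresholds are assumptions to tune.

```python
# Added example (not from the glossary page): a minimal detector for the
# credential-stuffing pattern in authentication logs. The log format, the
# IP addresses (RFC 5737 documentation ranges) and the usernames are all
# constructed for this example; the thresholds are assumptions to tune.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source tries many different accounts with a
# single failure each (stuffing), another hammers one account (guessing),
# and a normal user mistypes once and then logs in.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T09:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T09:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T09:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T09:00:04Z ip=203.0.113.5 user=frank result=OK
2024-05-01T09:05:00Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:05:01Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:05:02Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:05:03Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:05:04Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:05:05Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T09:10:00Z ip=192.0.2.44 user=grace result=FAIL
2024-05-01T09:10:20Z ip=192.0.2.44 user=grace result=OK
"""


def parse_log(text):
    """Turn log text into (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_users=5, min_fails=5):
    """Classify each source IP that produced failures:
    'stuffing' - failures spread over >= min_users distinct accounts inside one window
    'guessing' - >= min_fails failures against a single account inside one window
    'normal'   - anything else (e.g. a user mistyping once)
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        verdict = "normal"
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_fails = fails[start:end + 1]
            distinct = {u for _, u in window_fails}
            if len(distinct) >= min_users:
                verdict = "stuffing"
                break
            if len(window_fails) >= min_fails and len(distinct) == 1:
                verdict = "guessing"
        verdicts[ip] = verdict
    return verdicts


def successful_logins_from(events, verdicts):
    """Accounts that logged in successfully from a flagged source: reset these and review their activity first."""
    flagged = {ip for ip, v in verdicts.items() if v != "normal"}
    return sorted({user for _, ip, user, result in events if result == "OK" and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    print(verdicts)
    print("accounts to reset:", successful_logins_from(evs, verdicts))
```

The "stuffing" source here is the one that got into frank's account with a reused password, which is exactly why a stolen password alone should not be enough to log in.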

CVSS

Security Controls

CVSS stands for Common Vulnerability Scoring System, a standardised method for rating the severity of security vulnerabilities in software. It gives each vulnerability a numerical score, which helps organisations understand its potential impact and prioritise their response accordingly. The scoring system is widely used to assess the risk posed by vulnerabilities in systems and applications. For UK small business owners, understanding CVSS helps you judge how urgently a reported vulnerability in your software or systems needs attention. When you receive CVSS scores for vulnerabilities, act on the severity level, making sure critical vulnerabilities are addressed promptly to protect your business from potential threats.

Cyber Essentials

UK Compliance & Regulation

Cyber Essentials is a UK government-backed certification scheme that helps organisations demonstrate they have basic cyber security controls in place. It was developed by the NCSC and is designed specifically to protect against the most common internet-based attacks — the kind that make up around 80% of all incidents affecting UK businesses.

To achieve certification, your organisation must evidence five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management (keeping software up to date). There are two levels: the self-assessed Cyber Essentials, and the independently audited Cyber Essentials Plus. Certification is required for all UK government contracts that involve handling personal data or sensitive information, and many larger organisations now require it from their suppliers as a condition of doing business.

Cyber Essentials Plus

UK Compliance & Regulation

Also known as: CE+, CE Plus

Cyber Essentials Plus is the higher tier of the UK’s Cyber Essentials certification scheme. Unlike the standard Cyber Essentials, which is self-assessed — you answer questions about your own controls and an assessor reviews your answers — Cyber Essentials Plus involves an independent technical assessment. An accredited assessor actually tests your systems to verify that the five required controls are genuinely in place and working, not just ticked on a form.

The practical difference matters. A Plus certification means someone external has checked your devices, your patching, your configuration, and your access controls and confirmed they hold up under scrutiny. It carries more weight with clients, partners, and insurers, and it tends to surface gaps that a self-assessment might miss.

Cyber Insurance

Insurance & Risk

Also known as: cyber liability insurance, cybersecurity insurance

Cyber insurance is a type of business insurance policy designed to cover the financial costs of a cyber incident — including ransomware payments, data recovery, legal fees, regulatory fines, business interruption losses, and crisis communications. For small businesses, it can provide meaningful financial protection against the kind of costs that would otherwise be existential.

However, cyber insurance is not a substitute for security. Insurers increasingly require evidence that basic controls are in place before they’ll offer cover, and policies can include exclusions that void a claim if you haven’t maintained reasonable security hygiene. Reading the policy carefully matters: some policies exclude certain types of attack, cap ransomware payments, or require you to use the insurer’s own incident response firm. The claims process can also be contentious — there are documented cases of insurers disputing payouts on technical grounds after a business has suffered a significant breach.

D

Dark Web

Concepts

Also known as: darkweb, dark net, darknet

The dark web is a part of the internet that requires specialist software — most commonly the Tor browser — to access, and is not indexed by standard search engines. While it has legitimate uses for journalists, activists, and people in countries with restricted internet access, it is also widely used by criminal groups to sell stolen data, trade in malware and hacking tools, and operate illegal marketplaces.

For small businesses, the dark web is relevant primarily because stolen credentials, financial data, and personal data from breaches regularly appear for sale there. Services exist that monitor dark web marketplaces for mentions of your domain, email addresses, or other business identifiers — this can provide early warning that your data has been compromised in a breach you’re not yet aware of. If your email domain appears in a dark web data sale, it’s a signal to force password resets on affected accounts and review access logs.

Data Breach

Threats & Attacks

Also known as: personal data breach, security breach

A data breach is any incident where personal data is accessed, disclosed, altered, or destroyed in a way that wasn’t intended or authorised. This includes a criminal stealing your customer database, an employee accidentally emailing sensitive information to the wrong person, a laptop containing personal data being lost or stolen, or ransomware encrypting files that included personal information.

Under UK GDPR, not every data breach needs to be reported — only those that are likely to result in a risk to the rights and freedoms of individuals. But if a breach does meet that threshold, you must report it to the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals — for example, financial data or health information was exposed — you must also notify the affected people directly. The 72-hour clock starts when you become aware, not when the breach happened, which is why having a clear incident response plan in place before anything goes wrong matters.

Data Protection Act 2018

UK Compliance & Regulation

Also known as: DPA, DPA 2018, Data Protection Act

The Data Protection Act 2018 is the UK legislation that implements data protection law in the United Kingdom. It sits alongside UK GDPR and together they form the complete UK data protection framework. The DPA 2018 tailors certain aspects of the GDPR framework to the UK context — for example, it sets out specific exemptions for national security, law enforcement, and intelligence services, and it establishes the ICO as the supervisory authority.

For most small businesses, the practical requirements come from UK GDPR rather than the DPA 2018 specifically — the two laws work together, and compliance with one generally means compliance with the other in everyday business contexts. The DPA 2018 is referenced when specific exemptions apply or when discussing the ICO’s regulatory powers.

Department for Science, Innovation and Technology (DSIT)

Organisations

The Department for Science, Innovation and Technology (DSIT) is a UK government department responsible for promoting science, research, and technological innovation. For small business owners, DSIT plays a crucial role in shaping policies that can impact funding opportunities, technological advancements, and support services available to enhance their business operations. Staying informed about DSIT initiatives can help you access grants, resources, and guidance that strengthen your cybersecurity posture and overall business resilience.

Disaster Recovery

Concepts

Also known as: DR, disaster recovery plan, DRP

Disaster recovery is the set of processes and capabilities that enable your organisation to restore systems, data, and operations after a major disruptive event — whether that’s a ransomware attack, a hardware failure, a fire, a flood, or any other incident that takes critical systems offline. The focus is on technical recovery: getting your data back, rebuilding systems, and restoring normal operations.

The two most important metrics in disaster recovery planning are the Recovery Time Objective (RTO) — how long you can afford to be down — and the Recovery Point Objective (RPO) — how much data you can afford to lose (i.e., how old your most recent backup can be). For most small businesses, having tested, offsite backups is the foundation of any disaster recovery capability. “Tested” is the critical word: a backup that has never been restored from is not a backup you can rely on when everything is on fire.

E

Encryption

Security Controls

Also known as: encrypted, encrypt, end-to-end encryption, E2EE

Encryption is the process of scrambling data so that it can only be read by someone who has the correct key to unscramble it. When data is encrypted, even if a criminal intercepts it or steals a device containing it, they see meaningless gibberish without the decryption key.

For small businesses, encryption matters in two main contexts: data at rest (files stored on laptops, phones, USB drives, and servers) and data in transit (information travelling across the internet). Most modern operating systems can encrypt device storage — Windows BitLocker and Apple FileVault are the common examples — and enabling device encryption on all company laptops and phones is a straightforward step that protects against the data breach risk from a lost or stolen device. Data in transit is handled by HTTPS (the padlock in your browser) and encrypted messaging. Note that encryption protects data from being read if intercepted or stolen — it doesn’t protect against ransomware, which uses encryption against you.

Endpoint Security

Security Controls

Also known as: endpoint protection, EDR, endpoint detection and response, antivirus, anti-malware

Endpoint security refers to the security controls applied to individual devices — laptops, desktops, phones, and tablets — that connect to your network. These devices are called “endpoints” because they sit at the edge of your network. Endpoint security software monitors for malicious activity, blocks known malware, and in more advanced products detects suspicious behaviour that might indicate an attack in progress.

Traditional antivirus software compared files against a database of known malware signatures. Modern endpoint security tools — often called Endpoint Detection and Response (EDR) — go further, monitoring behaviour patterns and using machine learning to identify threats that haven’t been seen before. For small businesses, having endpoint protection installed and kept up to date on all company devices is one of the five Cyber Essentials requirements. Windows Defender (built into Windows 10 and 11) meets the basic requirement for most small businesses, provided it’s enabled and updating correctly.

F

Firewall

Security Controls

Also known as: network firewall, firewall rules

A firewall is a security control that monitors and filters network traffic — the data flowing in and out of your systems — and blocks anything that doesn’t meet predefined rules. Think of it as a border checkpoint: traffic that looks legitimate gets through, traffic that looks suspicious or comes from blocked sources gets stopped.

Firewalls can be hardware devices (a physical box sitting at the edge of your network), software running on individual computers, or cloud-based services. They’re one of the five technical controls required by Cyber Essentials. Having a firewall isn’t enough on its own — it needs to be correctly configured, with unnecessary ports and services closed, and it needs to be kept up to date. An outdated firewall from a vendor that’s stopped releasing security updates provides a false sense of security and, in some cases, has been actively exploited as an entry point by attackers.

H

Harden

Security Controls

Hardening is the process of securing a system by reducing its vulnerabilities and improving its overall security posture. This can involve configuring software and hardware settings, applying security patches, and removing unnecessary services or applications that could be exploited by attackers. It is a proactive approach to cybersecurity that aims to make systems more resilient against threats. For UK small business owners, hardening your systems means regularly updating software, using strong passwords, and ensuring that only essential services are running. This protects sensitive data and reduces the risk of a successful cyber attack.

I

IASME

Organisations

Also known as: IASME Consortium

IASME (pronounced “I-AZ-me”) is the Information Assurance for Small and Medium Enterprises Consortium — a not-for-profit organisation that acts as one of the accreditation bodies for the UK’s Cyber Essentials certification scheme. They also run their own cyber assurance standard, IASME Cyber Assurance, which is designed specifically for smaller organisations and goes beyond the five Cyber Essentials controls to include areas like policies, procedures, and staff training.

IASME-accredited certification bodies are the organisations that carry out Cyber Essentials assessments on behalf of the NCSC. If you’re pursuing Cyber Essentials or Cyber Essentials Plus, you’ll likely be working with an IASME-accredited assessor, either directly through IASME or through another accreditation body such as CREST or the BCS.

ICO

UK Compliance & Regulation

Also known as: Information Commissioner's Office, Information Commissioner

The ICO — the Information Commissioner’s Office — is the UK’s independent regulator for data protection and privacy. It enforces UK GDPR and the Data Protection Act 2018, investigates complaints from members of the public about how their data has been handled, and can take formal action against organisations that break the rules.

For small businesses, the ICO is most relevant in two situations: first, if you suffer a data breach that affects personal data and meets the reporting threshold, you must notify the ICO within 72 hours; second, if a customer or employee complains about how you’ve handled their data, the ICO may investigate. The ICO publishes detailed guidance for small businesses and has a self-reporting tool for breaches. Fines can be significant for serious violations, but the ICO also has a track record of issuing reprimands and improvement notices rather than immediately reaching for financial penalties for smaller organisations acting in good faith.

Incident Response

Concepts

Also known as: incident response plan, IR plan, cyber incident response

Incident response is the organised approach to managing and recovering from a cyber security incident — whether that’s a ransomware attack, a data breach, a compromised email account, or a phishing attack that’s already resulted in a fraudulent payment. The goal is to contain the damage, understand what happened, recover operations, and prevent recurrence.

A good incident response plan doesn’t need to be long or complex, but it does need to exist before anything goes wrong. At a minimum it should cover: who to call first (internal and external), how to isolate affected systems without destroying evidence, when to contact the ICO (within 72 hours for qualifying data breaches), when to involve law enforcement, and how to communicate with clients and suppliers. Many small businesses don’t discover they have no plan until they’re in the middle of an incident and trying to make critical decisions under enormous pressure. Having even a one-page plan dramatically improves outcomes.

IoT

Infrastructure

Also known as: Internet of Things, smart devices, connected devices

IoT — the Internet of Things — refers to physical devices that connect to the internet beyond traditional computers, phones, and tablets. In a business context this includes smart TVs, IP cameras, smart printers, building access control systems, environmental sensors, networked CCTV, and any other physical device that has network connectivity built in.

IoT devices are a significant and frequently overlooked part of business attack surfaces. They often run embedded software that receives few or no security updates, arrive with default passwords that are rarely changed, and sit on the same network as critical business systems. Several major cyberattacks have begun through compromised IoT devices — office printers and smart cameras being particularly common entry points. The basic controls are simple: change default passwords immediately, put IoT devices on a separate network segment from business systems where possible, and replace devices that no longer receive security updates.

K

KEV

Threats & Attacks

Also known as: Known Exploited Vulnerability, Known Exploited Vulnerabilities

KEV stands for Known Exploited Vulnerabilities: security flaws in software that have been publicly identified and are being actively used in attacks by cybercriminals. For UK small business owners, keeping track of these vulnerabilities matters because they are the flaws attackers are using right now, not merely ones that could be exploited in theory. Regularly check for updates from trusted sources like the NCSC and ensure your software is patched promptly to minimise the risk of exploitation. Consider implementing a vulnerability management strategy to keep your organisation secure.

L

Least Privilege

Concepts

Also known as: principle of least privilege, minimum necessary access, least-privilege access

The principle of least privilege means giving every user, application, and system only the minimum access they need to do their specific job — nothing more. A member of staff in accounts payable should be able to access the accounts system, but probably doesn’t need admin rights on the server, access to HR records, or the ability to install software. An application that sends newsletters doesn’t need access to your entire customer database.

The reason this matters is containment. If a user account is compromised — through phishing, a weak password, or malware — the attacker inherits that account’s access. If the account had admin rights and access to everything, so does the attacker. If the account had only the access needed for one specific role, the damage is contained. User access control — ensuring accounts only have the rights they need — is one of the five Cyber Essentials controls, and it’s one of the most commonly misconfigured in small businesses.

M

Malware

Threats & Attacks

Also known as: malicious software, virus, trojan, spyware

Malware is the umbrella term for any software that’s designed to harm, disrupt, or gain unauthorised access to computer systems. It includes ransomware (which encrypts your files and demands payment), viruses (which spread by attaching themselves to legitimate files), trojans (malicious software disguised as something legitimate), spyware (which secretly monitors your activity), and many other variants.

Malware typically gets onto systems through phishing emails with malicious attachments or links, compromised websites, infected USB drives, or software downloaded from unofficial sources. Malware protection — keeping anti-malware tools installed and up to date — is one of the five Cyber Essentials controls. But it’s worth understanding that no anti-malware tool catches everything, particularly newer or customised malware, which is why layered defences (good patching, MFA, restricted user access) matter more than relying on any single tool.

Multi-Factor Authentication (MFA)

Authentication

Also known as: two-factor authentication, 2FA, two-step verification, two-step authentication

Multi-Factor Authentication means your account needs more than just a password to let you in. After you type your password, you’re asked to prove it’s really you in a second way — usually by entering a code sent to your phone, approving a prompt in an app, or plugging in a physical security key.

The reason this matters is simple: passwords get stolen. They turn up in data breaches, they get guessed, they get phished. MFA means that even if a criminal has your password, they still can’t get in without also having your phone or your physical key. For UK small businesses, enabling MFA across email and key business systems is one of the five controls required by Cyber Essentials — and it’s arguably the single most effective thing you can do to prevent account takeover.

N

NCSC

Organisations

Also known as: National Cyber Security Centre

The NCSC — the National Cyber Security Centre — is the UK government’s technical authority on cyber security. It’s part of GCHQ and was established in 2016 to provide a single authoritative source of guidance, incident response capability, and threat intelligence for the UK. Their website publishes free, practical guidance on everything from password management to ransomware response, written for organisations of all sizes.

For small businesses, the NCSC is one of the most useful free resources available. Their Small Business Guide covers the basics clearly and without unnecessary jargon. They also run the Cyber Essentials scheme in partnership with accreditation bodies, and they publish alerts when significant vulnerabilities or threats emerge that organisations need to act on quickly.

NIS2

UK Compliance & Regulation

Also known as: NIS 2, Network and Information Security Directive 2, NIS2 Directive

NIS2 is the EU’s updated Network and Information Security Directive, which came into force in 2023 and required EU member states to transpose it into national law by October 2024. It significantly expands the scope of organisations required to meet mandatory cybersecurity standards, extends into sectors like manufacturing, food, waste management, and digital infrastructure, and increases maximum fines substantially.

The UK is not subject to NIS2 directly following Brexit, but it matters to UK businesses in two ways: first, UK organisations that operate in or supply to EU member states may fall in scope of NIS2 through their EU entities or customers; second, the UK is consulting on its own updated cyber resilience legislation — the Cyber Security and Resilience Bill — which is expected to draw heavily on NIS2’s approach. Understanding NIS2 gives UK businesses a reasonable preview of where domestic UK regulation is heading.

P

Passkeys

Authentication

Also known as: passkey

Passkeys are a modern replacement for passwords, designed to be both more secure and easier to use. Instead of typing a password, your device (phone, laptop, or tablet) stores a cryptographic key and authenticates you using something you already do — like face ID, a fingerprint, or your device PIN. You never type a password, and there’s no password to steal, guess, or phish.

Passkeys are supported by Apple, Google, and Microsoft, and are increasingly available on major platforms including Microsoft 365, Google Workspace, and many banking apps. For small businesses, the main benefit is that passkey-protected accounts are essentially immune to the most common form of account takeover — credential theft through phishing — because there’s no credential to steal. The technology is still rolling out across services, but adoption is accelerating rapidly.

Password Manager

Authentication

Also known as: password vault, password management

A password manager is software that securely stores your passwords and other credentials, so you only need to remember one strong master password to unlock access to all the others. Most password managers also generate strong, unique passwords for you automatically and fill them in when you visit a website or open an app.

The reason password managers matter is that most people — understandably — reuse passwords or use simple variations of the same password across multiple accounts. When one account is breached, attackers try those credentials everywhere else (this is called credential stuffing). A password manager solves this by making it practical to have a genuinely unique, complex password for every account. For businesses, password managers also help manage shared credentials securely, remove the need for passwords stored in spreadsheets or Post-it notes, and ensure that when a staff member leaves, shared account access can be changed systematically.

Patch Management

Security Controls

Also known as: patching, software updates, security updates

Patch management is the process of consistently applying updates to software, operating systems, and firmware to fix security vulnerabilities and bugs. When a software vendor discovers a security flaw in their product, they release a patch — a fix — to close it. The gap between when a patch is released and when it’s applied to your systems is the window during which attackers can exploit the known vulnerability.

For small businesses, patch management is one of the five Cyber Essentials controls, and it’s one of the most commonly neglected. The NCSC recommends applying high-severity patches within 14 days. This applies to everything: Windows, macOS, iOS and Android devices, routers, firewalls, printers, and any other internet-connected equipment. Many major breaches — including almost every ransomware attack — exploit vulnerabilities that had patches available for weeks or months before the attack occurred.

Penetration Testing

Security Controls

Also known as: pen test, pen testing, pentest, ethical hacking

Penetration testing — usually called a pen test — is an authorised, simulated attack on your systems, carried out by a security professional to find vulnerabilities before real attackers do. The tester uses the same techniques as a genuine attacker but with explicit permission and a clear scope, and reports findings back to you rather than exploiting them.

For small businesses, penetration testing is usually considered once the basics are solid — there’s not much point commissioning a pen test if you haven’t yet applied your patches, set up MFA, or configured your firewall correctly, because the report will just tell you to do those things first. A pen test is most valuable when you want to verify that your existing controls are actually working, or before a significant change like migrating to the cloud or launching a new customer-facing system. Cyber Essentials Plus includes an element of technical verification, but it’s not a full penetration test.

Phishing

Threats & Attacks

Also known as: phishing email, phishing attack

Phishing is when a criminal sends you a message — usually an email, but sometimes a text or WhatsApp — that’s designed to look like it’s from someone you trust, with the goal of tricking you into handing over your password, clicking a malicious link, or making a payment to the wrong account.

The name comes from “fishing” — the attacker casts a line with convincing bait and waits to see who bites. Most phishing attacks are sent in bulk to thousands of people at once, using templates that impersonate banks, HMRC, Royal Mail, or well-known software providers. More targeted attacks — where the message is personalised to you specifically — are called spear phishing, and are significantly harder to spot. Phishing is the starting point for the vast majority of ransomware attacks and business email compromise fraud.


R

Ransomware

Threats & Attacks

Ransomware is malicious software that breaks into your systems, encrypts your files so you can’t open them, and then demands payment — usually in cryptocurrency — for the key to unlock them. In many modern attacks, criminals also steal your data before encrypting it, so they can threaten to publish it publicly if you don’t pay. This is called double extortion.

For small businesses, a ransomware attack often means days or weeks of downtime, the potential loss of every file that wasn’t backed up offsite, and serious reputational damage if client data is exposed. The UK’s National Cyber Security Centre strongly advises against paying ransoms — payment doesn’t guarantee you’ll get your files back, and it funds further attacks. The practical defence is a combination of regular offsite backups, software patching, MFA on all accounts, and staff awareness about phishing emails, which are the most common entry point.


Risk Register

Concepts

Also known as: cyber risk register, information security risk register

A risk register is a document that lists the risks your organisation has identified — in cyber security terms, the things that could go wrong — along with an assessment of how likely each risk is, how serious the impact would be, and what controls or mitigations are in place to address it. It’s a living document, meaning it should be reviewed and updated regularly rather than completed once and filed away.

For small businesses, a risk register doesn’t need to be complicated. A simple spreadsheet listing risks like “ransomware attack via phishing email,” “staff member clicks malicious link,” or “supplier has access to our data and suffers a breach” — with notes on likelihood, impact, and what you’re doing about each one — is genuinely valuable. The act of creating it forces the conversation about what you’re actually worried about and whether your current controls are adequate. A risk register that’s never opened again after it’s written is a compliance tick-box; one that’s reviewed quarterly and informs decisions is a management tool.


S

Secure Configuration

Security Controls

Also known as: hardening, system hardening, security hardening

Secure configuration means setting up computers, devices, and software in a way that removes unnecessary features, disables default accounts and settings that aren’t needed, and reduces the number of ways an attacker could gain access. Out of the box, most software and devices are configured for convenience and broad compatibility rather than security — secure configuration is the process of changing those defaults to a more security-conscious baseline.

Examples include: disabling remote desktop access on computers that don’t need it, removing default admin accounts, turning off services that aren’t being used, ensuring software only has the network access it actually requires, and using an application allow-list to prevent unauthorised software from running. Secure configuration is one of the five Cyber Essentials controls. It’s also one of the more technically involved requirements — getting it right typically requires some IT expertise, and it needs to be maintained over time as new software is added and configurations drift.


Shadow IT

Infrastructure

Also known as: shadow technology, unsanctioned software

Shadow IT refers to software, services, applications, and devices that employees use for work without the knowledge or approval of the IT function or business owner. It includes things like a team using a free file-sharing service to transfer large documents because the approved system is too slow, staff storing work files in a personal Dropbox, or someone installing an AI tool on a work laptop without telling anyone.

Shadow IT isn’t always malicious — it usually happens because people are trying to get their work done and the official option is inconvenient. But it creates real security risks: data ends up in places the organisation doesn’t know about, can’t audit, and can’t protect. It also creates compliance headaches under UK GDPR, where you’re responsible for personal data regardless of which service it ends up in. The most effective response is understanding why shadow IT is appearing — usually because a legitimate need isn’t being met — and addressing that, rather than simply banning tools that people will continue to use quietly.


SMB1001

UK Compliance & Regulation

Also known as: SMB 1001, Small Business 1001

SMB1001 is a cyber security certification standard developed by Dynamic Standards International (DSI), an Australian organisation, designed specifically for small and medium businesses. It uses a tiered “belt” system — Bronze, Silver, Gold, Platinum, and Diamond — with each level requiring progressively more technical controls and organisational maturity. Unlike Cyber Essentials, which is a binary pass/fail, SMB1001 allows organisations to start at a lower level and build up over time.

SMB1001 is newer and less established in the UK market than Cyber Essentials, and UK government contracts and supply chain requirements typically specify Cyber Essentials rather than SMB1001. However, SMB1001’s tiered structure is genuinely useful for small businesses that want a structured roadmap for improving their security maturity beyond the Cyber Essentials baseline. Whether it’s worth pursuing depends largely on whether your specific clients or sector require it.


Social Engineering

Threats & Attacks

Social engineering is the use of psychological manipulation to trick people into doing things that benefit an attacker — handing over passwords, making payments, opening attachments, or granting access to systems. Unlike hacking, which targets technical vulnerabilities in software, social engineering targets human vulnerabilities: helpfulness, authority, urgency, fear, and trust.

Phishing emails are the most common form of social engineering, but it also includes phone calls (sometimes called vishing), text messages (smishing), fake IT support requests, and impersonation attacks where someone poses as a supplier, colleague, or authority figure. The most effective social engineering attacks combine technical and human elements — for example, an attacker who compromises one supplier’s email account to send convincing invoice fraud requests to all of that supplier’s clients.


Spear Phishing

Threats & Attacks

Also known as: spear-phishing

Spear phishing is a targeted form of phishing where the attacker researches you or your organisation before making contact, so the message appears highly specific and credible. Rather than a generic “your parcel is waiting” email sent to millions, a spear phishing attack might reference your actual supplier by name, mimic your CEO’s writing style, or arrive at a moment that makes perfect sense — like just after you’ve announced a new contract.

Attackers gather this information from LinkedIn, company websites, social media, and leaked data. The goal is the same as regular phishing — steal credentials, trigger a fraudulent payment, or install malware — but the personalisation makes it much harder for staff to recognise as suspicious. Business email compromise attacks almost always begin with spear phishing.


Supply Chain Attack

Threats & Attacks

Also known as: supply chain compromise, third-party attack

A supply chain attack happens when an attacker targets a supplier, software vendor, or service provider that you rely on — rather than attacking you directly — in order to reach you through the trusted relationship you have with that third party. Because businesses generally trust their established suppliers and automatically apply software updates from known vendors, a compromised supplier can provide an attacker with access to dozens or hundreds of downstream organisations at once.

High-profile examples include the SolarWinds attack, where malicious code was inserted into a software update that was then distributed to thousands of organisations worldwide. For small businesses, the most common supply chain risks are: IT providers with broad access to client systems, software that phones home to a vendor’s servers, and email platforms where one compromised account can reach an entire contact list. Knowing which third parties have access to your systems and data — and holding them to basic security standards — is the first step in managing supply chain risk.


T

Threat Actor

Threats & Attacks

Also known as: attacker, hacker, cyber criminal, nation-state actor

A threat actor is anyone or any group that carries out or has the intent to carry out a cyber attack. The term is deliberately broad because the motivations, capabilities, and targets of those attacking organisations vary enormously. Threat actors include: financially motivated criminal gangs running ransomware operations as a business, nation-state groups conducting espionage or sabotage on behalf of governments, hacktivists with political motivations, and opportunistic individuals exploiting publicly known vulnerabilities with off-the-shelf tools.

For most small businesses, the relevant threat actors are financially motivated criminals rather than sophisticated nation-state groups. These attackers are not specifically targeting you — they’re running industrialised operations that scan the internet for any organisation with unpatched systems, weak passwords, or no MFA, and exploit whatever they find. Understanding this changes the defensive calculus: you don’t need to beat a determined nation-state adversary, you need to be harder to exploit than the organisation next door.


U

UK GDPR

UK Compliance & Regulation

Also known as: GDPR, General Data Protection Regulation, UK General Data Protection Regulation

UK GDPR is the data protection law that governs how organisations in the United Kingdom collect, store, use, and share personal data. It came into effect in 2018 alongside the Data Protection Act, and was retained into UK law after Brexit — so it applies regardless of the EU’s version. Personal data means any information that can identify a living person: names, email addresses, IP addresses, location data, and much more.

For small businesses, UK GDPR creates real obligations: you must have a lawful reason to process personal data, you must tell people what you’re doing with their data, you must keep it secure, and you must report certain data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. Getting it wrong can result in ICO enforcement action and fines — but the more immediate risk for most small businesses is reputational damage if client data is lost or exposed.


V

Vishing

Threats & Attacks

Also known as: voice phishing, phone phishing

Vishing — short for voice phishing — is a social engineering attack carried out over the phone rather than by email. The caller impersonates a trusted authority — your bank, HMRC, Microsoft technical support, a government body, or a supplier — and attempts to extract sensitive information, persuade you to transfer money, or get you to install remote access software on your computer.

AI voice cloning tools have made vishing significantly more dangerous in recent years, enabling attackers to generate convincing imitations of real people’s voices — including colleagues and company directors — from only a few seconds of audio sourced from social media or public recordings. The defence is verification: if a caller asks you to do anything financial or security-related, hang up and call back on a number you already have on file. Never call back on a number the original caller provided.


VPN

Infrastructure

Also known as: Virtual Private Network

A VPN — Virtual Private Network — creates an encrypted tunnel between your device and a remote server, masking your internet traffic from anyone who might be watching on the network between you and that server. Originally developed for businesses to allow staff to securely connect to office systems while working remotely, VPNs are now also widely marketed to consumers for privacy.

For small businesses, VPNs are most relevant in two contexts: giving remote workers secure access to internal systems, and protecting staff who regularly work on public Wi-Fi networks. However, the security of a VPN is only as good as how it’s configured and maintained. In recent years, vulnerabilities in popular business VPN products from vendors like Fortinet, Ivanti, and Citrix have been actively exploited by attackers — making timely patching of VPN appliances a critical priority. A poorly maintained VPN can become an entry point rather than a protection.


Vulnerability

Concepts

Also known as: security vulnerability, security flaw, security weakness

A vulnerability is a weakness in a piece of software, hardware, or a system configuration that could be exploited by an attacker to gain unauthorised access, cause damage, or steal data. Vulnerabilities are discovered constantly — in operating systems, browsers, applications, routers, and virtually every piece of software that exists — and are typically assigned a severity score and given a unique identifier (called a CVE number) so they can be tracked.

Most vulnerabilities that affect small businesses are not exotic or theoretical — they’re well-known flaws in commonly used software for which patches already exist. The risk comes from the gap between when a patch is released and when it’s applied. Attackers routinely scan the internet for systems running unpatched software and exploit known vulnerabilities at scale. This is why patch management is a foundational security control, and why “it hasn’t been a problem yet” is not a reassuring answer when asked about update schedules.


Z

Zero Trust

Concepts

Also known as: zero trust security, zero trust architecture, zero trust model

Zero Trust is a security approach built on the principle of “never trust, always verify.” In a traditional network security model, anyone already inside the network perimeter — your office building, your VPN — was implicitly trusted. Zero Trust rejects that assumption entirely: no user, device, or system is trusted by default, regardless of where they’re connecting from, and access to any resource must be continuously verified.

In practical terms, Zero Trust means requiring strong authentication every time (not just once at login), limiting what each user and device can access to only what they specifically need, monitoring behaviour continuously for anomalies, and assuming that a breach may already be in progress. It’s less a product you buy and more an approach you build toward. For small businesses, the principles of Zero Trust are already embedded in good basic hygiene: MFA everywhere, least-privilege access controls, and not trusting devices just because they’re on your network.


Zero-Day

Threats & Attacks

Also known as: zero-day vulnerability, zero-day exploit, 0-day

A zero-day is a security vulnerability that is unknown to the software vendor — or known but not yet fixed — and therefore has no patch available. The name comes from the fact that developers have had “zero days” to fix the problem. Zero-days are particularly dangerous because there’s no straightforward defence: you can’t patch against a flaw the vendor doesn’t know about.

For most small businesses, zero-days are not the primary threat — the vast majority of attacks exploit known vulnerabilities that already have patches available. However, zero-days do matter because they’re often used in high-profile attacks on government, critical infrastructure, and large enterprises, and they sometimes trickle down into tools used by criminal groups targeting smaller organisations. Staying current with patches for everything else remains the most important practical step, because it removes the much larger attack surface of known, patchable vulnerabilities.
