90 key terms covering NIS2 compliance, vCISO services, cyber insurance, AI threats, incident response, and practical security — written for Irish business owners, not IT specialists.
A
Access Control
Pragmatic Security
A security mechanism that restricts who can view or use resources in a computing environment. Access control policies define which users, devices, or systems are permitted to access specific data or applications, and under what conditions. For Irish SMEs, strong access control — including role-based permissions and the principle of least privilege — is one of the most effective ways to limit the blast radius of a breach.
Advanced Persistent Threat (APT)
A sophisticated, long-term cyberattack in which an intruder gains access to a network and remains undetected for an extended period. APT actors — often nation-state groups or well-funded criminal organisations — are patient, methodical, and focused on high-value targets. While APTs typically target large enterprises and critical infrastructure, supply-chain attacks mean SMEs can be used as stepping stones into bigger organisations.
AI-Generated Malware
AI & Emerging Threats
Malicious software created or enhanced using artificial intelligence tools, enabling attackers to produce novel variants faster than traditional signature-based defences can detect them. AI lowers the technical barrier for writing functional malware, meaning less-skilled threat actors can now produce sophisticated attacks. Endpoint Detection and Response (EDR) tools that use behavioural analysis are better equipped to catch AI-generated threats than legacy antivirus.
AI-Powered Phishing
Phishing attacks that use large language models (LLMs) to craft highly personalised, grammatically perfect lure emails at scale. Unlike traditional phishing, which is often identifiable by poor spelling or generic greetings, AI-powered phishing can mimic a colleague's writing style, reference real recent events, and pass basic human scrutiny. Security awareness training must evolve to account for the fact that employees can no longer rely on spotting obvious errors.
Asset Inventory
A complete, up-to-date register of all hardware, software, data, and services that an organisation owns or relies upon. You cannot protect what you do not know you have — asset inventory is the foundation of every effective security programme. NCSC Ireland's 12 Steps to Cyber Security lists asset management as the first and most critical control.
Attack Surface
The total set of points — hardware, software, network interfaces, user accounts, and third-party integrations — through which an attacker could potentially gain unauthorised access to a system. Reducing your attack surface by disabling unused services, removing unnecessary software, and enforcing least-privilege access is a core principle of good security hygiene.
Audit Log
Pragmatic Security
A chronological record of events within a system, capturing who did what, when, and from where. Audit logs are essential for detecting suspicious activity, investigating incidents, and demonstrating compliance with regulations such as NIS2 and GDPR. Logs should be stored securely (ideally forwarded to a store that the administrators they record cannot edit or delete, so an intruder cannot cover their tracks), retained for an appropriate period, and reviewed regularly, not just after an incident.
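What "reviewing regularly" looks like in practice is searching the log for patterns rather than reading it line by line. The following is an added example (not code from the glossary) that scans a small audit log for the classic password-guessing signature: a successful login immediately after a burst of failures from the same user and address. The log lines are constructed for illustration, and the line format (timestamp, event name, then key=value fields) is an assumption rather than any real product's format. The same logic is what a SIEM correlation rule expresses at scale across many log sources.

```python
"""Added example (not code from the glossary): reviewing an audit log for a
password-guessing pattern. Log lines and the 'TIMESTAMP EVENT key=value ...'
format are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): alice is brute-forced and then
# logs in; bob mistypes once and logs in much later.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-04T08:01:12Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-04T08:01:15Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-04T08:01:17Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-04T08:01:19Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-03-04T08:01:21Z LOGIN_OK user=alice ip=203.0.113.7
2024-03-04T08:05:00Z LOGIN_FAILED user=bob ip=198.51.100.2
2024-03-04T08:30:00Z LOGIN_OK user=bob ip=198.51.100.2
2024-03-04T09:00:00Z FILE_DOWNLOAD user=alice ip=203.0.113.7 path=/finance/payroll.xlsx
"""


def parse_line(line: str) -> dict:
    """Turn one 'TIMESTAMP EVENT key=value ...' line into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_brute_force_logins(log_text: str, threshold: int = 5, window_minutes: int = 5) -> list:
    """Return (user, ip, timestamp) for every LOGIN_OK that follows at least
    `threshold` LOGIN_FAILED events for the same user+ip within `window_minutes`.
    A success right after a burst of failures is the 'password guessed' signature."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # (user, ip) -> times of recent failures
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec.get("user"), rec.get("ip"))
        if rec["event"] == "LOGIN_FAILED":
            failures[key].append(rec["when"])
        elif rec["event"] == "LOGIN_OK":
            recent = [t for t in failures[key] if rec["when"] - t <= window]
            if len(recent) >= threshold:
                hits.append((key[0], key[1], rec["ts"]))
            failures[key].clear()   # a success resets the counter either way
    return hits


if __name__ == "__main__":
    for user, ip, when in find_brute_force_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} at {when} after repeated failures")
```

Running it flags alice's 08:01:21 login and ignores bob's single typo. The threshold and window are the knobs an analyst tunes: too tight and slow, patient guessing slips through, too loose and every forgetful user becomes an alert.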
Authentication
Pragmatic Security
The process of verifying that a user, device, or system is who or what it claims to be. Passwords alone are the weakest form of authentication; multi-factor authentication (MFA) adds one or more additional verification steps — such as a one-time code or biometric check — to significantly reduce the risk of unauthorised access.
B
Backup Strategy
A documented plan for creating, storing, and testing copies of critical data so that it can be recovered following a ransomware attack, hardware failure, or accidental deletion. The industry-standard approach is the 3-2-1-1-0 rule: three copies of data, on two different media types, with one copy offsite, one copy offline or immutable, and zero unverified backups.
BEC (Business Email Compromise)
A type of fraud in which an attacker impersonates a senior executive, supplier, or trusted contact via email to trick employees into transferring money or sensitive data. BEC attacks cost businesses billions globally each year and are often carried out without any malware — making them difficult for technical controls alone to catch. Staff training and payment verification procedures are the most effective defences.
Breach Notification
The legal obligation to inform regulators and, in some cases, affected individuals when a personal data breach occurs. Under GDPR, Irish businesses must notify the Data Protection Commission (DPC) within 72 hours of becoming aware of a qualifying breach. NIS2 introduces separate, stricter incident reporting timelines for in-scope organisations: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of that notification.
BYOD (Bring Your Own Device)
A policy that allows employees to use their personal smartphones, laptops, or tablets for work purposes. BYOD increases flexibility and can reduce hardware costs, but it also introduces significant security risks — personal devices may lack corporate security controls, run outdated software, or be shared with family members. A formal BYOD policy should define acceptable use, minimum security requirements, and the organisation's right to remotely wipe corporate data.
C
CISA (Certified Information Systems Auditor)
A globally recognised professional certification awarded by ISACA, validating expertise in auditing, controlling, and monitoring information systems. CISA-certified professionals are qualified to assess whether an organisation's IT controls are adequate, functioning correctly, and aligned with business objectives. It is one of the most respected credentials in the information security and IT audit profession.
CISM (Certified Information Security Manager)
vCISO & Security Leadership
A management-focused certification from ISACA that validates expertise in information security governance, risk management, incident management, and programme development. CISM is designed for practitioners who design and manage enterprise security programmes rather than those focused on technical implementation. It is widely recognised by employers and regulators as a mark of security leadership competence.
CISSP (Certified Information Systems Security Professional)
vCISO & Security Leadership
Widely regarded as the gold standard of cybersecurity certifications, the CISSP is awarded by ISC2 and covers eight domains of security knowledge — from security architecture and engineering to identity management and software development security. It requires a minimum of five years of professional experience and is recognised globally as a mark of senior security expertise.
CISO (Chief Information Security Officer)
vCISO & Security Leadership
The senior executive responsible for an organisation's information security strategy, governance, and risk management. The CISO reports to the board or CEO, translates technical risk into business language, and ensures that security investment is aligned with organisational objectives. Many SMEs cannot justify a full-time CISO — which is why the virtual CISO (vCISO) model has become increasingly popular.
Cloud Security
The set of policies, controls, and technologies designed to protect data, applications, and infrastructure hosted in cloud environments such as Microsoft Azure, AWS, or Google Cloud. Cloud security is a shared responsibility — the cloud provider secures the underlying infrastructure, while the customer is responsible for securing their data, access controls, and configurations. Misconfigured cloud storage is one of the most common causes of data breaches.
COBIT (Control Objectives for Information and Related Technologies)
vCISO & Security Leadership
A governance and management framework for enterprise IT, developed by ISACA. COBIT provides a comprehensive set of controls and best practices for aligning IT activities with business goals, managing risk, and ensuring compliance. It is widely used by auditors and security professionals to design and assess IT governance programmes.
Compliance
NIS2 Compliance
The state of adhering to laws, regulations, standards, or contractual obligations relevant to an organisation's operations. In the cybersecurity context, compliance typically refers to meeting the requirements of frameworks such as NIS2, GDPR, ISO 27001, or sector-specific regulations. Compliance is a floor, not a ceiling — it establishes minimum acceptable standards but does not guarantee that an organisation is genuinely secure.
Cyber Essentials
Pragmatic Security
A UK government-backed certification scheme that helps organisations protect themselves against the most common cyber threats. It covers five technical controls: firewalls, secure configuration, security update management (patching), user access control, and malware protection. While not mandatory in Ireland, Cyber Essentials is increasingly referenced in procurement requirements and provides a useful baseline for SMEs starting their security journey.
Cyber Insurance
Cyber Insurance
A specialist insurance product that covers financial losses arising from cyberattacks, data breaches, and related incidents. Policies typically cover costs such as incident response, legal fees, regulatory fines, business interruption, and customer notification. Insurers are increasingly requiring policyholders to demonstrate minimum security controls — such as MFA and tested backups — before issuing or renewing coverage.
Cyber Kill Chain
A framework developed by Lockheed Martin that describes the stages of a cyberattack: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. Understanding the kill chain helps defenders identify where they can interrupt an attack before it reaches its goal. Disrupting an attack at the early stages — such as blocking delivery — is far less costly than responding after exploitation.
Cyber Resilience
NIS2 Compliance
The ability of an organisation to anticipate, withstand, recover from, and adapt to cyberattacks and security incidents. Resilience goes beyond prevention — it acknowledges that breaches will happen and focuses on minimising their impact and restoring normal operations quickly. NIS2 explicitly requires in-scope organisations to demonstrate cyber resilience, not just compliance with technical controls.
D
Dark Web Monitoring
Pragmatic Security
A service that continuously scans dark web forums, marketplaces, and data dumps for an organisation's compromised credentials, stolen data, or mentions of their brand. When employee passwords or customer data appear on the dark web, it is often the first indicator that a breach has occurred — sometimes months before the organisation discovers it internally.
Data Breach
Incident Response & Business Continuity
An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorisation. Data breaches can result from cyberattacks, accidental disclosure, insider threats, or lost/stolen devices. Under GDPR, Irish businesses must report qualifying breaches to the Data Protection Commission within 72 hours and may face significant fines for failures in data protection.
DPC (Data Protection Commission)
Ireland's national data protection supervisory authority, responsible for enforcing the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The DPC investigates complaints, conducts audits, and can impose fines of up to €20 million or 4% of global annual turnover for serious GDPR violations. Irish businesses that handle personal data must comply with DPC guidance and report qualifying data breaches within 72 hours.
Deepfake
AI & Emerging Threats
Synthetic media — video, audio, or images — generated by artificial intelligence to convincingly portray a real person saying or doing something they did not. Deepfakes are increasingly being used in fraud, including CEO impersonation attacks where a fake audio or video call is used to authorise fraudulent payments. Verification procedures that do not rely solely on voice or video recognition are essential defences.
Defence in Depth
A security strategy that layers multiple independent controls so that if one fails, others remain in place. Rather than relying on a single firewall or antivirus product, defence in depth combines network controls, endpoint security, identity management, encryption, monitoring, and user training. No single control is perfect — layering them significantly raises the cost and complexity of a successful attack.
DDoS (Distributed Denial of Service)
Incident Response & Business Continuity
An attack that overwhelms a website, server, or network with traffic from thousands of compromised machines simultaneously, making it unavailable to legitimate users. DDoS attacks are often used as a distraction while attackers carry out other malicious activity, or as a form of extortion. Cloud-based DDoS mitigation services can absorb large-scale attacks before they reach an organisation's infrastructure.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Pragmatic Security
An email authentication protocol that lets you publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to come from your domain but fail authentication, the technique attackers rely on being known as email spoofing. DMARC builds on SPF and DKIM: a message passes only if at least one of them succeeds for a domain aligned with the visible From address. The policy can be p=none (monitor and report only), p=quarantine (deliver to spam) or p=reject (refuse), and only the enforcing policies actually stop spoofed mail from reaching recipients. Implementing DMARC is one of the most impactful and cost-effective email security controls available to Irish SMEs.
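A DMARC record is a short tag=value string in a TXT record at _dmarc.yourdomain. The following added example (not code from the glossary) parses such a record and reports the settings that leave a domain exposed, and shows a typical staged rollout from monitoring to enforcement. The domain example.ie and the reporting mailbox are placeholders constructed for this example.

```python
"""Added example (not code from the glossary): parse a DMARC TXT record and point
out settings that leave a domain exposed. 'example.ie' and the mailbox addresses
are placeholders chosen for this example."""

POLICIES = ("none", "quarantine", "reject")

# Constructed staged rollout: monitor, then quarantine a quarter of failing mail,
# then reject everything that fails, with strict SPF/DKIM alignment.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ie",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.ie",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.ie; adkim=s; aspf=s",
]


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' pairs into a dict (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple:
    """Return (usable, findings). usable=False means receivers will ignore the
    record entirely; findings list weaknesses in an otherwise valid record."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return False, [str(exc)]
    # RFC 7489: the record must begin with v=DMARC1 and must carry a p= tag.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return False, ["record must start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in POLICIES:
        return False, ["p= must be none, quarantine or reject"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return False, ["pct= must be an integer 0-100"]
    if int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if policy != "none" and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return True, findings


if __name__ == "__main__":
    for record in ROLLOUT:
        usable, findings = assess_dmarc(record)
        print(record, "->", "OK" if usable and not findings else findings)
```

The rollout order matters: publish p=none first and read the aggregate reports for a few weeks to find legitimate senders (payroll providers, CRM, newsletter tools) that are not yet covered by SPF or DKIM, otherwise moving straight to p=reject will block your own mail.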
DORA (Digital Operational Resilience Act)
An EU regulation that establishes binding requirements for the digital operational resilience of financial entities — including banks, insurance companies, investment firms, and their critical ICT service providers. DORA entered into force in January 2023 and has applied since 17 January 2025; it requires in-scope organisations to implement robust ICT risk management, incident reporting, resilience testing, and third-party risk oversight. It operates alongside NIS2 but with sector-specific requirements.
E
EDR (Endpoint Detection and Response)
A security technology that continuously monitors endpoint devices — laptops, desktops, servers, and mobile devices — for signs of malicious activity, and provides tools to investigate and respond to threats. Unlike traditional antivirus, which relies on known malware signatures, EDR uses behavioural analysis to detect novel threats. EDR is now considered the minimum standard for endpoint protection in any organisation handling sensitive data.
Encryption
The process of converting data into an unreadable format using a cryptographic algorithm, so that only authorised parties with the correct decryption key can access it. Encryption protects data both at rest (stored on devices or servers) and in transit (moving across networks). Full-disk encryption on laptops and mobile devices is a critical control: if a device is lost or stolen, the data remains inaccessible to the finder, provided the device was locked or powered off and the key is protected by a strong PIN or passphrase rather than a trivial one.
EU AI Act
AI & Emerging Threats
The world's first comprehensive legal framework for artificial intelligence, adopted by the European Union in 2024. The EU AI Act classifies AI systems by risk level — from minimal to unacceptable — and imposes obligations on developers and deployers of high-risk AI. Irish businesses that use AI tools in hiring, credit scoring, critical infrastructure, or law enforcement contexts will need to assess their obligations under the Act.
Exposure Management
A continuous process of identifying, prioritising, and reducing the vulnerabilities and misconfigurations that could be exploited by an attacker. Exposure management goes beyond traditional vulnerability scanning by considering the business context and exploitability of each weakness — helping organisations focus remediation effort where it matters most.
F
Firewall
Pragmatic Security
A network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. Firewalls act as a barrier between trusted internal networks and untrusted external networks such as the internet. Modern next-generation firewalls (NGFW) go beyond port and protocol filtering to inspect application-layer traffic and detect threats in real time.
Forensic Investigation
Incident Response & Business Continuity
The systematic collection, preservation, and analysis of digital evidence following a security incident, with the goal of understanding what happened, how, and by whom. Digital forensics is critical for incident response, insurance claims, and potential legal proceedings. Evidence must be handled in a way that preserves its integrity and chain of custody — which is why engaging a qualified forensics professional is important.
Fractional CISO
vCISO & Security Leadership
Another term for a virtual CISO (vCISO) — a senior security professional engaged on a part-time or retainer basis rather than as a full-time employee. The fractional model gives SMEs access to board-level security leadership at a fraction of the cost of a full-time hire. The engagement can be structured as a fixed monthly retainer, a project-based arrangement, or a hybrid of both.
G
GDPR (General Data Protection Regulation)
The European Union's primary data protection law, adopted in 2016 and applicable since 25 May 2018. GDPR grants individuals rights over their personal data and imposes obligations on organisations that collect, store, or process it — including requirements for lawful basis, data minimisation, security, and breach notification. Irish businesses are subject to GDPR and supervised by the Data Protection Commission (DPC).
Governance (Security Governance)
vCISO & Security Leadership
The framework of policies, processes, roles, and accountability structures through which an organisation directs and controls its information security activities. Good security governance ensures that security decisions are made at the right level, aligned with business objectives, and subject to appropriate oversight. It is a core component of the vCISO role and a key requirement under NIS2.
H
Human Firewall
Security Awareness & Human Factors
The concept of employees as an active layer of security defence — able to recognise, resist, and report social engineering attacks, phishing emails, and suspicious activity. Building a human firewall requires ongoing security awareness training, clear reporting channels, and a culture where employees feel safe raising concerns without fear of blame.
I
IAM (Identity and Access Management)
A framework of policies and technologies that ensures the right individuals have access to the right resources at the right times, for the right reasons. IAM encompasses user provisioning, authentication, authorisation, single sign-on (SSO), and privileged access management (PAM). Weak IAM — such as shared accounts, excessive permissions, or no MFA — is one of the most common root causes of security breaches.
Incident Response
Incident Response & Business Continuity
The organised approach to addressing and managing the aftermath of a security breach or cyberattack. An effective incident response plan defines roles and responsibilities, communication procedures, containment steps, eradication processes, and recovery actions. Having a tested plan in place before an incident occurs dramatically reduces the time to recovery and the overall cost of a breach.
Incident Response Retainer
A pre-arranged agreement with a cybersecurity firm to provide rapid incident response services when needed, typically at a pre-negotiated rate. Having a retainer in place means you are not scrambling to find qualified help in the middle of a crisis. Some cyber insurance policies require or incentivise the use of pre-approved incident response providers.
Insider Threat
Security Awareness & Human Factors
A security risk that originates from within an organisation — typically a current or former employee, contractor, or business partner who misuses their authorised access. Insider threats can be malicious (deliberate sabotage or data theft) or unintentional (accidental data disclosure or falling for a phishing attack). Monitoring user behaviour, enforcing least-privilege access, and conducting offboarding procedures are key controls.
ISO 27001
The international standard for information security management systems (ISMS), published jointly by ISO and IEC as ISO/IEC 27001. ISO 27001 provides a systematic framework for managing sensitive information, covering risk assessment, security controls, and continual improvement. Certification to ISO 27001 demonstrates to customers, partners, and regulators that an organisation takes information security seriously.
L
Least Privilege
Pragmatic Security
A security principle that states users, applications, and systems should be granted only the minimum level of access required to perform their function — nothing more. Enforcing least privilege limits the damage that can be caused by a compromised account or a malicious insider. It is a foundational control in Zero Trust architecture and a key requirement of NIS2.
LLM (Large Language Model)
AI & Emerging Threats
A type of artificial intelligence trained on vast quantities of text data, capable of generating human-like text, answering questions, writing code, and performing a wide range of language tasks. LLMs such as OpenAI's GPT models (which power ChatGPT and Microsoft Copilot) and Anthropic's Claude now sit behind everyday assistant tools. From a security perspective, LLMs introduce risks including data leakage (employees sharing sensitive information with AI tools) and their use by attackers to craft more convincing phishing and social engineering attacks.
M
Malware
A broad term for any software intentionally designed to cause harm to a computer, network, or user. Malware includes viruses, worms, trojans, ransomware, spyware, and adware. It is typically delivered via phishing emails, malicious downloads, compromised websites, or infected USB drives. Endpoint protection, email filtering, and user awareness training are the primary defences.
MFA (Multi-Factor Authentication)
Pragmatic Security
An authentication method that requires users to verify their identity using two or more independent factors: something they know (password), something they have (authenticator app or hardware token), or something they are (biometric). MFA is one of the single most effective controls against account takeover: it blocks the vast majority of credential-based attacks even when passwords have been compromised. Not all factors are equal, however. SMS codes can be intercepted or SIM-swapped, and push notifications can be approved by a tired user under a flood of prompts, so phishing-resistant methods such as FIDO2 security keys or passkeys should be preferred, at minimum for administrators and finance staff.
MSSP (Managed Security Service Provider)
A third-party company that provides outsourced monitoring and management of security systems and functions. MSSPs typically offer services such as 24/7 security operations centre (SOC) monitoring, threat detection, firewall management, and vulnerability scanning. Unlike a vCISO, an MSSP focuses on operational security delivery rather than strategic leadership and governance.
N
NCSC (National Cyber Security Centre)
Ireland's national authority for cybersecurity, operating under the Department of the Environment, Climate and Communications. The NCSC provides guidance, incident response support, and threat intelligence to Irish organisations. It publishes practical resources for SMEs — including the 12 Steps to Cyber Security framework — and is the designated national authority for NIS2 implementation in Ireland.
Network Segmentation
Pragmatic Security
The practice of dividing a computer network into smaller, isolated zones to limit the spread of an attack. If an attacker compromises one segment — such as a guest Wi-Fi network or a workstation — segmentation prevents them from moving laterally to more sensitive systems such as financial databases or operational technology. It is a key control in Zero Trust architecture.
NIS2 (Network and Information Security Directive 2)
The EU's Network and Information Security Directive 2 (NIS2) is the primary European legislation governing cybersecurity for critical and important sectors. It replaces the original NIS Directive and significantly expands its scope, covering sectors including energy, transport, health, digital infrastructure, manufacturing, food, and waste management. Member States were required to transpose it into national law by 17 October 2024; Ireland is doing so through the National Cyber Security Bill, with the NCSC as the lead competent authority.
NIS2 Penalties
The sanctions available to national authorities for non-compliance with NIS2. For essential entities, fines can reach €10 million or 2% of global annual turnover (whichever is higher). For important entities, the maximum is €7 million or 1.4% of global annual turnover. Senior management can also be held personally liable, and temporary bans on executives are possible in serious cases.
O
OSINT (Open Source Intelligence)
Information gathered from publicly available sources — websites, social media, company filings, job postings, and more — and used to build a picture of a target organisation or individual. Attackers use OSINT extensively during the reconnaissance phase of an attack to identify employees, technologies in use, and potential vulnerabilities. Organisations should periodically review their own digital footprint to understand what an attacker could learn about them.
P
Patch Management
Pragmatic Security
The process of identifying, acquiring, testing, and applying software updates (patches) to fix security vulnerabilities and improve functionality. Unpatched software is one of the most common entry points for attackers — many major breaches exploit vulnerabilities for which patches were available months or years before the attack. A formal patch management process should define timelines for applying critical, high, and medium-severity patches.
Penetration Testing
A simulated cyberattack conducted by authorised security professionals to identify exploitable vulnerabilities in systems, networks, or applications before real attackers do. Penetration tests can be black-box (no prior knowledge), white-box (full knowledge), or grey-box (partial knowledge). Results should be used to prioritise remediation, not just to generate a compliance report.
Phishing
Security Awareness & Human Factors
A social engineering attack in which an attacker sends a fraudulent message — typically by email — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. Phishing is the most common initial attack vector in cybercrime. Variants include spear phishing (targeted at a specific individual), whaling (targeting executives), vishing (voice phishing), and quishing (QR code phishing).
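A large share of phishing and BEC mail comes from domains built to look like yours: a digit in place of a letter, two letters that merge into one at a glance, a different top-level domain, or your domain used as a subdomain of the attacker's. The following added example (not code from the glossary) classifies an incoming sender domain against the organisation's own domain using homoglyph folding and edit distance, the kind of check a mail gateway rule or a finance team's payment-verification script can apply before anyone acts on a request. The domain example.ie and the sender domains are constructed for illustration.

```python
"""Added example (not code from the glossary): classify a sender domain against the
organisation's own domain to catch the lookalikes used in phishing and BEC.
'example.ie' and the sender domains are constructed for illustration."""

# Substitutions attackers use because the characters look alike in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(label: str) -> str:
    """Fold common homoglyphs so 'examp1e' and 'exarnple' compare equal to 'example'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender: str, own: str, max_distance: int = 2) -> str:
    """Label a sender domain relative to the organisation's own domain."""
    s, o = sender.lower().strip("."), own.lower().strip(".")
    if s == o:
        return "own"
    if s.endswith("." + o):
        return "own-subdomain"          # mail.example.ie
    if s.startswith(o + "."):
        return "lookalike-subdomain"    # example.ie.secure-login.com
    s_label, _, s_suffix = s.partition(".")
    o_label, _, o_suffix = o.partition(".")
    if normalise(s_label) == normalise(o_label):
        # same brand label once homoglyphs are folded: either a character swap
        # (examp1e.ie) or the real label under a different TLD (example.com)
        return "lookalike-homoglyph" if s_label != o_label else "lookalike-tld"
    if levenshtein(normalise(s_label), normalise(o_label)) <= max_distance:
        return "lookalike-typo"         # exampel.ie, examples.ie
    return "external"


if __name__ == "__main__":
    for candidate in ("mail.example.ie", "examp1e.ie", "exarnple.ie", "example.com",
                      "example.ie.secure-login.com", "exampel.ie", "acme.ie"):
        print(f"{candidate:30} {classify_sender_domain(candidate, 'example.ie')}")
```

Anything other than "own" or "own-subdomain" on a message that asks for a payment or a change of bank details should trigger the out-of-band verification step (a phone call to a known number). The check is deliberately narrow: it does not catch display-name spoofing from a free webmail account, nor a genuinely compromised supplier mailbox, which is why it complements rather than replaces staff training and payment procedures.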
Phishing Simulation
A controlled exercise in which an organisation sends realistic but harmless fake phishing emails to its own employees to test their awareness and identify who is most susceptible to social engineering. Phishing simulations are most effective when combined with immediate, non-punitive training for those who click, and when results are used to improve the overall security awareness programme.
PAM (Privileged Access Management)
A security discipline focused on controlling, monitoring, and auditing the use of privileged accounts — those with elevated permissions such as system administrators, database administrators, and root accounts. Privileged accounts are high-value targets for attackers because compromising one can provide unrestricted access to critical systems. PAM solutions enforce just-in-time access, session recording, and credential vaulting.
Q
Quishing
Security Awareness & Human Factors
A phishing attack that uses QR codes instead of traditional hyperlinks to direct victims to malicious websites. Because the destination URL is encoded in an image rather than in a clickable link, it is not visible until scanned and is missed by email filters that only inspect link text; scanning also moves the victim onto a personal phone that may sit outside corporate controls. Quishing attacks are increasingly reported in Ireland, particularly targeting business owners and employees via email and printed materials.
R
Ransomware
A type of malware that encrypts a victim's files and demands a ransom payment — typically in cryptocurrency — in exchange for the decryption key. Modern ransomware attacks often involve double extortion: attackers exfiltrate data before encrypting it, threatening to publish it publicly if the ransom is not paid. Offline, tested backups are the most effective defence against ransomware, alongside EDR, MFA, and network segmentation.
Risk Assessment
A structured process for identifying, analysing, and evaluating the cybersecurity risks facing an organisation. A risk assessment considers the likelihood and potential impact of various threat scenarios, the effectiveness of existing controls, and the organisation's risk appetite. It is the foundation of any security programme and a core requirement under NIS2, ISO 27001, and GDPR.
Risk Appetite
The level of risk an organisation is willing to accept in pursuit of its objectives. Risk appetite is not a fixed number — it varies by risk type, business context, and regulatory environment. Defining risk appetite is a board-level responsibility and is essential for making proportionate security investment decisions. A vCISO helps translate technical risk into business terms so that leadership can make informed choices.
Risk Register
Risk Management
A document that records identified risks, their likelihood and impact scores, the controls in place to mitigate them, and the residual risk remaining after those controls are applied. A well-maintained risk register is a living document — reviewed and updated regularly — and is a key artefact for demonstrating governance maturity to regulators, insurers, and board members.
S
SASE (Secure Access Service Edge)
Remote & Hybrid Work Security
A cloud-delivered security architecture that combines network security functions — such as secure web gateway, cloud access security broker (CASB), and Zero Trust Network Access (ZTNA) — with wide-area networking (WAN) capabilities. SASE is designed for distributed workforces and cloud-first organisations, providing consistent security regardless of where users are located.
Security Audit
Risk Management
A systematic evaluation of an organisation's security posture, policies, and controls against a defined standard or framework. Security audits can be internal (conducted by the organisation's own team) or external (conducted by an independent third party). Regular audits help identify gaps, validate the effectiveness of controls, and provide evidence of due diligence to regulators and insurers.
Security Awareness Training
Structured education programmes designed to improve employees' understanding of cybersecurity threats, safe behaviours, and their role in protecting the organisation. Effective security awareness training goes beyond annual compliance tick-boxes — it uses engaging formats, real-world examples, and regular reinforcement to build lasting behavioural change. It is one of the most cost-effective security investments available to most SMEs.
SOC (Security Operations Centre)
A centralised team — internal or outsourced — responsible for continuously monitoring an organisation's IT environment for security threats, analysing alerts, and responding to incidents. A SOC typically operates 24/7 and uses a combination of SIEM tools, threat intelligence, and human analysis. For most Irish SMEs, a managed SOC provided by an MSSP is more cost-effective than building an internal capability.
Security Policy
vCISO & Security Leadership
A formal document that defines an organisation's security objectives, the rules governing the use of its systems and data, and the responsibilities of employees and management. Security policies provide the governance foundation for all security activities and are a requirement under NIS2, ISO 27001, and most cyber insurance policies. Policies must be communicated clearly, reviewed regularly, and enforced consistently.
Security Posture
The overall strength of an organisation's cybersecurity defences — encompassing its policies, controls, processes, and culture. Security posture is not a binary state but a spectrum, and it changes continuously as new threats emerge, technology evolves, and the business grows. A vCISO's primary role is to assess, improve, and maintain an organisation's security posture over time.
Security Roadmap
vCISO & Security Leadership
A prioritised, time-bound plan for improving an organisation's security posture. A security roadmap translates the findings of a risk assessment into a sequence of actionable initiatives, with clear owners, timelines, and success metrics. It is a key deliverable from a vCISO engagement and provides the board with visibility of where security investment is going and what outcomes it is delivering.
Shadow IT
Technology — applications, services, or devices — used within an organisation without the knowledge or approval of the IT or security team. Shadow IT is particularly prevalent in remote and hybrid work environments, where employees use personal tools to work around perceived friction. It creates security blind spots because unsanctioned tools are not subject to the organisation's security controls, patching, or data governance policies.
SIEM (Security Information and Event Management)
A technology platform that aggregates and analyses log data from across an organisation's IT environment — firewalls, servers, endpoints, applications — to detect patterns indicative of a security incident. SIEM provides the visibility needed to identify attacks that span multiple systems and is a core component of a mature security operations capability. Cloud-based SIEM solutions have made this technology more accessible to mid-market organisations.
SME (Small and Medium-Sized Enterprise)
Pragmatic Security
In the EU context, an SME is defined as a business with fewer than 250 employees and either an annual turnover not exceeding €50 million or a balance sheet total not exceeding €43 million. SMEs make up over 99% of businesses in Ireland and face a disproportionate cybersecurity burden — they are targeted by attackers who assume they have weaker defences, but often lack the resources of larger organisations.
Social Engineering
Security Awareness & Human Factors
The use of psychological manipulation to trick people into divulging confidential information or performing actions that compromise security. Social engineering exploits human tendencies such as trust, urgency, authority, and fear rather than technical vulnerabilities. It underpins the majority of successful cyberattacks — including phishing, vishing, pretexting, and BEC fraud.
Supply Chain Attack
An attack that targets the software development or distribution pipeline to inject malicious code into legitimate software before it reaches end users. The SolarWinds attack of 2020 — in which malicious code was inserted into a trusted IT management tool and distributed to thousands of organisations — is the most prominent example. Supply chain attacks are particularly dangerous because victims trust the compromised software.
SPF (Sender Policy Framework)
Pragmatic Security
An email authentication protocol that allows domain owners to specify which mail servers are authorised to send email on their behalf. SPF helps prevent email spoofing by enabling receiving mail servers to verify that an incoming message from a domain was sent from an authorised source. SPF works alongside DKIM and DMARC to form a comprehensive email authentication framework.
T
Threat Intelligence
Evidence-based knowledge about existing or emerging threats — including the tactics, techniques, and procedures (TTPs) of threat actors — that can be used to inform security decisions. Threat intelligence helps organisations understand who is likely to target them, how, and why, enabling more targeted and effective defences. It is consumed by SOC teams, incident responders, and security leadership.
Third-Party Risk Management
Risk Management
The process of identifying, assessing, and mitigating the cybersecurity risks introduced by vendors, suppliers, and other third parties that have access to an organisation's systems or data. Supply chain attacks and third-party breaches are a growing threat — attackers increasingly target smaller, less-secure suppliers as a route into their larger customers. NIS2 explicitly requires in-scope organisations to manage supply chain security.
Threat Modelling
A structured process for identifying potential threats to a system, understanding how they could be exploited, and prioritising mitigations. Threat modelling is typically conducted during the design phase of new systems or applications, but it is equally valuable for assessing existing environments. It helps organisations move from reactive security to a proactive, risk-informed approach.
V
vCISO (Virtual Chief Information Security Officer)
vCISO & Security Leadership
A senior cybersecurity professional engaged on a part-time, fractional, or retainer basis to provide strategic security leadership to an organisation that does not have — or need — a full-time CISO. A vCISO brings board-level security expertise, builds and oversees the security programme, manages risk, ensures regulatory compliance, and reports to leadership. For Irish SMEs, the vCISO model delivers enterprise-grade security governance at a proportionate cost.
Vulnerability
A weakness in a system, application, network, or process that could be exploited by a threat actor to gain unauthorised access or cause harm. Vulnerabilities can be technical (unpatched software, misconfigured systems) or procedural (weak password policies, lack of security training). Identifying and remediating vulnerabilities before attackers exploit them is the goal of vulnerability management programmes.
Vulnerability Scanning
Risk Management
An automated process that probes systems, networks, and applications for known security weaknesses. Vulnerability scanners compare the configuration and software versions of target systems against databases of known vulnerabilities, producing a prioritised list of findings for remediation. Regular scanning — at least quarterly, and after significant changes — is a baseline security practice and a requirement under many compliance frameworks.
VPN (Virtual Private Network)
Remote & Hybrid Work Security
A technology that creates an encrypted tunnel between a user's device and a corporate network, protecting data in transit from interception. VPNs are widely used to secure remote access for employees working from home or public locations. However, traditional VPNs have limitations — they grant broad network access once connected, which is why Zero Trust Network Access (ZTNA) is increasingly preferred for modern remote work environments.
W
Whaling
A highly targeted form of spear phishing that specifically targets senior executives — CEOs, CFOs, and board members — who have authority to authorise large financial transactions or access to sensitive information. Whaling attacks are carefully researched and personalised, often referencing real business relationships, upcoming events, or financial transactions to appear legitimate.
Z
Zero Day
AI & Emerging Threats
A software vulnerability that is unknown to the vendor and for which no patch exists. Zero-day vulnerabilities are highly valuable to attackers because there is no available fix — organisations cannot patch what has not yet been disclosed. Defence against zero-days therefore relies on layered controls such as EDR, network segmentation, and behaviour-based detection rather than on patching or signature-based detection, neither of which is available for an undisclosed flaw.
Zero Trust
Pragmatic Security
A security model based on the principle of 'never trust, always verify' — every user, device, and connection must be authenticated and authorised before being granted access to resources, regardless of whether they are inside or outside the corporate network. Zero Trust replaces the traditional 'castle and moat' approach, which assumed that anything inside the network perimeter could be trusted. It is the recommended architecture for modern, distributed organisations.
ZTNA (Zero Trust Network Access)
A technology that implements Zero Trust principles for remote access — granting users access only to the specific applications they need, rather than broad network access. Unlike traditional VPNs, ZTNA continuously verifies user identity and device health before granting access, and limits lateral movement if a device is compromised. It is the preferred remote access architecture for organisations with distributed workforces.
Understanding the language of cybersecurity is the first step. The second is knowing how it applies to your business. Book a free 20-minute call with our vCISO team and we will tell you exactly where you stand.