Cybersecurity: Your Guide to Common Terms
Our series on cybersecurity terms continues (check the last post out here), and this time, we’re taking a look at the heart of cybersecurity. What’s covered under the cloud umbrella? What is encryption? Can you really trust zero-trust? This crash course in cybersecurity terms will help you better understand the fundamentals.
Cloud security: The combination of processes, policies, procedures, tools, and controls your organization uses to protect its cloud-based assets, such as data and applications. Cloud security examples include:
- Security tools such as password managers
- Security policies that restrict user access to sensitive data
- Controls such as encrypting data stored in the cloud
Cyber insurance: A business insurance product that protects against financial losses stemming from a cybersecurity incident or data breach. While coverage varies, common cyber policies address areas such as business interruption, forensic investigations, and regulatory defense and fines.
Cybersecurity posture: Your organization’s overall ability and capability to prevent, defend against, and recover from cyber threats. The posture is the status of your company’s total defenses, including security solutions and practices.
Data privacy: The area concerning how your organization collects, uses, stores, shares, and manages the data of individuals, including employees and customers. Many nations, local governments, and industries have some form of data privacy regulations, from the General Data Protection Regulation (GDPR) in the European Union to the Personal Information Protection Law (PIPL) in China.
Decryption: The process of converting encrypted data back into its original format. The process requires the right decoding tools, such as keys, passwords, or codes.
Encryption: The process of scrambling data (“plaintext”) into an unreadable format (“ciphertext”) to protect it from unauthorized access. Encryption standards vary based on the encryption purpose, whether that’s to store data online or send a secure email. One of the most commonly used methods is the Advanced Encryption Standard, or AES, with AES-256 as the strongest cipher currently available.
Endpoint: Any computing device, such as a desktop, mobile device, server, or IoT device, that connects to your company’s network. Endpoint security is a top priority for many organizations because threat actors often target endpoints as the initial entry point into the network.
PII (personally identifiable information): Any data that allows an individual to be identified, directly or indirectly, such as their name, date of birth, address, government identification number, phone number, and biometrics (such as fingerprints, facial recognition, or iris recognition). PII is very valuable for cybercriminals because they can use it for fraud schemes, phishing, and other nefarious purposes.
Security audit: A systematic process for evaluating your cybersecurity posture, including assessing policies, procedures, and security tools. Audits help you discover security weaknesses and vulnerabilities so you can take the necessary measures to close those gaps.
Security stack: The multiple layers of cybersecurity tools that your organization has in place to detect, respond to, and recover from cyber threats. The layers range from the infrastructure and hardware all the way up to applications and users.
VPN (virtual private network): An app or software that creates an encrypted connection over the internet from your device or network. When you use an unsecured connection, such as a public WiFi hotspot, a VPN protects the information that you transmit from the prying eyes of a hacker.
Zero-knowledge architecture: A security principle that grants you—and no one else—access to your data. The data is encrypted locally on your device, and access requires a password or another form of authentication.
Zero-trust security: A cybersecurity approach based on the idea that no connection can be trusted implicitly, regardless of where it originates. In a zero-trust model, every user and device must be dynamically authenticated and their access continuously authorized and validated. For example, if you’re trying to log in to your corporate network, zero-trust security would require authentication before you can access a resource, whether you’re logging in from your corporate office or from home.
Cybersecurity is ever-evolving, but a basic understanding of data privacy and access will always be in season.