Top 10 Cyber Security Terms Every Leader Should Know

Cyber security is no longer only the concern of top secret government agencies and huge corporations. Attackers know that organizations of all sizes, industries, and missions have valuable assets that can benefit an attacker. Here are the top 10 cyber security terms that leaders should know as they develop their understanding of cyber security:

1. Defense-In-Depth is a security concept where organizations put many layers of security in place to prevent and reduce the impact of attacks. Defense-in-depth was historically used in the design of medieval castles that had many layers of security protections: a moat, a large outer wall, multiple watch towers, and a secure room at the top of a central tower for the king. An attacker would need to swim across the moat, climb the walls, avoid detection from the guards in the watchtower, and break into the secure room at the top of the tower in order to gain access to the king. The same approach can be applied to your organization’s cyber security where multiple levels of security are put in the way of a would-be attacker. Even if the attacker could breach one level of security, each successive layer continues to protect the organization.

2. Multi-Factor Authentication (MFA), sometimes known as two-factor authentication (2FA), is a low-cost solution that provides an additional layer of security to your logins. A username and password have been the most common method of accessing information and IT resources for years but these can be easily compromised by attackers. By combining something a user knows (such as their username and password) with something that the user physically has (a multi-factor authentication token or mobile app that provides a random numeric code), attackers can no longer easily gain access to your organization’s IT environment or sensitive data.

3. Firewalls are a method of detecting and blocking cyber attack attempts using software or a physical device. They are commonly placed between your organization’s internal network and the internet but can also be used within your organization. A properly-configured firewall allows or blocks network traffic based on a set of predefined rules. An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) examines network communications to search for attacks and blocks them.

4. Software-as-a-Service (SaaS) refers to a cloud-based technology that provides any number of services (bookkeeping, payroll, email, invoicing, productivity, security, etc) that support your organization. While these SaaS tools can provide huge benefits to organizations, it is also critical to understand how your organization is leveraging that service, how the service protects your sensitive data, and that security measures are put into place to prevent attacks.

5. Penetration Testing, or pen testing, is a type of cyber security service that an organization can use to understand and remediate the organization’s security vulnerabilities. During a pen test, the tester will use the tools, tactics, and procedures of a hacker to attempt to penetrate the organization to identify vulnerabilities and determine their impact. After the pen test is completed, the tester provides actionable guidance on how to improve the security of the organization.

6. Ransomware is a type of malicious software that an attacker can trick a user into installing that maliciously encrypts all data on the affected device. After the data is encrypted, the attacker will typically demand a ransom be paid prior to the data being decrypted. Attackers commonly hold their victim’s data ransom for thousands to millions of dollars. Organizations that have a rock-solid data backup and restoration program are at a significant advantage because they are able to get back to business as usual without having to pay the ransom to decrypt the business-critical data.

7. Bring-Your-Own-Device, or BYOD, is a common IT strategy where organizations allow the use of their employee’s personal devices to conduct business. While this strategy can save the organization money on IT assets, it can also increase the risk of data loss and cyber attacks. With strong policies and the right device management tools that implement those policies, BYOD can be made more secure and therefore lower the risk to your organization.

8. Phishing is a type of attack executed over email, text message, or chat program designed to cause the victim to install malicious software, provide sensitive information, or to conduct other follow-on attacks. This type of attack can be prevented by providing security training to the workforce and putting technical measures in place to block these attacks. Spearphishing is a variant of phishing targeted at a specific user in the company, say perhaps someone in the Finance department that handles bank transactions. Another type of phishing is called whaling, a type of phishing targeting high-value, influential, or decision-making members of an organization.

9. NIST Cyber Security Framework (CSF) is a framework widely used across many industries from the U.S. National Institute of Standards and Technology. The framework helps organizations understand their current security maturity and design a roadmap for improving security. The NIST CSF is the foundation for all of RipRap Security’s work with our clients as we believe that the internationally-recognized standard also aligns very closely with the goals and missions of small and medium organizations.

10. Password Manager is a type of security tool that organizations can provide to employees to improve password hygiene and protect sensitive information. These tools are a place where employees can securely store all of their passwords, rather than on a sticky note under the keyboard or in a spreadsheet. Our team suggests that all organizations provide password managers for their teams and put in place policies to encourage their use.

Getting Started

Want to learn more about cyber security? Continue reading our other blog posts to expand your security knowledge.

Are you interested in a more personal experience? Click this link to schedule a free 30 minute consultation with RipRap Security. We’ll discuss your current security initiatives, cyber security goals, and how our team can help you become more cyber secure so you can focus on your organization’s mission.

About RipRap Security

RipRap Security is a cyber security consulting company focused on bringing decades of experience supporting the US Federal Government in preventing and responding to cyber attacks to organizations that make communities a better place. For more information, please visit our website and find us on LinkedIn and Twitter.