Cybersecurity Glossary
Plain-language definitions of the cybersecurity terms that matter most to Canadian small and medium businesses. No jargon, no fluff — just what you need to know.
A
Access Control
The practice of restricting who can access which systems, data, and resources within your organization. Good access control means employees only have access to what they need for their role — nothing more. This limits the damage if an account is compromised.
The Canadian Centre for Cyber Security addresses this under Baseline Control BC.12. Learn why least-privilege access matters during incidents →
Air-Gapped Backup
A backup copy of your data that is physically disconnected from your network and the internet. Because it has no network connection, ransomware cannot reach it — making it your most reliable recovery option after an attack.
Anti-Malware
Software that detects, prevents, and removes malicious software (malware) from your devices. Modern anti-malware goes beyond traditional antivirus to detect ransomware, spyware, and other threats using behavioural analysis — not just known virus signatures.
Addressed under Baseline Control BC.3.
Attack Surface
The total number of points where an attacker could try to enter or extract data from your environment. Every internet-facing system, employee account, cloud service, remote access tool, and connected device adds to your attack surface. The goal is to make it as small as possible — disable what you don't need, patch what you keep, and monitor what remains.
B
Backdoor
A hidden method of bypassing normal authentication to gain access to a system. Backdoors can be installed by malware, left behind by attackers after an initial breach, or even built into software by compromised developers. Once in place, a backdoor allows the attacker to return at will — even after you've changed passwords or patched the original vulnerability.
Baseline Cyber Security Controls
A set of 13 fundamental cybersecurity practices published by the Canadian Centre for Cyber Security (document ITSM.10.089), designed specifically for small and medium organizations. They represent the Government of Canada's recommended minimum security standard for Canadian businesses.
Business Email Compromise (BEC)
A type of fraud where an attacker impersonates a trusted person — typically a CEO, vendor, or lawyer — via email to trick an employee into transferring money, sharing sensitive data, or changing payment details. BEC does not use malware; it exploits trust and urgency. It is the most financially damaging form of cybercrime globally.
Brute Force Attack
An attack method where automated tools systematically try every possible password or key combination until the correct one is found. Short, simple passwords can be cracked in minutes. Strong passwords and multi-factor authentication make brute force attacks impractical.
Botnet
A network of compromised computers or devices secretly controlled by an attacker. Each infected device (a "bot") can be remotely commanded to send spam, launch denial-of-service attacks, distribute malware, or mine cryptocurrency — often without the owner knowing. Your business devices can become part of a botnet if they lack anti-malware protection or are running unpatched software.
Anti-malware protection (BC.3) is your first line of defence against botnet infection.
BYOD (Bring Your Own Device)
A policy where employees use their personal phones, laptops, or tablets for work. BYOD can reduce hardware costs but introduces security risks — personal devices may lack encryption, anti-malware, or automatic updates, and business data on personal devices is harder to control when an employee leaves.
C
Canadian Centre for Cyber Security (CCCS)
Canada's national authority on cybersecurity, part of the Communications Security Establishment (CSE). The CCCS publishes threat assessments, security guidance, and alerts for Canadian organizations, and operates the cyber incident reporting line at 1-833-CYBER-88.
Credential Stuffing
An automated attack that uses stolen username and password combinations from previous data breaches to try to log in to other services. It works because people reuse passwords across multiple accounts. If an employee uses the same password for a personal account and their work email, a breach at the personal service can compromise your business.
Cyber Insurance
Insurance coverage designed to help organizations manage the financial impact of cyber incidents, including breach response costs, business interruption, regulatory fines, and liability claims. Cyber insurers increasingly require specific security controls — particularly multi-factor authentication — as conditions of coverage.
What Canadian SMBs need to understand about cyber insurance →
Cloud Security
The practices, tools, and policies that protect data, applications, and infrastructure hosted in cloud environments (e.g., Microsoft 365, Google Workspace, AWS). Cloud providers secure the underlying infrastructure, but you are responsible for configuring access controls, enabling MFA, managing permissions, and protecting your data. This "shared responsibility model" means a misconfigured cloud account is your problem, not the provider's.
Addressed under Baseline Control BC.11 (Cloud and Outsourced IT Security).
Cybercrime-as-a-Service (CaaS)
A criminal business model where attack tools, infrastructure, and expertise are rented or sold to other criminals — much like legitimate software-as-a-service. CaaS has lowered the barrier to entry for cybercrime, meaning attackers no longer need technical skills to launch sophisticated attacks against your business.
Highlighted in the CCCS National Cyber Threat Assessment 2025-2026.
CyberSecure Canada
A federal cybersecurity certification program operated by Innovation, Science and Economic Development Canada (ISED). It allows small and medium organizations to demonstrate they have implemented the Baseline Cyber Security Controls through a voluntary certification process.
D
Dark Web
A part of the internet that is not indexed by search engines and requires specialized software (such as the Tor browser) to access. The dark web hosts marketplaces where stolen credentials, personal data, and hacking tools are bought and sold. After a data breach, your employees' usernames and passwords often appear on dark web markets within hours.
Data Breach
An incident where personal, confidential, or protected information is accessed, disclosed, or stolen by an unauthorized party. Under PIPEDA, Canadian organizations must report breaches involving personal information to the Privacy Commissioner and notify affected individuals when there is a real risk of significant harm.
DDoS (Distributed Denial of Service)
An attack that floods a website, server, or network with so much traffic that it becomes unavailable to legitimate users. "Distributed" means the traffic comes from thousands of compromised devices (a botnet) simultaneously, making it difficult to block. DDoS attacks are increasingly used as a smokescreen to distract your IT team while attackers breach other systems.
Defence in Depth
A security strategy that layers multiple independent defences so that if one control fails, others still protect you. Rather than relying on a single firewall or antivirus, defence in depth combines network security, access controls, encryption, employee training, backups, and monitoring. The 13 Baseline Controls are structured as a defence-in-depth framework — each control covers a different layer.
DMARC, SPF, and DKIM
Three email authentication protocols that work together to prevent attackers from sending emails that appear to come from your domain. SPF specifies which servers can send email for your domain. DKIM adds a digital signature to verify the email hasn't been altered. DMARC tells receiving servers what to do when an email fails SPF or DKIM checks.
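To show how the three protocols fit together, here is an added Python illustration (not code from the original glossary or from the CCCS) of what a receiving mail server does with them: it parses an SPF record, evaluates it for a connecting IP address, parses a DMARC record, checks identifier alignment, and decides whether the message passes or the domain owner's policy (p=reject here) applies. The domain example.ca, both records, and the FAKE_DNS_TXT stand-in for "include:" lookups are constructed; org_domain() is a simplification, since real receivers use the Public Suffix List, and DKIM signature verification itself is represented by its result ("pass"/"none") rather than re-implemented.

```python
"""SPF and DMARC evaluation as a receiving mail server performs it.
Added illustration: example.ca, the records and FAKE_DNS_TXT are constructed;
org_domain() is a simplification (real receivers use the Public Suffix List)."""
from ipaddress import ip_address, ip_network

# Constructed DNS TXT records for the hypothetical domain example.ca.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.ca"

# Stand-in for live DNS lookups of "include:" targets (constructed).
FAKE_DNS_TXT = {"_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # first colon only, so ip6 arguments survive
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(sender_ip, record, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", ...) for a connecting IP.
    Only ip4, ip6, include and all are handled; a/mx/redirect would need live DNS."""
    if depth > 10:                           # RFC 7208 caps lookups; also stops include loops
        return "permerror"
    ip = ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            matched = ip in ip_network(arg, strict=False)
        elif mech == "include":
            target = dns.get(arg)
            if target is None:
                return "permerror"
            matched = check_spf(sender_ip, target, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                         # unsupported mechanism: skip it
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


def parse_dmarc(record):
    """Parse DMARC tag=value pairs into a dict, filling in the protocol defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dmarc):
    """A message passes DMARC if SPF or DKIM passes AND its domain aligns with the
    visible From: domain; otherwise the owner's p= policy is the disposition."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, dmarc["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else dmarc["p"]


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    # Mail from the company's own server: SPF passes and aligns -> "pass".
    print(dmarc_disposition("example.ca", check_spf("203.0.113.10", SPF_RECORD),
                            "example.ca", "none", None, policy))
    # Spoofed mail from an unrelated host, no DKIM signature -> "reject".
    print(dmarc_disposition("example.ca", check_spf("192.0.2.5", SPF_RECORD),
                            "example.ca", "none", None, policy))
```

The second call is the case the glossary entry describes: a message claiming to be from your domain, sent from a server your SPF record never authorized and carrying no valid DKIM signature, so the receiver applies your published policy. The strict adkim=s setting also shows why a signature from a subdomain (d=mail.example.ca) does not rescue a failing message, while relaxed aspf=r still accepts SPF for that subdomain.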
E
Endpoint Detection and Response (EDR)
Security software that continuously monitors devices (endpoints) for suspicious activity and can respond automatically to threats. EDR goes beyond traditional antivirus by detecting unusual behaviour patterns — not just known malware signatures. Many cyber insurers now require EDR as a condition of coverage.
Exploit
A piece of code or technique that takes advantage of a specific vulnerability in software or hardware to gain unauthorized access or cause harm. Exploit kits — ready-made toolkits that bundle exploits for multiple vulnerabilities — are sold on the dark web, allowing attackers to automate attacks against unpatched systems.
Encryption
The process of converting data into a coded format that can only be read with the correct key. Encryption protects data both in transit (e.g., HTTPS connections) and at rest (e.g., encrypted hard drives). If an encrypted device is lost or stolen, the data remains unreadable without the decryption key.
The Baseline Controls require encryption on all portable media (BC.13) and backups (BC.7).
F
Firewall
A security device or software that monitors and controls network traffic based on predefined rules, acting as a barrier between your trusted internal network and untrusted external networks like the internet. Most businesses use both a network firewall (hardware at the perimeter) and host-based firewalls (software on individual devices).
Addressed under Baseline Control BC.9 (Network Security).
G
Get Cyber Safe
The Government of Canada's public awareness campaign on cybersecurity, operated by the Canadian Centre for Cyber Security. Get Cyber Safe provides free, plain-language tips and resources aimed at helping individuals and small businesses protect themselves online. It's one of the best starting points for businesses that are new to cybersecurity.
H
HTTPS
The secure version of HTTP — the protocol your browser uses to communicate with websites. HTTPS encrypts data in transit using TLS (Transport Layer Security), preventing attackers from intercepting information exchanged between your browser and the website. If your business website doesn't use HTTPS (look for the padlock icon), customers' form submissions, login credentials, and payment information are transmitted in plain text.
Addressed under Baseline Control BC.9 (Network Security).
I
Identity Theft
The fraudulent use of someone's personal information — name, Social Insurance Number, credit card details, or other identifying data — without their consent. When a data breach exposes customer or employee records, identity theft is often the downstream consequence. Under PIPEDA, your organization has a legal duty to protect this information and to notify affected individuals if it's compromised.
Incident Response Plan
A written document that defines who is responsible for what when a cybersecurity incident occurs, who to contact, which systems are critical, and what steps to follow. The Canadian Centre for Cyber Security designates incident response planning as BC.1 — the first of the 13 Baseline Controls — because everything else depends on having a plan before an incident hits.
Insider Threat
A security risk that comes from within your organization — an employee, contractor, or business partner who either intentionally or accidentally compromises your systems. Insider threats include disgruntled employees stealing data, well-meaning staff falling for phishing, or former employees whose accounts were never deactivated. Timely offboarding and least-privilege access controls are your primary defences.
K
Keylogger
Malicious software or hardware that secretly records every keystroke you type — capturing passwords, credit card numbers, emails, and other sensitive information. Keyloggers are typically delivered through phishing emails or bundled with pirated software. Anti-malware tools with behavioural detection can identify keylogger activity, and password managers that auto-fill credentials bypass keystroke capture entirely.
Anti-malware protection (BC.3) detects most software-based keyloggers.
L
Lateral Movement
The techniques an attacker uses to move through your network after gaining initial access — jumping from one system to another to find valuable data or gain higher privileges. A ransomware attacker who compromises a single employee's workstation uses lateral movement to reach file servers, backup systems, and domain controllers. Network segmentation and least-privilege access are your primary defences.
Least Privilege
A security principle that says users should have only the minimum level of access required to do their job — nothing more. If ransomware compromises an account with broad access, it can spread across your entire network. If that same account has only the minimum necessary permissions, the damage is contained.
Log Management
The practice of collecting, storing, and reviewing records of activity across your systems — who logged in, what they accessed, what changed, and when. Logs are critical for detecting suspicious activity, investigating incidents, and proving compliance with privacy regulations. Without logs, you cannot determine what happened during a breach or prove what data was or wasn't accessed.
Addressed under Baseline Control BC.4 (Security Event Logging). Why logs are essential for incident response →
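The Brute Force Attack, Credential Stuffing and Log Management entries above describe patterns that are only visible if login events are being recorded and reviewed. Here is an added Python illustration (not code from the original glossary) that reads a small authentication log and flags three of them: repeated failures against one account from one source, one source failing across many different accounts, and a success that follows a run of failures. The log format, every log line, and the thresholds are constructed for the example; a real deployment would feed it the login events your systems actually produce.

```python
"""Review an authentication log for patterns a defender looks for.
Added illustration; the log format, sample lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)   # look-back period for every rule
BRUTE_FORCE_FAILS = 5            # failures for one account from one source
STUFFING_ACCOUNTS = 5            # distinct accounts failing from one source
FAILS_BEFORE_SUCCESS = 3         # failures preceding a success worth a look

# Constructed sample log (hypothetical format); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:03Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:05Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:07Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:09Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:11Z login FAIL user=alice src=203.0.113.9
2024-03-01T09:00:20Z login SUCCESS user=alice src=203.0.113.9
2024-03-01T09:05:00Z login FAIL user=bob src=198.51.100.4
2024-03-01T09:05:01Z login FAIL user=carol src=198.51.100.4
2024-03-01T09:05:02Z login FAIL user=dave src=198.51.100.4
2024-03-01T09:05:03Z login FAIL user=erin src=198.51.100.4
2024-03-01T09:05:04Z login FAIL user=frank src=198.51.100.4
2024-03-01T09:30:00Z login FAIL user=grace src=192.0.2.31
2024-03-01T10:00:00Z login SUCCESS user=erin src=192.0.2.30
"""


def parse_log(text):
    """Turn log lines into event dicts, skipping lines that don't match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return findings in the order they would fire when reading the log live."""
    findings = []
    pair_fails = defaultdict(list)     # (src, user) -> failure timestamps in window
    src_fails = defaultdict(list)      # src -> (timestamp, user) failures
    already = set()                    # report each pattern once per source/account
    for e in events:
        key = (e["src"], e["user"])
        recent_pair = [t for t in pair_fails[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "FAIL":
            recent_pair.append(e["ts"])
            pair_fails[key] = recent_pair
            src_fails[e["src"]].append((e["ts"], e["user"]))
            if len(recent_pair) >= BRUTE_FORCE_FAILS and ("brute_force", key) not in already:
                already.add(("brute_force", key))
                findings.append({"type": "brute_force", "src": e["src"], "user": e["user"],
                                 "count": len(recent_pair), "at": e["ts"]})
            accounts = {u for t, u in src_fails[e["src"]] if e["ts"] - t <= WINDOW}
            if len(accounts) >= STUFFING_ACCOUNTS and ("credential_stuffing", e["src"]) not in already:
                already.add(("credential_stuffing", e["src"]))
                findings.append({"type": "credential_stuffing", "src": e["src"],
                                 "users": len(accounts), "at": e["ts"]})
        elif len(recent_pair) >= FAILS_BEFORE_SUCCESS:
            # A success right after repeated failures is the event to investigate first.
            findings.append({"type": "success_after_failures", "src": e["src"],
                             "user": e["user"], "count": len(recent_pair), "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Against the constructed log, the script reports a brute-force run against alice, then the successful login that followed it (the line an incident responder would start from), and a credential-stuffing pattern from 198.51.100.4, while the single failure for grace and the ordinary login by erin produce nothing. Without the log, none of these events would be recoverable after the fact.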
M
Malware
Short for "malicious software." Any software intentionally designed to damage, disrupt, or gain unauthorized access to a computer system. Malware includes viruses, ransomware, spyware, trojans, and worms. It is commonly delivered through phishing emails, malicious websites, or compromised software updates.
How malware was delivered through a trusted software update →
Man-in-the-Middle Attack (MitM)
An attack where a criminal secretly intercepts and potentially alters communication between two parties who believe they are talking directly to each other. Common examples include eavesdropping on unencrypted public Wi-Fi, intercepting email between a business and its bank, or redirecting DNS queries to fake websites. HTTPS, VPNs, and encrypted email protocols defend against MitM attacks.
Managed Service Provider (MSP)
A company that remotely manages your IT infrastructure and systems on your behalf. MSPs typically have high-level administrative access to your network, making them both essential partners and high-value targets for attackers. A compromised MSP can give an attacker access to every client they manage.
Managed Detection and Response (MDR)
A cybersecurity service where a third-party provider monitors your systems around the clock, detects threats, and responds to incidents on your behalf. MDR combines EDR technology with human analysts who investigate alerts, triage threats, and take containment actions — giving small businesses access to 24/7 security expertise they couldn't afford to hire in-house. For most Canadian SMBs, MDR is the most practical path to enterprise-grade security monitoring.
Why insurers are increasingly requiring managed detection services →
Multi-Factor Authentication (MFA)
A security method that requires two or more verification steps to log in — typically something you know (password) plus something you have (phone or security key). MFA blocks over 99% of automated account compromise attacks. It is free to enable on most business platforms and is the single most impactful security upgrade a Canadian SMB can make.
N
Network Segmentation
The practice of dividing your network into separate zones so that a breach in one area cannot easily spread to others. For example, your point-of-sale system, employee workstations, and guest Wi-Fi should each be on separate network segments. If ransomware infects an employee's laptop on a segmented network, it cannot reach your payment systems or backup servers.
Addressed under Baseline Control BC.9 (Network Security).
P
Password Manager
Software that securely generates, stores, and auto-fills unique, strong passwords for every account. Password managers eliminate the need to remember dozens of passwords and remove the temptation to reuse them — one of the most common security vulnerabilities in small businesses.
Patch Management
The process of keeping software and operating systems up to date by applying security patches — fixes released by software vendors to close known vulnerabilities. Unpatched software is one of the most common ways attackers gain access to business systems. The Baseline Controls designate this as BC.2.
Penetration Testing (Pen Test)
An authorized simulated attack on your systems, conducted by security professionals, to find vulnerabilities before real attackers do. A pen test report shows you exactly how an attacker could get in, what they could access, and how to fix it. Some cyber insurance policies require or incentivize regular pen testing as a condition of coverage.
Phishing
A social engineering attack where criminals send fraudulent messages — typically emails — designed to trick recipients into clicking malicious links, opening dangerous attachments, revealing credentials, or transferring money. Phishing remains the number one attack vector for businesses of all sizes and the most common delivery mechanism for ransomware.
PIPEDA
The Personal Information Protection and Electronic Documents Act — Canada's federal privacy law. It applies to any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity. PIPEDA requires mandatory breach reporting to the Privacy Commissioner when there is a real risk of significant harm, with fines of up to $100,000 per violation.
R
RDP (Remote Desktop Protocol)
A Microsoft protocol that allows users to remotely access and control another computer over a network. RDP is widely used for remote work and IT administration, but exposed RDP ports are one of the most common entry points for ransomware attacks. Attackers use brute force or stolen credentials to log in through RDP. Securing RDP requires MFA, VPN access, and disabling it when not needed.
Ransomware
Malicious software that encrypts your files and demands payment for their return. Modern ransomware often also steals data before encrypting it, threatening to publish it if the ransom is not paid (double extortion). The Canadian Centre for Cyber Security identifies ransomware as the top cybercrime threat facing Canada's critical infrastructure.
Ransomware-as-a-Service (RaaS)
A criminal business model where ransomware developers lease their tools to other attackers (affiliates) in exchange for a percentage of ransom payments. RaaS has made ransomware attacks accessible to criminals with little technical skill, dramatically increasing the volume of attacks against organizations of all sizes.
Risk Assessment
A systematic process of identifying what could go wrong (threats), how likely it is (probability), and how bad it would be (impact). A cybersecurity risk assessment helps you prioritize which security controls to implement first based on your specific business context — not every business faces the same risks. Our free assessment is built around this principle.
Recovery Time Objective (RTO)
The maximum acceptable amount of time that a system or business process can be offline before the organization's survival is at risk. Defining your RTO for each critical system helps prioritize which systems to restore first after an incident and determines how robust your backup and recovery procedures need to be.
S
Security Awareness Training
Ongoing education that teaches employees to recognize and respond to cybersecurity threats — particularly phishing, social engineering, and unsafe data handling. Effective training is short, frequent, and contextual (e.g., simulated phishing campaigns followed by immediate feedback), not annual compliance checkboxes. The Baseline Controls designate this as BC.6.
Shadow IT
Technology — cloud services, apps, AI tools, or devices — used by employees for work without organizational approval or oversight. Shadow IT creates data flows you cannot control, audit, or recover. Common examples include personal Dropbox accounts, unauthorized AI tools like ChatGPT used with business data, and messaging apps used for work communications.
SIM Swapping
An attack where a criminal convinces your mobile carrier to transfer your phone number to a device they control. Once they have your number, they can intercept SMS-based two-factor authentication codes, reset passwords, and access your accounts. This is why authenticator apps are more secure than SMS codes for MFA.
Spear Phishing
A targeted form of phishing directed at a specific individual or organization, using personalized information to make the attack more convincing. Unlike mass phishing campaigns, spear phishing emails reference your real name, job title, colleagues, or recent transactions. Attackers research their targets using LinkedIn, company websites, and previously breached data to craft highly believable messages.
Supply Chain Attack
An attack where criminals compromise a trusted vendor, software provider, or service to reach their actual targets downstream. Instead of attacking your business directly, attackers breach a tool or service you depend on — such as a software update mechanism, a managed service provider, or a SaaS platform — gaining access to every organization that trusts it.
T
Threat Intelligence
Information about current and emerging cyber threats — who is attacking, how they operate, what tools they use, and what vulnerabilities they target. The Canadian Centre for Cyber Security publishes threat intelligence through alerts, advisories, and the biennial National Cyber Threat Assessment. For SMBs, staying current with CCCS alerts and advisories is the most practical form of threat intelligence.
3-2-1 Backup Rule
A widely recommended backup strategy: maintain 3 copies of your data, on 2 different types of storage, with 1 copy stored offline or offsite — disconnected from your network. This ensures that even if ransomware encrypts your primary systems and your connected backups, you have an untouched copy to restore from.
Two-Factor Authentication (2FA)
A specific type of multi-factor authentication that uses exactly two verification steps. In practice, 2FA and MFA are often used interchangeably, though MFA can include three or more factors. See Multi-Factor Authentication (MFA).
U
Unauthorized Software
Any software installed on business systems without organizational approval — including browser extensions, free utilities, cracked applications, and personal tools. Unauthorized software can contain malware, create unpatched vulnerabilities, or exfiltrate data. Maintaining a software inventory and restricting installation privileges are core requirements of the Baseline Controls.
Addressed under Baseline Control BC.10 (Software Inventory).
V
VPN (Virtual Private Network)
A technology that creates an encrypted connection between an employee's device and your business network, protecting data in transit — especially important when working from home, coffee shops, or other locations outside the office. A business-grade VPN with MFA is essential for secure remote work.
Vishing (Voice Phishing)
A social engineering attack conducted over the phone, where the caller impersonates a trusted entity — such as a bank, government agency, tech support, or a senior executive — to extract sensitive information or convince the target to take an action. AI-generated voice cloning has made vishing dramatically more convincing, allowing attackers to mimic a specific person's voice from just a few seconds of audio.
Vulnerability
A weakness in software, hardware, or a process that an attacker can exploit to gain unauthorized access or cause harm. Vulnerabilities are assigned CVE numbers (Common Vulnerabilities and Exposures) for tracking. When a vendor releases a security patch, they are fixing a known vulnerability — and attackers begin scanning for unpatched systems almost immediately.
W
Whaling
A highly targeted phishing attack aimed at senior executives, board members, or other high-value individuals within an organization. Whaling emails are carefully crafted to impersonate legal counsel, regulators, or board members, and often involve urgent requests related to wire transfers, mergers, or legal matters. Because the targets have the authority to approve large transactions, successful whaling attacks can result in massive financial losses.
Wi-Fi Security
The practices and protocols that protect wireless networks from unauthorized access and eavesdropping. Business Wi-Fi should use WPA3 (or at minimum WPA2) encryption, strong passwords, and separate networks for employees and guests. An unsecured or poorly configured Wi-Fi network allows attackers within range to intercept traffic, access shared files, or pivot into your internal network.
Addressed under Baseline Control BC.9 (Network Security).
X
XDR (Extended Detection and Response)
A security platform that unifies threat detection and response across multiple layers — endpoints, email, cloud, and network — into a single system. Where EDR monitors individual devices and MDR adds human analysts, XDR correlates signals across your entire environment to detect complex attacks that no single tool would catch. For example, XDR might connect a suspicious login from an unusual location, a new email forwarding rule, and a large file download into a single coherent incident.
Z
Zero Trust
A security model built on the principle "never trust, always verify." Instead of assuming that everything inside your network is safe, Zero Trust requires strict verification for every user and device before granting access to any resource — regardless of their location. In practice, this means MFA on every account, least-privilege access, network segmentation, and continuous monitoring. Zero Trust is the direction modern cybersecurity is heading, but SMBs can start with its core principles today.
Zero Trust principles underpin several Baseline Controls including BC.12 (Access Control) and BC.9 (Network Security).
Zero-Day Vulnerability
A software vulnerability that is unknown to the vendor and has no available patch at the time it is exploited. "Zero-day" refers to the fact that the vendor has had zero days to fix it. These are the most dangerous vulnerabilities because there is no defence other than layered security controls — which is why the Baseline Controls emphasize defence in depth across multiple areas, not reliance on any single control.
Social Engineering
The use of psychological manipulation to trick people into revealing information, granting access, or taking actions that compromise security. Phishing, pretexting (creating a fabricated scenario), and impersonation are all forms of social engineering. It exploits human trust rather than technical vulnerabilities.
Training that actually changes behaviour →