Let’s Talk Vocabulary
Cybersecurity is one of those topics where knowing the vocabulary can make things easier to grasp. Nothing is more frustrating than being tech-talked by some IT professional who is purposefully trying to confuse you into thinking they have all the answers.
Unfortunately I’ve encountered many brilliant engineers in my career who were all too willing to tech-talk people. This usually gets them what they want in the short term. However, in the long run it erodes the bond of trust that IT professionals have to work so hard to earn.
With that in mind, I’m here to arm you all with 4 basic cybersecurity terms that will help you speak confidently with your IT provider (or in-house IT department). Let’s begin!
Vulnerability – A weakness that can be exploited, whether by accident or by a deliberate attacker, to cause a security breach.
The term vulnerability has a large scope. Leaving the default username and password on your shiny new piece of hardware is a vulnerability: anyone who knows the defaults for that model of device can now log in to it. That person in Accounts Payable who blindly downloads and opens every email attachment they get? Also a vulnerability. In short, a vulnerability is any opening you’ve overlooked, or any behavior you haven’t trained your employees out of, that the bad guys can exploit.
Threat – The potential for a threat actor or agent to exercise a vulnerability and cause a breach.
Hackers. Malicious bots. That sketchy looking guy in the hoodie on his laptop in the corner of your local coffee shop. These are examples of the people and things that can exploit a vulnerability, which makes them threats (or threat actors). Keep in mind that there are passive threats as well, like malicious websites or enticing file downloads that are actually malware. You can’t make the threats themselves go away, but you can limit what they are able to do to you: eliminate your known vulnerabilities, and train yourself and your team to develop an eye for spotting threats and vulnerabilities before they become a security breach.
Threat Vector – A path or means by which a cybercriminal gains access to a computer system by exploiting a vulnerability, typically through one of six main routes. The complete set of paths an attacker could try against you is what’s called your Attack Surface.
Ok, that definition got a bit wordy, so let’s simplify it. Simply put, Threat Vectors are the routes and paths that threat actors take to exploit a vulnerability. There are six widely accepted vectors that are commonly used to cause a breach. They are:
- The network
- Web applications
- Remote access portals
- Mobile devices
Note that the six main routes do not cover every vector. For example, a smart home device (also referred to as an IoT device) may keep an unencrypted copy of your wireless network credentials on the device itself, yet it isn’t really a network device or a mobile device in the sense above. There will always be other vectors, but a business or individual who pays close attention to these six routes will be more secure than someone who doesn’t.
Risk – The likelihood that a threat will exercise a vulnerability, weighed against the impact if it does.
Last but not least, that four letter word – RISK. I’ve sat in many long, heated debates about risk between IT professionals and the people they are trying to protect. A cybersecurity mindset and good habits are free. Outsourced cybersecurity training, risk assessments, and security hardening projects are not. Many business owners and leaders find themselves trying to run the numbers on how damaging a breach could be vs. how much closing a given vulnerability would cost them, and how much disruption it would cause to day-to-day operations.
For example – a receptionist’s computer, used by multiple workers sharing a single login to perform specific functions, offers a hassle-free way for receptionists to hand off between shifts and share data. However, if you read my other post, Stop Sharing User Accounts, you’d know this leaves a huge vector wide open for bad guys to exploit and is a terrible risk to take for multiple reasons: nobody can tell who did what under that account, and the password can’t be changed or revoked for one departing worker without locking out everyone else.
This may seem like an obvious risk that is easily avoided, but many small businesses choose convenience over security, and I encounter this specific scenario more often than I care to admit. Proper education on the true risk of a given scenario is massively important to personal security, as well as business security.
To be blunt, education is the single biggest threat deterrent you can arm yourself with.
We hope you found these 4 terms and the explanations useful. Now get out there and confidently speak about cybersecurity!