TERMINOLOGY CYBERSECURITY

The world of security and privacy is full of complex concepts and jargon. On this page we explain the most important terms.

The world of cybersecurity and information security has a lot of complex concepts and jargon, and a significant portion of the vocabulary is made up of words that are not easy to translate from English. These are concepts that are familiar to specialists but often unknown to the organizations and employees who want to work on information security. Awareways focuses on the human side of security and privacy, so we consider it important that employees of any organization know what we are talking about. To build a bridge between our specialists and our customers, we have created a glossary on our website in which the most important terms and concepts are clearly defined.

Two-factor authentication

Two-factor authentication (2FA) adds a second step to the password login, so that a stolen or guessed password alone is no longer enough to get into an online account. After entering your password you are also asked for something you have rather than something you know: typically a one-time code generated by an app on your phone, sent by SMS, or produced by a hardware security key. Codes generated by an authenticator app or a hardware key are preferable to SMS codes, which can be intercepted or redirected; and because a phishing site can ask for the code as well as the password, 2FA reduces the risk of account takeover but does not remove the need to check where you are logging in.

Most of the world’s largest websites offer 2FA in the account’s security settings, but you have to enable it yourself. An easy place to read up and get started is the website turnon2fa.com.

Antivirus software

Antivirus software is a type of program developed to protect computers against malware such as viruses, computer worms, spyware, bot agents, rootkits and keyloggers. It scans files and running programs, detects known malicious software and quarantines or removes it. Such programs come in many shapes and sizes, from free versions to paid subscriptions. Detection is not a guarantee: new or modified malware may not be recognized, so antivirus software always goes hand in hand with human action; see also ‘human factor’.

Adware

Adware is a type of unwanted or malicious software that installs itself on a computer without the user’s knowledge. It collects information about the user’s browsing and behaviour in order to display targeted advertisements, and in doing so often degrades performance and privacy. See also Malware.

Personal Data Authority: AP (‘Autoriteit Persoonsgegevens’)

The Personal Data Authority (AP) is the Dutch data protection authority, the independent administrative body appointed by law to supervise the processing of personal data (see also ‘personal data’). On January 1, 2016, supervision of the Personal Data Protection Act (WBP in Dutch, the predecessor of the AVG; see also ‘AVG’) became the task of the AP, which has supervised compliance with the AVG in the same capacity since May 25, 2018.

Companies and governments that process personal data are legally required to report a serious data breach to the AP without undue delay and, where feasible, within 72 hours of becoming aware of it. In addition, the AP has the power to impose fines, so violations can have direct financial consequences. Although educating on privacy issues remains a core purpose, investigation and enforcement of the AVG have become an important part of its work. Fines for not adequately following the legislation or for failing to report a serious data breach can be hefty.

General Data Protection Regulation: AVG (‘Algemene Verordening Gegevensbescherming’)

The General Data Protection Regulation (AVG), the privacy legislation that applies throughout the EU and therefore in the Netherlands, is the successor to the Personal Data Protection Act (WBP). The supervisor of the AVG in the Netherlands is the Personal Data Authority (AP).

The AVG has been in effect since May 25, 2018, so by now the necessary process adjustments have undoubtedly been made. But are your employees fully aware of their role? More importantly, do they understand that they are the main link in protecting personal data and preventing a data breach?

Awareways offers an AVG learning module where the focus is entirely on the user. Your colleague who ultimately makes the final decision in the processing of privacy-sensitive information. In order to create recognizable situations, the Awareways AVG learning module can be adapted in detail to your daily situation.

Awareness

In a Dutch version of the glossary, Awareness could also be classed under the B of ‘bewustzijn’ (awareness) and the B of ‘beveiligingsbewustzijn’ (security awareness); the extent to which people recognize risks and are aware that they could jeopardize the security of information.

Awareways refers to awareness in particular as information awareness: what data do we process every day, how vulnerable and valuable is that information and above all: how can we handle it more carefully?

Information awareness is difficult to define in practice. Of course you can map out what happens on the work floor and what knowledge is present among employees. Are passwords handled more sensibly, how susceptible are people to phishing, et cetera. But what are the factors that make up ‘information awareness’? And also important: what does an investment in increasing it yield in terms of actual behavioral change? After all, a high level of information awareness does not necessarily mean that it is acted upon (Awareness does not equal behavior!). That’s why Awareways has done extensive research into awareness and behavioral change.

Security

Security is the set of measures needed to protect people, assets and information against harmful influences. We distinguish between physical security, for example preventing unauthorized persons from entering a building or accessing a workplace, and digital security, the protection of digital systems and the data they hold. For the latter category, see also Cybersecurity.

Information is of great value and its protection is becoming increasingly important. Of course organizations already take the necessary measures to protect data properly, but technical solutions alone are not enough. Because the most important link in the security chain, is simply ourselves.

BYOD: Bring Your Own Device

The use of personal devices such as laptops, phones and tablets while at work is becoming more and more natural. This can contribute to productivity, but a so-called BYOD policy (Bring Your Own Device) also has disadvantages. For example, the IT department has no insight into the security measures of your devices, while approximately 70 percent of the vulnerabilities within companies are end-user related. Employees are increasingly connecting their own devices to the company network. Because those devices are usually inadequately managed and secured, they are the fastest gateway for cybercriminals to company data.

If you have permission to use your own device, make sure that it is kept up to date, that it is locked with a strong password, PIN or biometric, that its storage is encrypted, that an up-to-date virus scanner is installed on it, and that other users of the device (family members, for example) do not have access to work information.

CISO

CISO stands for Chief Information Security Officer. Know who the CISO is in your organization, because he or she is, next to the Service Desk or IT Help Desk, the direct point of contact for questions, comments or reports on information security.

Cloud

The cloud is a collection of computers, software and data run by a provider and accessed via the Internet, with file storage and sharing among the most common applications.

Files on your own computer are local storage; the cloud is specifically about files and services that are not on your own device or network, but stored elsewhere, usually in large data centers operated by the provider and reachable over the Internet. The cloud and the Internet are thus inextricably linked, and so are the cloud and your account: whoever holds your credentials holds your data.

Organizations are becoming increasingly dependent on cloud providers. Almost half of organizations (48 percent) use multiple cloud service providers with Amazon Web Services (AWS), Microsoft Azure and IBM being the most popular, Thales research found. On average, organizations use three cloud environments, but more than a quarter (28 percent) use as many as four or more.

Although several organizations have more than one cloud provider, less than half (46 percent) realize that they are more vulnerable to cyber attacks as a result.

Compliance

Compliance refers to working in accordance with applicable laws and regulations, and the compliance of individuals or organizations with them.

Until the AVG went into effect, two years ago now, organizations were particularly busy being compliant with privacy legislation. That hype has now passed, but it is now up to companies to make an effort to remain AVG-compliant. There is an increasing emphasis on enforcement, so organizations need to stay focused on their roles and responsibilities.

Are all employees aware of their role in information security? What are the common standards? Is the organization sufficiently aware of responsibilities and potential threats? What is the exemplary behavior of management? Awareways is happy to help you put your information security policy and behavior in place.

Cookie

A cookie is a small text file that a website stores in the browser of your computer, tablet or smartphone when you visit it. Technically, it is a piece of data that the server sets in the browser and that the browser sends back with every later request to that same site, which allows the server to recognize you and to record what you did on earlier visits, such as your preferences and interests. This is very interesting for marketing purposes, which is why cookies and a responsible cookie policy are an important part of privacy.

Awareways uses cookies with a purely technical function. They ensure that the website works properly and, for example, that your preferences are remembered.

Cyber attack

A cyber attack is a way for fraudsters, hackers and terrorists to obtain personal or vulnerable information or to disable computer systems or networks. Specifically, a cyberattack is any attempt to gain unauthorized access to data in order to expose, steal, modify or destroy it. Cyber attacks come in different shapes and sizes, from a phishing email or a computer virus to a hack or DDoS attack. However, the majority of security incidents are caused not by external attacks or technical failures of supporting systems, but by human error. It is no surprise that we often talk about the role that every employee in an organization must play in order to take proper care of information security and the protection of confidential data, both business-sensitive information and personal data.

Cyber Hygiene

Cyber hygiene: keeping networks and systems free of infection and avoiding sources of infection. In other words, the minimum required to secure an information network. For example, automatically locking a digital system if it is not used for a certain period of time, multi-factor authentication, making backups, using anti-virus software, and directing staff to behave securely.

Data breach

Under the AVG, a data breach (personal data breach) is any security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data. When other business data is leaked, we speak of a security incident.

A data breach need not be the result of a technical security failure: information can also be leaked in other ways, for example through loss, theft or an incorrectly addressed email. Always report theft, loss or unauthorized disclosure of confidential information immediately to the Service Desk or, for example, the CISO. The legislation gives the organization 72 hours from the moment it becomes aware of a breach to report it to the AP, so immediate action, including internal reporting, is crucial!

Encryption

Encryption transforms information with a secret key into a form that is unintelligible to anyone who does not hold that key. Only someone with the key can turn it back into the original.

Encrypt data with a software and/or hardware solution that suits the type of information and the purpose of the storage or transmission, so that the data is stored or transmitted securely. Should other security measures fail and the files be stolen or intercepted, encryption prevents the thief from reading them: the protection then rests entirely on the key, so keep keys and passphrases out of the same place as the data. Don’t use unencrypted USB sticks, don’t keep important data on a laptop without disk encryption, and never send confidential data unprotected via email or cloud storage platforms like Dropbox or WeTransfer.
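
To make concrete what “unintelligible without the key” means, here is an added example (not code from the original page) in Go using AES-256-GCM from the standard library. It encrypts a short message under a random key, shows that the ciphertext does not contain the plaintext, that a different key cannot open it, and that GCM’s authentication detects any tampering with the stored or transmitted bytes. The key is generated randomly here for simplicity; in practice it would come from a password via a key-derivation function or from a hardware key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 256-bit AES key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encrypt seals plaintext with AES-256-GCM. The random nonce is prepended to
// the output so that decrypt can recover it; a nonce must never be reused
// with the same key, which is why a fresh random one is drawn per message.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. GCM verifies an authentication tag before
// returning any plaintext, so a wrong key or a modified ciphertext yields an
// error rather than garbage.
func decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// tamperDetected flips one bit of an encrypted blob and reports whether
// decryption refuses it, which it must for an authenticated cipher.
func tamperDetected(key, data []byte) bool {
	corrupted := append([]byte(nil), data...)
	corrupted[len(corrupted)-1] ^= 0x01
	_, err := decrypt(key, corrupted)
	return err != nil
}

func main() {
	key, _ := newKey()
	secret := []byte("salary list Q3 - confidential") // constructed sample data
	blob, err := encrypt(key, secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext contains plaintext: %v\n", bytes.Contains(blob, secret))
	fmt.Printf("tampering detected:            %v\n", tamperDetected(key, blob))
	wrongKey, _ := newKey()
	_, err = decrypt(wrongKey, blob)
	fmt.Printf("wrong key rejected:            %v\n", err != nil)
	plain, _ := decrypt(key, blob)
	fmt.Printf("recovered with right key:      %q\n", plain)
}
```

A lost laptop with encrypted storage is a lost laptop; a lost laptop without it is a data breach. The same logic applies to a USB stick or an email attachment.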

Always report the theft of company hardware as well as your own equipment to the IT service desk, as criminals gaining access to sensitive information can cause many problems. Even if this is your personal data, because they can abuse your account(s) or, for example, send emails in your name to retrieve sensitive company information.

Data Protection Officer: FG (‘Functionaris Gegevensbescherming’)

The AVG provides a modernized, accountability-based framework for data protection compliance in Europe, and data protection officers are central to that framework for many organizations. In other words, a FG (in English: DPO) is someone who oversees the implementation of and compliance with privacy law within the organization. Under the AVG, appointing one is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of personal data.

The concept of the FG is not new. Although the WBP, the legislation in force until May 25, 2018, did not require any organization to appoint a data protection officer, it had already become common practice in several EU member states. The function is seen as the cornerstone of accountability: appointing a FG simplifies compliance with privacy law and can also provide a competitive advantage, based on the idea that privacy is a business case in its own right.

GDPR

General Data Protection Regulation, the European privacy law; AVG is its Dutch name. See also AVG.

Hostage software

Hostage software (‘gijzelsoftware’) is the Dutch term for ransomware, which in turn is a combination of “ransom” and “malware”. Malware (see below) is a contraction of ‘malicious’ and ‘software’, the collective term for all software used to disrupt computers, collect sensitive information or gain access to private systems. See also Ransomware.

Human Factor

Technology is not used in a secure way, there is insufficient awareness of the vulnerability of information and the right behavioral change is a serious challenge – that is, in short, the gist of the ‘human factor’ in information security. At the same time, we do not see employees as weak links, but as the key to making working more securely a natural part of every organization. Activate that human firewall! (see also Vulnerability).

Information Security

An information security policy is twofold. First, it provides guidance on the role of Information Security in general, where the entire organization must look at how data is handled. In addition to the attention of the IT team and management, this requires collaboration between all departments throughout the company. You see it everywhere, from small SMEs to large multinationals, but also in government agencies: extensive automation makes us very dependent on IT, but that awareness and the influence on daily operations is not (yet) always obvious.

In addition, we see an important focus on the AVG, the European privacy legislation that came into force in May 2018 (see also AVG). Many organizations are doing everything they can to get the practical issues in order. Think of mapping data flows and reducing all that data to only the necessary. What information do you have, can you have it, and on what grounds can you have it? Where do you store it and what do you do with it? A good information security policy is not only necessary but also offers opportunities.

Integrity

Integrity has several definitions. With data integrity we speak of correct and complete information (and processing), with people it’s about reliability and with systems it’s about proper functioning.

Everyone does a favor for someone else from time to time. But what do you do when your neighbor asks if you can find out the state of affairs of a file? Would you do it?

Access to information gives power, and in your work you have to deal with a lot of sensitive and strictly confidential information. Think, for example, of access to files and price-sensitive information. You have a certain mandate to process this information, but how do you handle this power? In the Awareways learning module Integrity we go deeper into this and discuss, among other things, the various integrity violations and the risks involved.

ISO 27001

ISO 27001 certification, issued by an independent, accredited auditor, is a guarantee that the confidentiality, integrity and availability of data – business-critical information, but above all customer data – are protected in accordance with the requirements of the standard. ISO stands for the International Organization for Standardization, a collaboration of national standardization bodies from 163 countries that is responsible for setting standards; ISO/IEC 27001 is published jointly with the International Electrotechnical Commission (IEC).

The ISO 27001 standard describes how information security could be set up as a process. This international standard applies to all types of organizations and specifies requirements for establishing, implementing, executing, monitoring, assessing, maintaining and improving a documented Information Security Management System (ISMS) in the context of the general business risks for the organization in question.

Director Maarten Timmerman: “Being a specialist in the field of security awareness, as a fast growing organization we also want to be at the forefront of keeping all our data safe. Moreover, many of our customers are certified, and going through this process as an organization has given us not only more security but also firsthand insight into all the associated aspects: Practice what you preach!”

Vulnerability

Vulnerability means ‘weakness’ or ‘susceptibility to harm’. In cybersecurity, a vulnerability is any weak spot in a system, in software or in hardware, often caused by a programming or configuration error, that malicious actors can exploit to gain access or cause damage. But the vulnerability can also be the human role in the chain. More and more is being invested in information security, yet people remain the weakest link: technology is not used in a secure way, there is insufficient awareness of the vulnerability of information, and achieving the right behavioral change is a serious challenge.

Awareways does not see the human factor as a weak link, but as the starting point for increasing information security. There are many smart measures that can be taken to activate the human firewall, and they don’t always require you to be technically savvy or have a serious understanding of IT. Examples include using strong passwords, structurally locking your computer screen when you are away from your computer, or knowing how to deal with phishing and other forms of social engineering.

Malware

Malware is a contraction of malicious software, a collective term for any software used to disrupt computer systems, collect sensitive information or gain access to proprietary computer systems.

Phishing is a common way of delivering malware (see also Phishing below). Emails that appear to come from your bank or credit card company may in fact come from an attacker trying to gain access to your account. Clicking a link in such an email may take you to a fake website designed to steal login or financial details, or to install malware or spyware on your device. It is therefore better to type the address of the institution directly into the browser, or to use a bookmark you saved earlier, rather than to follow a link in an email.
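
The advice to type the address yourself exists because the link text in an email can say one thing while the link goes somewhere else. The following is an added example, not code from the original page: a small Go checker that scans the HTML of a message for anchors whose visible text names a different domain than the actual target, or whose target is not under the domain the sender claims to be. The email body and the domain mybank.example are constructed for the example. This is the kind of check a mail gateway or a phishing-simulation tool performs; for a person, hovering over the link and reading the real destination does the same job.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleEmail is a constructed phishing-style message with three links:
// one genuine, one whose visible text lies about its destination, and one
// that hides the real domain behind a look-alike subdomain.
const sampleEmail = `
<p>Dear customer, please <a href="https://www.mybank.example/login">log in</a>
to review your statement.</p>
<p>Or use this direct link:
<a href="http://mybank-secure-login.example.net/x">https://www.mybank.example/login</a></p>
<p><a href="https://www.mybank.example.attacker.test/verify">Verify your account</a>
within 24 hours to avoid suspension.</p>`

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`(?s)<[^>]+>`)
)

// suspiciousLink records one flagged anchor and why it was flagged.
type suspiciousLink struct {
	Text, Href, Reason string
}

// hostOf returns the lower-cased hostname of a URL, or "" if the string does
// not parse as one. Bare hostnames in link text (no scheme) are accepted.
func hostOf(raw string) string {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// underDomain reports whether host is trusted itself or a subdomain of it.
// The suffix check includes the dot, so mybank.example.attacker.test fails.
func underDomain(host, trusted string) bool {
	return host == trusted || strings.HasSuffix(host, "."+trusted)
}

// findSuspiciousLinks returns every anchor in html whose visible text names a
// host other than the real target, or whose target is outside trustedDomain.
func findSuspiciousLinks(html, trustedDomain string) []suspiciousLink {
	var found []suspiciousLink
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := m[1]
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		target := hostOf(href)

		// Visible text that looks like an address (has a dot, no spaces) must
		// point where it says it does.
		if strings.Contains(text, ".") && !strings.ContainsAny(text, " \t\n") {
			if shown := hostOf(text); shown != "" && shown != target {
				found = append(found, suspiciousLink{text, href,
					"text says " + shown + " but link goes to " + target})
				continue
			}
		}
		if !underDomain(target, trustedDomain) {
			found = append(found, suspiciousLink{text, href,
				"link target " + target + " is not under " + trustedDomain})
		}
	}
	return found
}

func main() {
	for _, l := range findSuspiciousLinks(sampleEmail, "mybank.example") {
		fmt.Printf("SUSPICIOUS %q -> %s\n    %s\n", l.Text, l.Href, l.Reason)
	}
}
```

The third link is the one people most often fall for: the address really does start with www.mybank.example, but the domain that matters is the last part before the first slash, attacker.test.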

NCSC

National Cyber Security Centre, part of the Ministry of Justice and Security. All information about cyber security in the Netherlands comes together in this centre. The NCSC works for the central government and for the processes that matter most to the Netherlands, such as electricity, access to clean drinking water and other vital parts of society, including infrastructure, both physical and digital.

Baseline measurement

A baseline measurement maps out the level of information awareness. At the same time, it challenges employees to reflect on their own knowledge level and behavior. Participating in the security awareness research is therefore an awareness intervention in itself.

The Awareways baseline measurement provides concrete results, such as:

  • The current state of information awareness;
  • insight into cultural aspects, including the social norm, relevance and behavior;
  • practical spearheads for a security awareness follow-up program.

Personal Data

When we talk about privacy in the context of the AVG and information security, we are mainly talking about personal data and its protection.

Personal data is any information that relates to an identified or identifiable person, and it comes in various types. First, there is data that says something directly about a person, such as name, date of birth and gender. Data that indirectly says something about you is also personal data: think of your address, your salary, or something seemingly ‘small’ like the IP address of your computer, which can be traced back to you.

The law also distinguishes special categories of personal data, because their misuse can seriously damage privacy, for example by enabling someone to fraudulently assume your identity. These include biometric data such as a passport photo or fingerprint when used to identify you uniquely, and sensitive data such as your religion or belief, ethnic origin, political affiliation, trade union membership, health, and sexual orientation; data on criminal convictions is subject to similar restrictions.

Phishing

Phishing is a form of internet fraud in which criminals use fake emails and various tricks to get you to reveal confidential information or to open a malicious link or attachment. Research has shown that as many as 91 percent of data breaches start with a phishing email, but attackers also use the telephone (see Vishing), SMS and social media, for example.

Awareways phishing software provides an online platform with which attacks can be simulated in a simple and cost-effective manner. We believe that with our team of experts, we have the right approach to make any organization defensible against phishing and other digital threats.

Privacy

Privacy stands for personal freedom, deciding who gets to which information about you, and the desire to be able to live unspoiled and unguarded. This has an important place in the modern working environment, because privacy is not only about what you do in your free time and what photos you share on Facebook, but also about how you handle personal data in your daily work.

These personal data are protected by law, and the Personal Data Authority (AP) supervises compliance in order to prevent abuse. In addition, the GDPR places great emphasis on the documentation an organization must keep in order to demonstrate that this duty of accountability is being fulfilled.

Privacy impact assessment

The DPIA or Data Protection Impact Assessment is a tool used to identify the privacy risks of a data processing operation in advance. Under the General Data Protection Regulation (GDPR), carrying out a DPIA is mandatory for processing that is likely to result in a high risk to the people involved.

A DPIA is a practical tool for identifying the privacy risks of data processing, acting where necessary to reduce those risks and thus complying with the rules of the GDPR. For that reason, carrying out a DPIA, like appointing a DPO, is also worthwhile for organizations that are not obliged to do so. It encourages thinking about the impact of a project on privacy at an early stage, provides insight into the risks for the persons whose data are being processed and for the organization itself, and prompts the question whether there is an approach with fewer consequences for the privacy of all those involved.

Ransomware

A growing number of cybercriminals earn their living by infecting computers, networks and cell phones with ransomware. This is malicious software that encrypts devices or files, making it impossible for you to access your own data. This can lead to major financial losses, but also to losses of emotional value, when as a private individual you can no longer access the photos on your laptop, for example. The perpetrators then come knocking with their ransom demand. Paying does not guarantee recovery; the reliable way back is a recent backup that the infected device could not reach and overwrite (see also Cyber Hygiene).

Ransomware is a combination of “ransom” and “malware”, which is a contraction of “malicious” and “software”. Malware is a collective term for all software used to disrupt computers, collect sensitive information or gain access to private systems.

Security awareness engine

The Security Awareness Engine of Awareways is used as the core of a security awareness program. It’s an interactive tool in which employees can battle with each other to raise the collective level of information awareness to the right level, using substantive knowledge and stimulating gamification.

Looking for a tool that goes beyond e-learning? A tool that conveys knowledge and offers participants the challenge of growing visibly from ‘protector bronze’ to ‘protector diamond’? Then the Security Awareness Engine is for you. Technical measures, new insights, new processes, new laws and regulations; the awareness engine is flexible and can be adapted and expanded in real time.

Vishing

Cybercrime evolves, like any other form of crime: no vault is so secure that nobody will ever crack it. Vishing or “voice phishing” (see Phishing) plays a serious role here. It is a form of fraud in which social engineering is applied over the telephone to obtain personal and financial information for financial gain, for instance by a caller posing as the bank or the IT help desk. Therefore, treat unexpected phone calls with the same care as phishing emails: do not give out codes or passwords, and call back on a number you looked up yourself.

Password Manager

Software in which a user stores usernames and passwords in a kind of digital safe, protected by a single strong master password. The software can usually also generate passwords itself, recognize websites and fill in the credentials automatically, which means a unique, long password for every account without having to remember any of them.

Awareness campaigns and information awareness training pay a lot of attention to the importance of strong passwords, and for good reason. An analysis by SplashData has shown that the number combination ‘123456’ was still the most frequently used password in the past year, for the sixth(!) year in a row.

Creating and remembering passwords is therefore best left to a password manager. Well-known examples are KeePass (open source) and 1Password, both available on multiple platforms. Most password managers also check the strength of your existing passwords and warn about reused ones.

Wangiri fraud

Wangiri is a form of telephone scam in which the scammer lets your phone ring once and hangs up, hoping you will call back a foreign premium-rate number and run up a hefty phone bill. ‘Wangiri’ is Japanese and means ‘one ring and cut’. Do not answer and do not call back!

Zero-day

Zero-day is usually the first part of a term, such as zero-day vulnerability, zero-day exploit and zero-day attack. A zero-day vulnerability is a weakness in software that is not yet known to the software vendor, who has therefore had ‘zero days’ to fix it. A zero-day exploit is code that takes advantage of such a vulnerability, and a zero-day attack is the use of that exploit against real systems.

A zero-day attack is special because there is no patch yet: neither the user nor the vendor knows about the hole, so there is no specific protection against it. Once the vulnerability is discovered, the vendor normally releases a patch, and installing that update closes the hole. This is why installing updates promptly matters, and why measures that do not depend on knowing the specific vulnerability, such as limiting user privileges and keeping backups, remain important.

AWAREWAYS

Euclideslaan 141 3584 BR Utrecht
+31 (0)30 227 14 67
info@awareways.com
