Cyber Security Breaches Survey 2019

This page gives you definitions for some terms used in some of the questions in the survey. During the interview the interviewer will also help to explain any of these terms if needed.

Business-as-usual health checks vs. ad-hoc health checks or reviews
Health check activities might include things like staff surveys, security assessments or vulnerability scans. Business-as-usual checks would be activities like this that are undertaken on a scheduled basis, e.g. annually. Ad-hoc checks will be the same kinds of activities but just undertaken as a one-off, e.g. in response to an attack.
Cyber security
Cyber security includes any processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access.
Cloud computing
Cloud computing uses a network of external servers accessed over the internet, rather than a local server or a personal computer, to store or transfer data. This could be used, for example, to host a website or corporate email accounts, or for storing or transferring data files.
Data classification
This refers to how files are classified (e.g. public, internal use, confidential etc).
Document Management System
A Document Management System is a piece of software that can store, manage and track files or documents on an organisation’s network. It can help manage things like version control and who has access to specific files or documents.
Externally-hosted web services
Externally-hosted web services are services run on a network of external servers and accessed over the internet. This could include, for example, services that host websites or corporate email accounts, or for storing or transferring data files over the internet.
Intellectual property
Intellectual property (IP) refers to the ideas, data or inventions that are owned by an organisation. This could, for example, include literature, music, product designs, logos, names and images created or bought by the organisation.
Malware
Malware (short for “malicious software”) is a type of computer program designed to infiltrate and damage computers without the user’s consent (e.g. viruses, worms, Trojan horses etc).
Penetration testing
Penetration testing is where staff or contractors try to breach the cyber security of an organisation on purpose, in order to show where there might be weaknesses in cyber security.
Personally-owned devices
Personally-owned devices are things such as smartphones, tablets, home laptops, desktop computers or USB sticks that do not belong to the company, but might be used to carry out business-related activities.
Phishing or social engineering
Fraudulent attempts to extract important information, such as passwords, from staff.
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid.
Removable devices
Removable devices are portable things that can store data, such as USB sticks, CDs, DVDs etc.
Restricting IT admin and access rights
Restricting IT admin and access rights is where only certain users are able to make changes to the organisation’s network or computers, for example to download or install software.
Risk assessment covering cyber security risks
This is the process of identifying and controlling any cyber security threats to an organisation’s data.
Segregated guest wireless networks
Segregated guest wireless networks are where an organisation allows guests, for example contractors or customers, to access a wi-fi network that is cut off from what staff have access to.
Table-top exercises
Table-top exercises are meetings where staff or senior managers simulate a cyber security breach or attack, then discuss and review the actions they would take for this breach or attack.
Threat intelligence
Threat intelligence is where an organisation may employ a staff member or contractor, or purchase a product to collate information and advice around all the cyber security risks the organisation faces.