IT & Cybersecurity Glossary
Plain-language definitions of managed IT, cybersecurity, cloud, and compliance terms — written for business owners and managers across Canada and the United States, not technical staff.
Business Continuity Plan (BCP)
Managed IT
A documented strategy defining how a business continues operating during and after a major disruption — cyberattack, natural disaster, power outage, or key staff absence. A strong BCP includes identified critical functions, alternate operating procedures, communication plans, recovery time objectives (RTOs), and regular testing protocols. For businesses across North America, this includes scenarios such as severe weather events, supply chain disruptions, and ransomware attacks.
Cloud Computing
Cloud
The delivery of computing services — servers, storage, databases, networking, software, and analytics — over the internet rather than from local hardware. Cloud computing allows businesses to access scalable IT resources on demand, pay only for what they use, enable remote work for distributed teams, and strengthen disaster recovery capabilities. Common platforms include Microsoft Azure, Microsoft 365, and Google Workspace.
Disaster Recovery (DR)
Managed IT
The process of restoring IT systems, data, and infrastructure after a disruptive event — cyberattack, hardware failure, or natural disaster. Disaster recovery focuses specifically on technology restoration, guided by Recovery Time Objectives (RTO — how quickly systems must be restored) and Recovery Point Objectives (RPO — how much data loss is acceptable). DR is a critical component of, but distinct from, a broader Business Continuity Plan.
Endpoint Detection and Response (EDR)
Cybersecurity
A cybersecurity technology that continuously monitors endpoints — computers, laptops, servers, and mobile devices — for signs of threats and automatically responds to suspicious activity. EDR uses behavioral analysis to detect zero-day attacks and ransomware that traditional antivirus software misses. A mandatory component of any serious cybersecurity program, and a key requirement under both PIPEDA (Canada) and HIPAA (US) obligations to protect sensitive information with appropriate safeguards.
HIPAA (Health Insurance Portability and Accountability Act)
Compliance
A US federal law that sets national standards for protecting sensitive patient health information. HIPAA’s Security Rule requires healthcare organizations and their business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). Applicable to healthcare providers, health plans, and any technology or IT vendor that handles patient data on their behalf. Non-compliance can result in fines ranging from $100 to $50,000 per violation. Canadian healthcare organizations serving US patients or using US-based platforms may also need to maintain HIPAA-aligned practices.
Hardware as a Service (HaaS)
Managed IT
A subscription model where businesses lease IT hardware — computers, laptops, servers, and networking equipment — from a managed service provider at a fixed monthly fee, instead of purchasing it outright. HaaS converts capital expenditures (CapEx) to operating expenses (OpEx), includes maintenance and hardware refreshes, and ensures businesses always operate on current, fully supported equipment without large upfront investments.
Managed IT Services
Managed IT
A subscription-based model where a third-party provider — called a Managed Service Provider, or MSP — proactively manages and maintains a business’s IT infrastructure, systems, and users on their behalf. Includes 24/7 monitoring, help desk support, patch management, network management, and security — all at a predictable flat monthly rate. Ideal for businesses across Canada and the United States that need enterprise-grade IT without the cost of a full in-house IT department.
Multi-Factor Authentication (MFA)
Cybersecurity
A security control requiring users to verify their identity with two or more independent factors before accessing systems: something they know (a password), something they have (a phone or hardware token), and/or something they are (a biometric like a fingerprint). MFA blocks over 99% of automated credential-based attacks and is one of the most cost-effective security controls any business can implement. Required under both PIPEDA (Canada) and HIPAA (US) mandates to use appropriate security safeguards.
PCI-DSS (Payment Card Industry Data Security Standard)
Compliance
A global security standard maintained by the Payment Card Industry Security Standards Council that applies to any organization that accepts, processes, stores, or transmits credit card information. PCI-DSS requires businesses to maintain a secure network, protect cardholder data, manage vulnerabilities, implement strong access controls, and regularly monitor and test networks. Non-compliance can result in fines, increased transaction fees, and loss of the ability to process card payments. Applies equally to businesses in Canada and the United States.
PIPEDA (Personal Information Protection and Electronic Documents Act)
Compliance
Canada’s federal private-sector privacy law that governs how organizations collect, use, and disclose personal information in the course of commercial activities. PIPEDA requires businesses to obtain meaningful consent before collecting personal data, protect it with appropriate security safeguards, and report data breaches to the Office of the Privacy Commissioner of Canada. Most Canadian businesses that handle customer or employee data are subject to PIPEDA — and non-compliance can result in significant fines and reputational damage. US businesses operating in Canada or handling Canadian personal data may also be subject to PIPEDA obligations.
Ransomware
Cybersecurity
A type of malware that encrypts a victim’s files or systems, making them completely inaccessible, then demands payment — usually in cryptocurrency — for the decryption key. Ransomware typically enters businesses through phishing emails, unpatched software vulnerabilities, or compromised remote access credentials. A single ransomware attack can cost a small business tens of thousands of dollars in downtime, recovery costs, and potential breach notification obligations under PIPEDA (Canada) or applicable US state and federal laws. Prevention requires EDR tools, email filtering, MFA, regular patching, and tested off-site backups.
SOC 2 (Service Organization Control 2)
Compliance
An auditing standard developed by the AICPA that evaluates a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 certification is increasingly required by enterprise clients and regulated industries — particularly financial services and healthcare — as proof that a technology vendor handles data responsibly. There are two types: SOC 2 Type I (a point-in-time assessment) and SOC 2 Type II (assessed over a period of time, and more rigorous). Relevant to both Canadian and US businesses operating in regulated sectors.
vCIO (Virtual Chief Information Officer)
IT Strategy
An outsourced executive-level IT strategy service where a managed IT provider supplies strategic technology leadership — IT roadmapping, vendor management, technology budgeting, and alignment of IT investments with business goals — without the cost of hiring a full-time CIO. vCIO services give small and mid-sized businesses across Canada and the United States access to enterprise-level strategic IT direction at a fraction of the cost of an in-house hire.
VoIP (Voice over Internet Protocol)
Managed IT
A technology that routes telephone calls over an internet connection instead of traditional telephone lines. Business VoIP systems offer advanced features — auto-attendant, call forwarding, mobile apps, voicemail-to-email, and CRM integration — at 30–60% lower cost than legacy phone service. VoIP also enables businesses to operate with a consistent professional phone presence whether staff are in the office, working remotely, or across multiple locations in Canada or the United States.
Still Have Questions?
Talk to an IT Expert — No Tech-Speak, No Obligation
PCe Solutions works with businesses across Canada and the United States every day. If you have questions about any of these terms and what they mean for your business, we’re happy to help.
