Managed IT & Operations.
MANAGED IT SERVICES · MSP
A subscription model in which a managed service provider (MSP) takes ongoing responsibility for a business's IT operations — monitoring, patching, security, help desk, and strategy — for a flat per-user or per-device monthly fee. Replaces the legacy hourly break-fix model. See also Break-Fix vs Managed IT Comparison.
BREAK-FIX IT
An hourly, reactive IT support model where the business only pays when something breaks. The provider has no financial incentive to prevent outages, and downtime costs typically dwarf the hourly bill. Largely superseded by managed services in 2026. See also Break-Fix vs Managed IT Comparison.
CO-MANAGED IT
A hybrid arrangement where an internal IT employee (or small team) handles day-to-day work and an outside MSP provides tooling, after-hours coverage, escalation, security operations, and strategy. Common at 50–250 person businesses that have outgrown a single internal IT generalist but don't yet need a full department.
REMOTE MONITORING & MANAGEMENT · RMM
The agent-based tooling MSPs install on every managed workstation and server to monitor health, deploy patches, push scripts, inventory hardware and software, and provide remote support without dispatching a technician. Examples include NinjaOne, ConnectWise Automate, Datto RMM, and N-able.
VIRTUAL CHIEF INFORMATION OFFICER · vCIO
A fractional strategy role provided by an MSP — quarterly business reviews, technology roadmaps, budget planning, vendor selection, and risk assessments — for businesses that need executive-level IT guidance but cannot justify a full-time CIO salary. Often bundled into premium MSP tiers at no extra cost.
SERVICE LEVEL AGREEMENT · SLA
A contractual commitment from an IT provider defining response time, resolution targets, uptime guarantees, and remedies if those targets are missed. Common MSP SLAs commit to a 15-minute response on critical issues and a 1-hour response on standard tickets during business hours.
HELP DESK TIER 1 / 2 / 3
Escalation levels inside an IT support organization. Tier 1 handles password resets, basic software issues, and known-issue scripts. Tier 2 handles application troubleshooting, account provisioning, and workstation rebuilds. Tier 3 handles infrastructure, networking, server, and security engineering. A well-staffed MSP resolves roughly 70–80% of tickets at Tier 1.
ASSET LIFECYCLE MANAGEMENT
The discipline of tracking hardware from purchase through retirement, with a planned refresh cadence (typically 4 years for laptops, 5 for desktops, 5–7 for servers). Avoids the trap of running mission-critical workloads on out-of-warranty hardware that cannot be patched against modern threats or covered by cyber insurance.
Cybersecurity.
MULTI-FACTOR AUTHENTICATION · MFA
A login method that requires two or more proofs of identity — typically a password plus a code from an authenticator app or hardware key. Microsoft's published data shows MFA blocks roughly 99.9% of automated credential attacks. Required by every modern cyber insurance carrier on email, VPN, and admin accounts.
ENDPOINT DETECTION & RESPONSE · EDR
Modern endpoint security software that detects and contains threats based on behavior rather than relying solely on known-malware signatures the way legacy antivirus did. EDR can identify ransomware mid-execution and automatically isolate the affected device from the network. Examples include Microsoft Defender for Business, SentinelOne, CrowdStrike, and Huntress.
SECURITY INFORMATION & EVENT MANAGEMENT · SIEM
A platform that aggregates logs from across the IT environment — firewalls, endpoints, identity providers, cloud services — and correlates them to detect suspicious patterns no single source would catch alone. The data backbone behind a 24/7 SOC. Examples include Microsoft Sentinel, Splunk, and Blumira.
SECURITY OPERATIONS CENTER · SOC
A team of security analysts that monitors a business's environment 24 hours a day, 7 days a week, investigates alerts, and triggers incident response when a real threat is detected. Most small businesses access a SOC through their MSP or a third-party MDR (Managed Detection & Response) provider rather than staffing one internally.
PHISHING / SPEAR PHISHING
Phishing is a fraudulent email designed to trick a user into clicking a malicious link, surrendering credentials, or paying a fake invoice. Spear phishing is a targeted version aimed at a specific person, often impersonating an executive or trusted vendor and using research from public sources (LinkedIn, the company website) to add credibility.
BUSINESS EMAIL COMPROMISE · BEC
The most expensive cyber threat facing small businesses in 2026 according to the FBI's IC3 reports. An attacker compromises a business email account (often via phishing), studies the inbox for weeks, then redirects a wire transfer or invoice payment by impersonating a vendor or executive. Median loss runs into six figures per incident.
RANSOMWARE
Malware that encrypts a business's files and demands payment for the decryption key, typically also stealing the data first and threatening to publish it (“double extortion”). MSPs defend against ransomware through MFA, EDR, patching, email filtering, immutable backup, and 24/7 monitoring — layered together, not any single control.
ZERO TRUST
A security principle that abandons the old “trusted internal network” model and instead verifies every user, device, and request individually, regardless of location. In practice this means MFA everywhere, device-compliance checks before granting access, and least-privilege permissions on every resource. NIST publishes the formal Zero Trust Architecture (SP 800-207).
SECURITY AWARENESS TRAINING
Recurring employee training on phishing recognition, password hygiene, safe handling of sensitive data, and incident reporting — with periodic simulated phishing tests to measure (and document) workforce performance. Required by HIPAA, the FTC Safeguards Rule, PCI-DSS, and every major cyber insurance carrier. KnowBe4 is the most common platform.
Microsoft 365 & Cloud.
MICROSOFT 365 · M365
Microsoft's productivity and collaboration suite, sold by subscription per user per month. Includes the Office apps (Word, Excel, PowerPoint, Outlook), Exchange Online email, SharePoint, OneDrive, and Teams. The dominant productivity platform for small and mid-sized businesses worldwide.
M365 BUSINESS BASIC / STANDARD / PREMIUM
The three core SMB tiers of Microsoft 365. Business Basic ($7.50/user/month) is web/mobile only, no desktop apps. Business Standard ($15) adds the installed desktop Office apps. Business Premium ($27) adds Defender for Business EDR, Intune device management, Entra ID P1, and information protection — the security stack a small business actually needs.
M365 NONPROFIT
Microsoft's discounted licensing for verified 501(c)(3) organizations. Business Basic and Business Standard are FREE for up to 300 users; Business Premium is $6/user/month (a 78% discount from the $27 commercial price). Requires Microsoft nonprofit eligibility verification through a one-time application.
DEFENDER FOR BUSINESS
Microsoft's EDR product for small businesses (up to 300 users), included with Business Premium or sold standalone at $3/user/month. Provides next-generation antivirus, behavioral threat detection, attack-surface reduction, automated investigation, and threat-and-vulnerability management on Windows, Mac, iOS, and Android endpoints.
CONDITIONAL ACCESS
A policy engine inside Microsoft Entra ID (formerly Azure AD) that grants or denies access based on signals — user identity, device compliance, location, application, risk score — rather than just whether the password is correct. The technical heart of a Zero Trust posture in a Microsoft environment. Requires Business Premium or Entra ID P1.
MICROSOFT INTUNE
Microsoft's mobile device management (MDM) and mobile application management (MAM) platform. Lets a business push policies, deploy software, enforce encryption, and wipe lost devices — for both company-owned and bring-your-own-device (BYOD) phones, tablets, and laptops. Included in M365 Business Premium.
MICROSOFT ENTRA ID
Microsoft's cloud identity provider, formerly named Azure Active Directory. Manages user accounts, authentication, single sign-on, MFA, and Conditional Access for Microsoft 365 and thousands of third-party SaaS applications. The identity backbone of every Microsoft 365 tenant.
MICROSOFT TEAMS
Microsoft's unified communication platform — chat, video meetings, channels, file sharing, and (with the Teams Phone add-on) full PBX-replacement business voice. Included in every M365 Business and Enterprise SKU. The most-used collaboration platform in the SMB segment.
MICROSOFT AZURE
Microsoft's public cloud infrastructure platform, separate from Microsoft 365. Hosts virtual machines, databases, AI services, networking, and developer platforms on a consumption-based bill. Where line-of-business apps and custom workloads live when they outgrow on-premises servers.
Networking & Infrastructure.
VIRTUAL PRIVATE NETWORK · VPN
An encrypted tunnel over the public internet. Site-to-site VPNs connect two office networks (e.g., headquarters and a branch) so they behave as one private network. Remote-access VPNs let an individual user securely connect to the office from home or travel. Increasingly being replaced by Zero Trust Network Access (ZTNA) for remote-access use cases.
VIRTUAL LAN · VLAN
A logical division of a single physical network into multiple isolated networks. Used to separate clinical workstations from guest WiFi, medical devices from staff laptops, or VoIP phones from data traffic — limiting the blast radius of any single compromised endpoint. A core piece of practical network segmentation.
QUALITY OF SERVICE · QoS
Network policies that prioritize certain types of traffic over others when bandwidth is constrained. Most commonly used to guarantee real-time voice and video traffic (VoIP, Teams meetings) over bulk traffic like file syncs and backups — preventing jitter, dropped calls, and frozen video during peak hours.
DOMAIN NAME SYSTEM · DNS
The internet's address book: translates human-readable names (simplyit.biz) into IP addresses (e.g., 76.76.21.21) that computers actually use to route traffic. Also a critical security control point — protective DNS filtering can block known-malicious domains before a user's browser ever connects.
DYNAMIC HOST CONFIGURATION PROTOCOL · DHCP
The protocol that automatically assigns IP addresses, subnet masks, default gateways, and DNS servers to devices joining a network. Without DHCP, every device would need manual IP configuration. Typically served by the office firewall, router, or domain controller.
FIREWALL
A network device (or software) that filters traffic between networks based on policy. A stateful firewall tracks connection state and allows return traffic; a next-generation firewall (NGFW) adds deep packet inspection, application awareness, intrusion prevention, and integrated VPN. Modern SMB firewalls include Sophos, SonicWall, Fortinet, and Meraki.
LTE / 5G FAILOVER
A cellular-based backup internet connection that automatically takes over when the primary wired internet (cable, fiber) goes down. Critical for businesses that lose money the moment they're offline — medical practices, retail, restaurants, accounting firms during tax season. Typically integrated into the office firewall as a secondary WAN interface.
Backup & Continuity.
3-2-1 BACKUP STRATEGY
The long-standing best-practice rule: maintain 3 copies of your data, on 2 different media types, with 1 copy stored off-site. The off-site copy is what survives a fire, flood, theft, or ransomware event that hits the primary office. Modern 3-2-1 implementations typically use local NAS plus immutable cloud.
IMMUTABLE BACKUP
A backup stored in a way that prevents it from being altered or deleted — even by an attacker who has compromised the network and administrative credentials — for a defined retention period. The single most important defense against modern ransomware, which routinely targets and deletes traditional backups before encrypting production data.
RECOVERY POINT OBJECTIVE · RPO
How much data loss the business can tolerate, measured in time. An RPO of 1 hour means backups must run at least every hour; if the system fails at 2:45pm, the worst-case recovery is back to 2:00pm. RPO drives backup frequency — tighter RPO costs more in storage and bandwidth.
RECOVERY TIME OBJECTIVE · RTO
How quickly the business must be back online after an outage, measured in time. An RTO of 4 hours means the recovery process — restore, validate, reconnect — must complete inside 4 hours. RTO drives the architecture: instant failover to cloud-hosted standby is expensive; nightly tape restores are cheap but slow.
BUSINESS CONTINUITY & DISASTER RECOVERY · BCDR
The combined discipline of keeping the business operational during a disruption (business continuity) and restoring full systems after the disruption ends (disaster recovery). A real BCDR plan covers people, processes, vendors, alternate work locations, and communications — not just data backup. Florida businesses should test BCDR against a hurricane scenario annually.
BARE-METAL RESTORE
Image-based recovery that restores a complete server or workstation — operating system, applications, configuration, and data — onto new hardware or a virtual machine in a single operation. Far faster than reinstalling from scratch and reapplying configuration after a catastrophic failure or ransomware event.
Compliance & Regulatory.
HIPAA
The Health Insurance Portability and Accountability Act of 1996, with the Security Rule codified at 45 CFR Part 164, Subpart C. Applies to covered entities (medical practices, hospitals, health plans) and their business associates. Mandates administrative, physical, and technical safeguards for protected health information (PHI). See also the HIPAA Cybersecurity Guide for Florida Medical Practices.
BUSINESS ASSOCIATE AGREEMENT · BAA
The written contract HIPAA requires between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on the covered entity's behalf — IT providers, cloud platforms, EHR vendors, billing companies, shredding services. Required under 45 CFR 164.502(e) and 164.504(e). The Microsoft 365 BAA must be activated in the admin console — it is not automatic.
PROTECTED HEALTH INFORMATION · PHI
Any individually identifiable health information held or transmitted by a HIPAA covered entity or business associate, in any form — electronic, paper, or oral. Includes the obvious (diagnosis, treatment records) and the non-obvious (an appointment-confirmation email, a photo of a patient sign-in sheet). Electronic PHI is abbreviated ePHI.
FTC SAFEGUARDS RULE
16 CFR Part 314, the Federal Trade Commission's data-security regulation under the Gramm-Leach-Bliley Act. Applies to a broad set of “financial institutions” — including CPA firms, tax preparers, mortgage brokers, auto dealers with financing, and many others — requiring a written information security program, encryption, MFA, vendor oversight, and an annual Qualified Individual report. See also the FTC Safeguards Rule Implementation Guide for CPA Firms.
WRITTEN INFORMATION SECURITY PROGRAM · WISP
A formal, documented security program covering policies, controls, roles, risk assessment, incident response, vendor management, and training. Required explicitly by the FTC Safeguards Rule and by the IRS for tax practitioners (IRS Publication 4557), and effectively required by every cyber insurance underwriter. A WISP is the proof the program exists.
QUALIFIED INDIVIDUAL
The named person the FTC Safeguards Rule requires every covered financial institution to designate as responsible for the information security program. Must report annually in writing to the board (or governing body) on the program's status. Can be an employee or a qualified third-party MSP under contract.
FLORIDA BAR RULE 4-1.6
The Florida Rules of Professional Conduct provision establishing a lawyer's duty of confidentiality — including, since the 2018 technology-competence amendments, the duty to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of” client information. Cybersecurity controls are now an ethics obligation, not just a business decision. See also the Florida Bar Rule 4-1.6 Cybersecurity Guide.
FLORIDA INFORMATION PROTECTION ACT · FIPA
F.S. 501.171, Florida's state-level breach notification law. Requires notification to affected Florida residents and to the Florida Department of Legal Affairs within 30 days of discovering a breach affecting 500+ Florida residents — significantly faster than HIPAA's 60-day federal timeline. For most Florida businesses, FIPA's clock is the binding constraint.
SOC 2
An audit framework from the AICPA covering security, availability, processing integrity, confidentiality, and privacy of customer data at service organizations. SOC 2 Type I attests to controls at a point in time; SOC 2 Type II tests those controls over a period (typically 6–12 months). The de facto vendor-security standard for SaaS providers.
PCI-DSS
The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council. Any business that stores, processes, or transmits credit-card data must comply — including small businesses that accept cards. Compliance level is driven by annual transaction volume; most SMBs fall under Self-Assessment Questionnaire (SAQ) requirements appropriate to their payment workflow.
Communications & VoIP.
VOICE OVER IP · VoIP
Business phone service delivered over the internet rather than over the legacy copper phone network. Lower cost, richer features (auto attendants, voicemail-to-email, mobile apps, video conferencing), and easier to scale than traditional PBX systems. The dominant SMB phone architecture in 2026. See also the Business VoIP Phone System Buyer's Guide.
SESSION INITIATION PROTOCOL · SIP
The signaling protocol that establishes, maintains, and terminates VoIP calls. SIP trunks deliver dial tone to an on-premises or cloud PBX; SIP credentials register an individual phone or softphone with a hosted VoIP service. The lingua franca of business voice.
E911
Enhanced 911 — the system that delivers a caller's location to the public safety answering point (PSAP) along with the emergency call. VoIP services are required to support E911 with current registered location information, which the user (or administrator) must keep accurate as phones move between offices or home setups.
KARI'S LAW
A 2018 federal law requiring multi-line telephone systems to allow direct 911 dialing without any prefix (no “9 to get out”), and to send a notification — to a front desk, security, or central station — whenever a 911 call is placed. Named for Kari Hunt Dunn. Applies to systems installed, manufactured, or imported after February 16, 2020.
RAY BAUM'S ACT
Section 506 of the 2018 RAY BAUM'S Act requires that 911 calls from multi-line telephone systems deliver a “dispatchable location” — street address plus specific information like building, floor, suite, or room — sufficient for first responders to find the caller. Applies to fixed devices since January 2021 and non-fixed/softphone devices since January 2022.
TEAMS PHONE
Microsoft's PSTN voice add-on for Microsoft Teams, turning Teams into a full PBX replacement with inbound and outbound public phone-network calling. Sold as Teams Phone with Calling Plan (Microsoft provides the carrier) or via direct routing through a partner SIP provider. A natural fit for businesses already standardized on M365.
DIRECT INWARD DIAL · DID
A public phone number that rings directly to a specific extension, person, or department without going through a main switchboard or auto attendant. Modern VoIP services assign DIDs trivially — every employee can have a direct number printed on their business card at no marginal cost beyond per-number monthly fees.
INTERACTIVE VOICE RESPONSE · IVR
The automated phone-tree menu that greets callers (“Press 1 for sales, 2 for support…”) and routes them to the right destination. Modern IVRs support text-to-speech, business-hours-aware routing, voicemail boxes per option, and overflow rules to mobile phones — all configurable from a web admin console.
AI & Automation.
LARGE LANGUAGE MODEL · LLM
A type of AI model trained on enormous volumes of text to predict the next token in a sequence — the technology underneath ChatGPT, Microsoft Copilot, Anthropic Claude, and Google Gemini. LLMs can draft, summarize, translate, and reason, but they don't “know” facts — they predict plausible text, which is why grounding matters.
RETRIEVAL-AUGMENTED GENERATION · RAG
A technique for grounding an LLM's answers in a specific corpus of trusted documents — the company's SOPs, knowledge base, contracts, policies — rather than relying on whatever the model picked up during training. RAG is how a business gets an AI assistant that answers from its own data instead of guessing.
AI HALLUCINATION
When an LLM produces a confident, fluent answer that is factually wrong, fabricated, or invented — including made-up legal citations, fake statistics, and nonexistent product features. The single largest risk of unsupervised AI use in business workflows. Mitigation requires grounding (RAG), human review, and clear policies on which outputs require verification before use.
PROMPT ENGINEERING
The practice of crafting instructions to an LLM to produce reliable, useful, on-brand outputs. Includes role assignment, context loading, output format specification, and example-based (few-shot) prompting. A skill, not a job title — every knowledge worker using AI is doing some level of prompt engineering whether they realize it or not.
MICROSOFT COPILOT
Microsoft's AI assistant brand, spanning Copilot for Microsoft 365 (drafting and summarizing inside Word, Excel, Outlook, Teams), Copilot Chat (the web-based assistant), GitHub Copilot (code), and Copilot in Windows. The M365 commercial Copilot is sold at $30/user/month and is grounded in the tenant's own SharePoint and email content.
SHADOW AI
Employees using consumer AI tools (free ChatGPT, free Claude, browser-based image generators) on company work and company data without the employer's knowledge or sanction. The 2026 equivalent of shadow IT. Common, often well-intentioned, and a significant data-leakage and compliance risk — especially in regulated industries. See also AI for Small Business: Use Cases, Risks & Policies.
AI ACCEPTABLE-USE POLICY
A written workforce policy covering which AI tools are sanctioned, what kinds of company or client data may (and may not) be entered into them, whether outputs require human review before external use, and how AI-generated content is disclosed. The single highest-leverage AI governance step a small business can take in 2026.
POWER AUTOMATE
Microsoft's low-code workflow automation platform, included in Microsoft 365 and the Power Platform. Connects M365 apps, third-party services, and on-premises systems with hundreds of pre-built connectors — automating approvals, notifications, data movement, and repetitive office workflows without traditional coding. Recent additions extend Power Automate with AI Builder and Copilot integrations.
WE'LL TRANSLATE ANY IT PROPOSAL OR QUOTE FOR FREE.
Simply IT is a veteran-owned managed IT provider headquartered in Ocala, FL. If you've got an IT proposal in hand, a renewal coming up, or just a stack of acronyms you'd like decoded against your actual business, we'll spend 30 minutes on the phone with you at no charge. No obligation, no sales script.