This is a screen shot of the DigitalBoost home page

The programme delivers free services, including:

• up to 21 hours of 1:1 specialist digital support – subject to your application
being authorised by a Business Gateway Adviser. You can apply by
calling your local Business Gateway office; contacts are on our web site
• workshops are all webinars at the moment – you just book your place on
our web site
• online guides on 21 digital topics and video tutorials on 9 digital topics
• your local area Business Gateway team may also run smaller coaching
sessions where you can complete a digital task together with expert
support. They may also run surgeries, where you can speak to an expert
for an hour or so.

4
Here is a representation of the scope of the current DigitalBoost webinars.
The actual titles are more detailed but come under these wider subject
headings. For example ‘social media’ is covered by these titles:

• Facebook for Business
• LinkedIn for Business
• Pinterest for Business
• Instagram for Business
• Twitter for Business

Each event (for all subjects here) is free and typically lasts about 90
minutes, including 15 to 20 minutes for audience participation.

These have been developed from the previous DigitalBoost workshop
material, which has been updated and re-vamped to suit the webinar format.

5
Audiences are likely to have diverse levels of understanding on this topic.

Please keep this in mind so the content can be delivered at the appropriate
level.

The workshop structure should cope with quite a broad range of audience
expertise and you can be selective about the depth of material you cover.

Please remember to tap into the knowledge and experience that may exist
amongst the delegates. Sharing experience is one of the strengths of our
workshops.
The graph shows the impact on the number of likes a page received: a sudden
dramatic drop as many clients suddenly lose confidence in you, then an
extended period while you try to recover the situation, and finally a point
at which the number of people who like and follow you starts to recover.

20
OS X is Unix-based, which is inherently more secure than Windows-based
computers. However, as the trend to access online content through mobile
devices – and particularly smartphones (already over 50%) – continues, these
are increasingly the main entry point for attack, including iOS (Apple) devices.
Android devices are still more vulnerable, because the software (apps) they run
is less well regulated than the iOS equivalent on an iPhone / iPad.

The key take-away is: all platforms and devices are vulnerable unless
protected: Windows, iOS, Android or other.

The link takes you to the actual guide and the main points are summarised in the bullets.
Everybody should read this guide. It could save a business from disaster.
The Cyber Essentials scheme has been developed by Government and industry to fulfil two
functions. It provides a clear statement of the basic controls all organisations should implement
to mitigate the risk from common internet based threats. It also offers a mechanism for
organisations to demonstrate to customers, investors, insurers and others that they have taken
these essential precautions.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of
organisations can implement and potentially build upon. Government believes that
implementing these measures can significantly reduce an organisation's vulnerability. However,
it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to
address more advanced, targeted attacks and hence organisations facing these threats will
need to implement additional measures as part of their security strategy. Cyber Essentials does
define a focused set of controls which will provide cost effective, basic cyber security for
organisations of all sizes.
It is likely that CE will become a mandatory requirement for the supply chain to many public and
private sector bodies: the Scottish Government’s Cyber Resilience for Scotland: public sector
action plan, and corresponding private sector action plan, reference this specifically.
https://www.gov.scot/publications/cyber-resilience-strategy-scotland-public-sector-action-plan-2017-18/
https://www.gov.scot/publications/private-sector-action-plan-cyber-resilience-2018-20/pages/3/
Cyber Essentials Scheme Overview
The Scheme Requirements Document focuses on Internet-originated attacks against an
organisation’s IT system. Many organisations will have particular additional services, e.g. web
applications, that will require additional and specific controls beyond those provided by Cyber
Essentials. Cyber Essentials concentrates on five key controls.

23
There are 5 Quick Steps in the National Cyber Security Centre guide for
small businesses to secure their information systems.
This is the overview of the first of these steps.
Slides 25-29 provide more detail on what is important to ensure you have
effective back-ups.

24
A back-up is a spare copy of your information that you can use if anything
goes wrong with the original or live version of your data. The first step is to
know what information you have and use, as well as knowing where that
information is normally kept.

Knowing this will allow you to keep a spare copy of it (backing up).

Also bear in mind that if information is updated regularly, how often do you
need to take back-ups to make sure your spare copy is sufficiently up to date?

25
This slide illustrates the best practice of how many copies to keep and where
to keep them to ensure that you are able to cope with the widest possible
range of risks to your information.

The risks can be from hackers, ransomware, technical failure (the computer
broke!!) or from external circumstances such as fire or flood.

26
Cloud Back-ups are easy and very flexible, as you personally never have to
actually hold any media that contains your data.

27
It is important to remember that backing up is not something you can set up
and then ignore. If you set back-ups up and then assume the task is complete,
over time those back-ups will become less and less useful, to the point where
business-critical information may no longer be being copied at all.

If something were to go wrong with your main systems at this point (e.g. a
hardware failure) you would have lost all that information – permanently.
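The point above (a back-up that nobody checks quietly stops being a back-up) and the earlier question of how often to take copies can both be turned into a routine check. The script below is an added example written for these notes, not part of the DigitalBoost material: it walks the live folder, confirms every file has a byte-for-byte identical copy in the backup folder, and flags copies older than a chosen limit. The folder paths and the 7-day limit are assumptions to be replaced with your own.

```powershell
# Added example, not part of the DigitalBoost notes: a weekly check that the
# spare copy still matches the live data and is recent enough. The folder
# paths and the 7-day limit are assumptions; change them to suit your business.

function Test-BackupCopy {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,   # live data, e.g. C:\Work
        [Parameter(Mandatory)] [string] $BackupFolder,   # spare copy, e.g. E:\Backup\Work
        [int] $MaxAgeDays = 7                            # how old a copy may be before it is "stale"
    )

    $root     = (Resolve-Path -LiteralPath $SourceFolder).Path.TrimEnd('\')
    $problems = @()

    foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse) {
        # Where the matching copy should be inside the backup folder.
        $relative = $file.FullName.Substring($root.Length).TrimStart('\')
        $copy     = Join-Path -Path $BackupFolder -ChildPath $relative

        if (-not (Test-Path -LiteralPath $copy)) {
            $problems += "MISSING  $relative - no copy in the backup at all"
            continue
        }

        # Content check: the copy must be byte-for-byte identical to the live file.
        $liveHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $copyHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($liveHash -ne $copyHash) {
            $problems += "DIFFERS  $relative - live file changed since it was last backed up"
        }

        # Freshness check: this is the "how often do you need to take back-ups?" question.
        $ageDays = ((Get-Date) - (Get-Item -LiteralPath $copy).LastWriteTime).TotalDays
        if ($ageDays -gt $MaxAgeDays) {
            $problems += ("STALE    {0} - backup copy is {1:N0} days old" -f $relative, $ageDays)
        }
    }

    # Returning the list (rather than only printing it) lets a scheduled task
    # e-mail it or write it to a log file.
    return $problems
}

# Usage (assumed paths): run weekly by hand, or from a scheduled task.
$report = Test-BackupCopy -SourceFolder 'C:\Work' -BackupFolder 'E:\Backup\Work' -MaxAgeDays 7
if (@($report).Count -eq 0) { 'OK: every file has a current, identical backup copy' } else { $report }
```

Any MISSING line is the "business critical information no longer being copied" case from the note; a DIFFERS or STALE line says the spare copy exists but is no longer up to date, which is the answer to the "how often" question for that file.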

28
Some more thoughts on back ups.

29
There are 5 Quick Steps in the National Cyber Security Centre guide for
small businesses to secure their information systems.
This is the overview of the second of these steps.
Slides 31-39 provide more detail on how to protect yourself from malware.

30
It may be worth noting that there is a DigitalBoost Coaching session that
goes into a great deal more detail on the subject of anti-virus tools and how to
get the most from the existing software.

31
A much overlooked subject is educating the users of your information
systems not to undertake inappropriate activity – this is not limited to
malicious or unsavoury website browsing, but can be as simple as readily
clicking on links in spam email.

The bad guys are always trying to exploit every vulnerability in your
organisation, and if your technical defences are well set up (like a
strong safe door on your bank vault) they will try to exploit the users by
getting them to help them break in (like convincing the bank manager that
they are allowed to gain access to that vault with the big safe door on the
front).

Your staff can not only help by avoiding harmful activity, but if they are
knowledgeable about what to look out for, they can act as extra eyes and
ears watching out for the signs that something might be about to go wrong
and stop it from happening.

32
It is important to remember to include your router and other attached
hardware – such as NAS drives – within the update checks, and to install
these as swiftly as the software running on the devices. Patches apply
equally to smartphones and tablets too.

33
It should be noted that non-Microsoft updates and upgrades do not
necessarily appear in the main notifications area of your computer shown
here.

Some do automatically notify when an update is available, but many do not,
and it is prudent to periodically check for updates individually through the
application when it is run.

34
Windows 10 now has the default setting of automatically updating the
software – normally this happens when the computer is switched off and on
again, but sometimes when it is a critical update it will try to force the user to
install and reboot as soon as possible.

Older versions of Windows still have the option to choose when to update.

It is wise to check these settings in all software and applications, not
forgetting anti-virus software settings and smartphones/tablets.
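A quick way to check the two things these notes ask about (is Windows itself up to date, and which non-Microsoft applications are behind), as an added example for these notes rather than anything from the DigitalBoost material: it reads the date of the most recent installed Windows update with Get-HotFix and, where the Windows Package Manager (winget) is present, lists installed apps with a newer version available. The 30-day limit is an assumption, and winget only ships on recent Windows 10 and Windows 11 builds.

```powershell
# Added example, not from the DigitalBoost notes: how long since Windows last
# installed a patch, and which installed apps have newer versions available.
# The 30-day threshold is an assumption; winget (Windows Package Manager) is
# only present on recent Windows 10/11 builds.

function Get-PatchAge {
    # Get-HotFix lists installed Windows updates; InstalledOn is empty for some entries.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    return [pscustomobject]@{
        HotFixID    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        DaysAgo     = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }
}

$patch = Get-PatchAge
if ($null -eq $patch) {
    Write-Warning 'No dated Windows updates found - check Windows Update manually.'
} elseif ($patch.DaysAgo -gt 30) {
    Write-Warning ('Last Windows update ({0}) was {1} days ago - run Windows Update.' -f $patch.HotFixID, $patch.DaysAgo)
} else {
    Write-Output ('Windows patched {0} days ago ({1}).' -f $patch.DaysAgo, $patch.HotFixID)
}

# Non-Microsoft software does not appear in the Windows notification area.
# winget can list installed applications that have a newer version available.
if (Get-Command winget -ErrorAction SilentlyContinue) {
    winget upgrade
} else {
    Write-Output "winget not available: open each application and use its own 'check for updates' option."
}
```

The router, NAS and mobile devices mentioned in the earlier note are not covered by this check; they have to be looked at through their own admin pages or settings screens.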

35
It should be considered mandatory to have your firewall switched on,
particularly if your device has access to the internet.

When it comes to the difference between public, private, and domain
networks, the default settings on these options are different, because you
need to be extra careful if you are accessing the internet via a local network
that is itself not trusted. You have to protect your machine against the
dangers that are on the web, but also the dangers that are on the machines
sharing the same local network as your own. Generally the firewall settings
are more restrictive for public networks.

It may be useful to explain that a firewall on an individual device controls the
communications traffic to and from that device. The device may be
connected to a local network, and that network is then connected to the
internet. The different network settings represent three different types of
network that a device may be logged on to.

N.B. A user may not see the option for a domain network, as this option will
only be visible if the user of the device is logging on to a network domain as a
domain user. This is normally the case when a domain has been set up by
an organisation to control the kinds of shared domain resources which any
given user is entitled to access, such as printers, scanners, or other users'
devices.

Note that there are two main types of firewall: host (as described above) on
the computer, and boundary – typically located in a router, or a dedicated
firewall device. Having both active is preferred.
The link takes you to a video on setting up a Windows 10 firewall.
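For anyone who prefers a check to a video, the script below is an added example for these notes (not DigitalBoost material) that reads the state of the three Windows firewall profiles described above with Get-NetFirewallProfile. A profile passes only if it is enabled and its default action for unsolicited inbound connections is not "Allow"; any profile that fails is switched on and set back to blocking inbound by default. It needs an elevated (administrator) PowerShell on Windows 8 or later, where the NetSecurity module is built in.

```powershell
# Added example, not from the DigitalBoost notes: confirm the Windows host
# firewall is on for the Domain, Private and Public profiles and blocks
# unsolicited inbound traffic by default. Run from an elevated PowerShell.

function Get-FirewallStatus {
    Get-NetFirewallProfile | ForEach-Object {
        # A profile is only "OK" if it is enabled AND drops inbound connections
        # nobody asked for. Blocking inbound is the normal default on all three.
        $ok = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -ne 'Allow')
        [pscustomobject]@{
            Profile        = $_.Name                 # Domain, Private, Public
            Enabled        = $_.Enabled
            InboundDefault = $_.DefaultInboundAction
            Status         = if ($ok) { 'OK' } else { 'FIX' }
        }
    }
}

$status = Get-FirewallStatus
$status | Format-Table -AutoSize

$broken = $status | Where-Object Status -eq 'FIX'
if ($broken) {
    # Turn the firewall on and restore the default of blocking unsolicited
    # inbound connections for every profile that needed fixing.
    $broken | ForEach-Object {
        Set-NetFirewallProfile -Name $_.Profile -Enabled True -DefaultInboundAction Block
    }
    Write-Output "Fixed profiles: $($broken.Profile -join ', ')"
} else {
    Write-Output 'Host firewall is on and blocking unsolicited inbound traffic on every profile.'
}
```

The Public profile is the one that matters on café or hotel Wi-Fi, which is the "local network that is itself not trusted" case in the note; the Domain row will show NotConfigured or be irrelevant on a machine that never joins a domain.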

38
Remind the audience that Apple devices also need to have firewalls and
anti-virus software operational: it is an urban myth that Apple devices are secure
or not a target of virus writers and hackers: whilst they are certainly less
susceptible, the threat to them remains real, too.

This slide shows how the firewall can be accessed through “System”, then
“Security and Privacy”, and selecting the “Firewall” option.

39
There are 5 Quick Steps in the National Cyber Security Centre guide for
small businesses to secure their information systems.
This is the overview of the third of these steps.
Slides 41-45 provide more detail on how to protect your mobile devices and
protect your organisation from the specific risks that the use of mobile devices
creates.

40
The most obvious risk from a mobile device is that it is used where other
people can gain access to it, and it might be accidentally left somewhere or
stolen from you. The first and most obvious line of defence is to make it hard
for someone who gets your phone to use it. They might be able to reset your
phone, but they will lose the data on the phone and therefore not be able to
get access to your business information. You might lose the phone, but you
will keep your business.

41
Before you write off the phone however, there are methods by which you can
track your phone, as it may genuinely be lost and not stolen, and getting it
back is the easiest way to recover from this loss.

42
As with desktop and laptop devices, mobile devices need to be updated to
make sure they are able to resist the latest threats and vulnerabilities the bad
guys are constantly working on.

43
Remember that the devices may appear just to be an access mechanism for
cloud based systems to be used by the browser on the phone, but remember
the browser is an app, and you will likely have many other apps
installed. Without being updated, these apps will create opportunities for the
bad guys to get what they want.

44
Mobile devices allow you to "connect" in different places. That connection
might be insecure. Let me rephrase that – THAT CONNECTION IS
INSECURE. If you are sharing a connection to the web with other people, it is
like they are in the same room as you and can overhear what you are saying.

VPN software creates a secure tunnel between your device and the device at
the other end, so that the people in the room with you cannot listen in to what
you are doing online.

45
There are 5 Quick Steps in the National Cyber Security Centre guide for
small businesses to secure their information systems.
This is the overview of the fourth of these steps.
Slides 47-54 provide more detail on how to make the most effective use of
passwords.

It should be noted that the subject of passwords and the technologies
associated with "authentication" (the process of proving to the system that
you are who you are and that you are allowed to do what you want to do) is
covered in a DigitalBoost Coaching Session.

46
Password protection (and the biometric equivalent) is available at various
places in your information systems, from first accessing a device, to
accessing a website or information system, or accessing an application, or
even a file or a folder.
If you do not switch it on, it cannot protect you.

47
What you know – 1 factor
What you know & what you possess – 2 factors

If the system requires you to demonstrate that you know something (user
name and password) and that you possess something (your mobile phone or
a specialist device), this makes it much harder for someone else to prove
"your / their" identity to the system.

2 Factor Authentication is becoming much more popular as it is significantly
more secure than even a complicated user name and password.

48
Even though 2 Factor authentication is better, it still depends on a good
password as one of those factors. Do not fall into bad password habits even
when using 2 Factor Authentication.
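If the audience asks what the "something you possess" actually is when the second factor is an authenticator app, the example below (added for these notes; not DigitalBoost material) shows it: at enrolment the website shares a secret with the app, and from then on both sides turn that secret plus the current time into the same six-digit code (the TOTP scheme of RFC 6238, HMAC-SHA1 with 30-second steps). The secret used here is the published RFC test-vector key, not a real account secret, and the self-check uses the RFC's own expected code.

```powershell
# Added example, not from the DigitalBoost notes: how an authenticator app
# turns a shared secret and the clock into the 6-digit code (RFC 6238 TOTP).
# The secret below is the RFC 6238 test-vector key, not a real account secret.

function Get-TotpCode {
    param(
        [byte[]] $Secret,                                                  # shared at enrolment
        [long]   $UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(), # "now" in seconds
        [int]    $StepSeconds = 30,
        [int]    $Digits = 6
    )
    # Both sides derive the same counter from the clock, so only the resulting
    # code is ever typed in; the secret itself never leaves the phone.
    [long]$counter = [math]::Floor($UnixTime / $StepSeconds)
    [byte[]]$msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }   # big-endian per RFC 4226

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)                                   # 20 bytes

    # Dynamic truncation: take 4 bytes at an offset chosen by the last nibble.
    $offset = $hash[19] -band 0x0F
    $bin = (($hash[$offset] -band 0x7F) -shl 24) -bor
           ($hash[$offset + 1] -shl 16) -bor
           ($hash[$offset + 2] -shl 8) -bor
           $hash[$offset + 3]
    $modulus = [long][math]::Pow(10, $Digits)
    return ($bin % $modulus).ToString().PadLeft($Digits, '0')
}

# Self-check against RFC 6238 / RFC 4226: secret "12345678901234567890",
# time 59 seconds (counter 1) must give 287082.
$testSecret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$actual = Get-TotpCode -Secret $testSecret -UnixTime 59
if ($actual -ne '287082') { throw "TOTP self-test failed: got $actual, expected 287082" }

# A website checks a login by recomputing the code for the current time step
# and refusing to accept the same code twice. A password on its own is not enough.
"Current code for the test secret: $(Get-TotpCode -Secret $testSecret)"
```

This is also why the next note still matters: the code proves possession of the phone, but the password is the other half, and a weak or reused one is still the easier half for someone else to obtain.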

49
When choosing a password manager it is important to remember that it is
only really useful if it can fit in with all your needs.
Does it only work in a browser?
Does it work with your locally installed apps?
Does it work on your desktop, laptop and mobile?
Does it accommodate 2 factor authentication as well?

51
It is just simple – ALWAYS CHANGE DEFAULT PASSWORDS – the bad
folks know the default passwords, so they might as well not be there at all.

52
Further information can be found about good password practice from the
NCSC at https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

53
The majority of people use very weak passwords and re-use them on
different websites. How are you supposed to use strong, unique passwords
on all the websites you use? The solution is a password manager.

Password managers store your login information for all the websites you use
and help you log into them automatically. They encrypt your password
database with a master password – the master password is the only one you
have to remember.

Some of them are free; others require a paid monthly or yearly subscription.

54
There are 5 Quick Steps in the National Cyber Security Centre guide for
small businesses to secure their information systems.
This is the overview of the fifth of these steps.
Slides 56-60 provide more detail on how to avoid being duped by scams.

This picks up on the theme that the users of your information system can be
a great vulnerability to be exploited, but they can also be a valuable defence
against the risks if properly informed as well as supported by technology and
organisational processes.

55
Settings on your devices and software can be adjusted to minimise the risk of attack
on your information systems. The process of planning and making sure these
settings prevent risks and allow your business to function effectively is secure
configuration.
It is good practice to ensure that you do not use an admin (administrator) user
account, as these are able to access and change all aspects of the device. If you are
logged on as an administrator and you are compromised by an attack, the device can
be reconfigured, software can be installed, and ALL the data on that PC is
compromised.
With a user account, there is limited access to the PC, software cannot be installed
(reducing the chances of an attack having an impact on your device) and if an attack
was to compromise the account, it would only be able to access the information
which was accessible by that user account. This would exclude any other user’s
information and information which was not shared with all users.
As a consequence, it is good practice to have an admin account which is used to
make changes to the configuration of a device and to install software, but for
everyday use, to have a standard user account.
For the DigitalBoost audience, which often includes people operating businesses
from home, it would be good advice to have an admin account for controlling all
aspects of a device, a user account for work activity, and another account or
accounts which would allow family and other users to use the device without the risk
of compromising the work account information.
Optional Video - https://www.youtube.com/watch?v=TpJh-om0rvI - How to create a
standard user account in Windows 10.
https://www.youtube.com/watch?v=_CgEf0DEzmg - This is another version of
adding and managing user accounts in Windows 10.
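The same separation of an admin account from an everyday standard account can be done from PowerShell, which is handy when setting up several machines. The script below is an added example for these notes, not DigitalBoost material: it reports whether the account you are logged on with is in the local Administrators group, creates a standard (non-admin) account if it does not already exist, and lists who is still an administrator afterwards. It assumes local accounts (Microsoft accounts appear under a different name in the group listing), needs an elevated PowerShell, and the account name 'work' is an assumption.

```powershell
# Added example, not from the DigitalBoost notes: check whether your everyday
# login is an administrator and create a separate standard account for work.
# Run from an elevated PowerShell on Windows 10/11 (LocalAccounts module).
# Assumes local accounts; the account name 'work' is an assumption.

function Test-CurrentUserIsAdmin {
    # Membership of the built-in Administrators group is what lets malware
    # running as you reconfigure the machine and install software.
    $me     = "$env:USERDOMAIN\$env:USERNAME"
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    return ($admins -contains $me)
}

function New-StandardWorkAccount {
    param([Parameter(Mandatory)] [string] $Name)

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Output "Account '$Name' already exists."
    } else {
        # Prompt for the password so it is never written into a script or shell history.
        $password = Read-Host -AsSecureString "Password for new account '$Name'"
        New-LocalUser -Name $Name -Password $password `
            -FullName 'Work (standard user)' `
            -Description 'Everyday work account - not an administrator' | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $Name   # standard user, NOT Administrators
        Write-Output "Created standard user '$Name'."
    }

    # Show who is still an administrator; ideally only the account kept for setup.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

if (Test-CurrentUserIsAdmin) {
    Write-Warning 'You are logged on as an administrator - keep this account for setup and installs only.'
}
New-StandardWorkAccount -Name 'work'
```

For the home-business audience described above, the same New-LocalUser call with a different name creates the separate family account, so that nothing done under it can reach the work account's files.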

56
There is a DigitalBoost Coaching session on the subject of how to identify
and avoid phishing scams if you wish to go into more detail on this particular
subject.

58
Some attacks you are legally obliged to report – such as attacks which result in
personal data being compromised to the extent that the Data Protection Act
2018 requires you to notify either the Information Commissioner's Office or
the Data Subject (see DigitalBoost Guidance on GDPR).
Some attacks are worth reporting, for example to the company they appear
to come from, or to the ISP or phone company, as they can help to take
steps to make these attacks less common in the future.
It is sometimes worth reporting attacks to the law enforcement
authorities, not merely in order to seek some form of criminal investigation
or redress, but to ensure there are accurate statistics about the scale of the
cyber security threat, so that future government policy might focus more on
solving it. (The public authorities cannot address what they don't know
about, so reporting attacks through official channels can be useful.) Do
consider the reputational implications of this, as many businesses who rely
on a reputation of reliability and security may not wish to disclose that they
have been attacked, much less that they have been successfully attacked.

59
It is easy to let slip information that can be used against you. Think twice
about what you divulge online.
Remember that with big data, just as Amazon and Facebook can cross-reference
information between different sources, the hackers can do exactly
the same.

60
This is a screen shot of the DigitalBoost home page

Please remember, the programme delivers free services, including:

• up to 21 hours of 1:1 specialist digital support – subject to your application
being authorised by a Business Gateway Adviser. You can apply by
calling your local Business Gateway office; contacts are on our web site
• workshops are all webinars at the moment – you just book your place on
our web site
• online guides and video tutorials on a wide range of digital topics

65
The Scottish Government has sponsored an interest free loan for businesses
to improve their digital capabilities.

See the web site for more details.

66
Don’t have your business ruined by random hackers!

Small businesses are MORE vulnerable: they are just as likely to be
attacked – it’s usually a random approach – and the impact is so much
WORSE when your data is corrupted/abused/deleted.

There are SIMPLE measures that reduce the risk and you can find a simple
guide at this website.

67