
Editor’s Note: The Knight Science Journalism Program has often found that the best resource we can offer science journalists is the opportunity to learn from each other. This piece is the first in an intermittent series written by former Knight Science Journalism Fellows sharing their expertise for the benefit of others in the field.
In recent months, an alarming number of journalists and activists have been stopped at borders, pressured to hand over their devices, or subjected to other forms of surveillance. Some have faced heightened scrutiny from state actors eager to access their data. Increasingly, governments and spies want to know what journalists are working on, who their sources are, and what stories they are uncovering. That’s why it’s more important than ever that we journalists take digital security seriously. Protecting our data isn’t just about personal privacy, it is about protecting the very foundation of democracy.
Protecting yourself also protects those around you. If an attacker compromises your email, for example, they can send convincing phishing emails to your colleagues. Hackers who gain access to an account within a major media organization can often move deeper into the system, potentially spying on colleagues and causing even more widespread harm.
The good news is that you don’t need to be a cybersecurity expert to protect yourself. Even a few simple, practical steps can make a huge difference. Good security isn’t about perfection. You don’t have to master technical jargon or adhere to long lists of security measures. I’ve been researching cybercrime for many years. Based on that experience, here are seven practical and realistic tips that can deliver a lot of protection with minimal effort. Want to go deeper? Look at one of the many resources linked in this article to delve into the details of digital security and learn even more ways to protect yourself.
1. Keep Your Device Lean and Up to Date
One of the simplest but most crucial rules is: Keep everything updated. When a company such as Microsoft or Apple releases a security patch for an app or parts of the operating system, the accompanying notes will typically explain vulnerabilities in the previous versions of the software. As a result, attackers know exactly which vulnerabilities they can target in outdated systems. I know of at least one major institution that fell victim to ransomware simply because they were a few minutes too slow to update a vulnerability in their operating system.
The next rule follows naturally: The fewer apps and programs you have, the fewer vulnerabilities you’re likely to have on your device. Every additional piece of software is a potential weak spot, so uninstall what you don’t need.

2. Use Secure Authentication
Passwords should be long — ideally, a full sentence. This makes them significantly harder to crack using raw computing power. If the system allows, write out an entire phrase. Always use a unique password for every service. A password manager can help.
Even more important is two-factor authentication, or 2FA. Yes, it’s an extra step, but using an authenticator app like FreeOTP or Google Authenticator makes it exponentially harder for attackers to take over your accounts.
3. Be Cautious with Emails and Attachments
Emails are still one of the easiest ways to get hacked. Just because an email appears to be from a trusted source doesn’t mean it actually is. Even if the sender’s address is an exact match, be cautious with attachments. Avoid clicking on links in unsolicited emails, and if a website asks you to enter your credentials, double-check the URL carefully — attackers often create fake login pages to steal passwords. When in doubt, I often verify a message’s authenticity with the sender through another communication channel, such as Signal.
If an attachment isn’t sensitive — a press release, for example — I sometimes upload it to VirusTotal, a Google-owned service that scans files with multiple antivirus programs. You can also paste links for them to check. But be careful — anything you upload to VirusTotal is accessible to others, including security firms, intelligence agencies, and all other paying customers of VirusTotal, who could theoretically read the documents.
4. Use Secure Messengers (and Reduce Email Dependence)
Email encryption is complicated, and most people don’t use it. That’s why I rely more and more on encrypted messengers like Signal and Threema. They offer end-to-end encryption by default, and you don’t even need a phone number to register.
I also publish my Signal and Threema ID to make it easy for sources to reach me securely. This reduces reliance on email, which remains a high-risk tool. However, it is important to note that one major vulnerability of these apps is the people using them. For example, the usernames are not restricted, which means that if a high-ranking government official suddenly writes to you, it could be a scam — or a mistake on the part of the official, as in the case of Atlantic Editor Jeffrey Goldberg and then-National Security Advisor Michael Waltz. In addition, if attackers have infiltrated the smartphone hosting the app, they can intercept all communications. This is why particularly secure, controlled devices are usually used for highly sensitive communications, ideally in a tap-proof environment.
5. Avoid Public Wi-Fi (or Use a VPN)

Public Wi-Fi is risky, no matter how legitimate it looks. Attackers can easily create fake networks that look like “Free Airport Wi-Fi” or “Starbucks Guest Wi-Fi.” Connecting to one could give them access to your surfing data.
I personally use mobile data whenever possible. A large data plan (e.g., 30 GB per month) allows me to avoid public Wi-Fi entirely, even for video calls. If you must use public Wi-Fi, don’t let your device automatically connect to networks, enable “hide my device” mode, and use a trusted VPN (in my case Mullvad) to encrypt your traffic.
6. Protect Your Devices Physically
Digital security measures are essential, but physical access to your devices can undermine even the best defenses. In trains and other public spaces, I use a privacy screen to prevent shoulder-surfing. When I stay in hotels, I almost never leave my laptop in the room, to minimize the chances of someone gaining unauthorized access. If I must leave my laptop, I place a cable or other object in a specific position on the device and take a photo before I leave. When I return, I compare the scene to my photo to check if anything has been moved. Simple precautions like this can help you notice if someone has tried to access your equipment.
7. Turn Off Your Phone Regularly
In a typical attack, the malware that gives the attacker access to the phone operates in a device’s temporary memory, and if the victim restarts the phone, the attacker will lose access. Of course, this won’t stop the most advanced attacks, like so-called zero-click exploits, which don’t require any action from the target, such as clicking a link or opening an attachment, because the attacker can easily re-infect the phone after it’s rebooted. However, more sophisticated attacks are much more expensive to carry out, which makes them less likely.
If you will be crossing a border, that is another reason to shut off your phone. Just because your phone is locked, that doesn’t mean your data is encrypted. At border crossings, authorities often have tools to extract data. However, if your phone is switched off, the data is encrypted and harder to access with these forensic tools. It’s worth noting that authorities can still try to make you enter the passcode. Non-US citizens can be denied entry at US borders if they refuse to comply with requests to unlock phones or provide passwords, even without a warrant. Nevertheless, the Electronic Frontier Foundation recommends that travelers power off their devices and disable biometric unlocking methods before crossing the U.S. border to better protect their data from warrantless searches. The EFF offers various travel and pocket guides to help individuals safeguard their digital privacy when crossing international borders.
One Last Thought: Stay Vigilant, But Don’t Panic
When dealing with security, it’s easy to become paranoid, or worse, overwhelmed, which is especially dangerous because feeling powerless leads to inaction.
There is no absolute security. But if you follow these steps, you are already far ahead of most targets. And always trust your instincts — if something seems off, investigate. Organizations like Citizen Lab, Amnesty International’s Security Lab, and Reporters Without Borders help journalists and media organizations targeted by digital threats. The goal of this article is to highlight the key steps that can significantly improve your digital security. While this guide is designed for everyday use, those in high-risk or conflict situations may want to seek out more specialized advice tailored to their needs. So most importantly: Don’t hesitate to ask for help.

More Cyber Security Guides for Journalists
Freedom Press Foundation: The 2025 Journalist’s Digital Security Checklist
Reporters Without Borders Helpdesk: Digital Security Guides
Global Investigative Journalism Network: Introduction to Digital Security
Center for News, Technology & Innovation: Journalists & Cyber Threats
ACOS (A Culture Of Safety Alliance): Digital Security Resource
Eva Wolfangel (KSJ ’20) is based in Germany.