8 Most Common Cybersecurity Mistakes Journalists Should Avoid

Humans have a natural tendency to protect themselves from danger: pulling a hand away from a hot stove, avoiding dangerous places, or running from physical threats.

But we don’t have these instincts fully developed when it comes to the digital world.

“In the case of the internet, many times we’re doing things and we don’t have the slightest idea of the danger we’re facing out of pure ignorance,” Luis Assardo, a digital security trainer and investigative data journalist, told LatAm Journalism Review (LJR). “Especially in Latin America, we don’t have the necessary knowledge, so that skill or instinct hasn’t yet developed.”

Assardo will be the instructor for the new course, Digital Security for Journalists in Times of Crisis, offered by the Knight Center for Journalism in the Americas and the Global Investigative Journalism Network (GIJN). The course will be free and held online from July 7 to August 3.

In a conversation with LJR, Assardo listed the most common mistakes he sees journalists make that they should avoid to maintain their digital security. Risks will always be present, he said, but it’s important to identify them to mitigate them.

1. Using Wi-Fi in Public Places

Luis Assardo, a digital security trainer and investigative data journalist, will be the instructor for a new course offered by the Knight Center for Journalism in the Americas and GIJN. Image: GIJN

Latin America continues to see a digital divide. Some 28% percent of Latin Americans live in areas with low mobile broadband coverage, according to GSMA Intelligence. For this reason, Assardo said, journalists tend to take more risks and connect to public networks in restaurants, plazas, hotels, or airports.

Ideally, public networks should not be used, but if there is no other option, Assardo recommends using a VPN — a virtual private network that creates an encrypted connection between the device and a remote server, thereby masking the IP address and routing internet traffic through that server.

It’s also important to avoid online purchases while using an unknown Wi-Fi and, once internet use is complete, immediately delete the Wi-Fi connection from the device.

“Perhaps this is one of the biggest problems I find when I open any journalist’s Wi-Fi. I find hundreds of past Wi-Fi connections that are no longer useful,” Assardo said. “That way, anyone can know that you were at ‘Pepito’s’ restaurant and clone that Wi-Fi’s information.”

2. Not Protecting Data Privacy

In Latin American media, the use of WhatsApp is widespread, not only as a way for journalists to connect with audiences but also with sources.

WhatsApp uses end-to-end encryption, so only the original sender and the final recipient can see the message. However, the privacy practices of WhatsApp and its parent company, Meta, are concerning, according to the Electronic Frontier Foundation’s Surveillance Self-Defense (SSD) guide.

Assardo explains that there is a difference between security and privacy. And while WhatsApp is secure, it is not necessarily private since it is possible to know who you talked to even without having access to the conversation.

“Meta, Google, Amazon, and all the large technology empires are data brokers. What they seek is to obtain data because that is basically what they trade with; it is part of their business model,” Assardo said. “We cannot fully trust them.”

According to Assardo, newsrooms should ideally use other more secure applications such as Signal, Threema, Session, or Wire.

3. Ignoring Device Updates

Software updates are essential for maintaining the security and performance of devices and applications. Updates provide protection against cyber threats, improve the user experience, and ensure compatibility with other software and hardware.

Not updating leaves an open window for vulnerabilities.

“I have met journalists who have had a device for two or three years and have never updated it,” Assardo said. “You can have a very secure password, but if you never updated the software, any attacker could access the device, take whatever they want, do whatever they want, leave, and you would never even know it.”

4. Not Backing Up Data

One of a reporter’s jobs is to go out to gather information or travel for a story. In this process, especially in countries where security or freedom of expression are at stake, a journalist’s devices can be compromised by theft or review by authorities.

Assardo said that backing up — creating a security copy — is an easy solution that allows journalists to navigate threats and reduce the impact of vulnerabilities.

“How long will it take me to do a backup? One hour, okay, I’ll leave it [backing up] and go to lunch,” Assardo said. “There are solutions. We can plan things in advance, even if we don’t have many resources.”

5. Falling for Attackers’ Distractions

Online harassment is a phenomenon used in a coordinated manner against journalists and can include confrontations and smear campaigns on social media.

Assardo said these types of attacks are not only used as a form of discrediting but also to distract the journalist from other problems that may be happening in tandem, such as legal harassment, surveillance, or financial harassment. Therefore, it is important to avoid acting or responding impulsively to attackers.

“Today, attacks on journalists occur not only with online harassment but also with legal harassment,” Assardo said. “They may be filing one or more lawsuits and need the journalist to be distracted, hooked with a troll, and not talking to their lawyer or with the defense they will need for their legal issues.”

6. Indiscriminately Downloading or Clicking

Microsoft says phishing is a way of tricking internet users into revealing personal or financial information through an email or a website. A common phishing scam begins with an email that looks like an official notice from a trusted source, such as a bank or credit card company. In the email, recipients are directed to a fraudulent website where they are asked for personal information, such as an account number or password. This information is usually used for identity theft.

Phishing can also be used with the intention of infecting a device with malicious software. A journalist who falls victim to phishing can lose confidential information about reports or sources.

Assardo said journalists should also be careful when using USB drives given by sources on their devices, as they could have hidden malicious codes.

“In a newsroom, there should be a computer that is not connected to the internet and is only for downloading information in these types of situations,” Assardo said.

7. Writing Down Passwords on Paper

Post-it notes are one of the most feared objects by digital security experts. Some people are accustomed to writing down their passwords on paper and leaving them accessible to anyone.

For Assardo, having a password written down on paper is a resounding no.

“In these workshops, I always ask attendees if they know the key they use to enter their house by heart, if they could draw it from memory,” Assardo said. “Everyone tells me they couldn’t even recognize it. That happens because it is part of a keychain. What the journalist needs is their keychain, a password manager that efficiently allows them to enter any door they need to enter.”

There are free and paid password manager options. Some options are LastPass, 1Password, or NordPass.

8. Storing Sensitive Information with Large Technology Companies

Assardo’s last recommendation is to try not to keep sensitive information on platforms owned by large technology companies, since, although they offer data encryption, there is a higher probability the data will be compromised.

“Suppose I am doing an investigation about gang members, and there is very sensitive information there from some sources. I would never put it on the drive,” Assardo said. “What I would do is use other tools like Cryptee or Tresorit, where I can have the information encrypted, and no one else will have access.”

Assardo concluded by saying digital literacy and security are not just for the few — but that knowledge can be adapted to the context, levels, and resources that are available.

This story was originally published by the LatAm Journalism review and is republished here with permission.

Katherine Pennacchio is a Venezuelan journalist with a master’s degree in Investigative, Data, and Visualization Journalism from Unidad Editorial and the Rey Juan Carlos University of Madrid. Pennacchio is passionate about data analysis and currently works as a freelancer.