If someone points a gun at you, your brain recognises the danger instantly and your body reacts — ducking, running, freezing. The trouble with digital threats is that they tend to arrive without obvious warning, and the default response is often to do nothing at all.
“There is a disconnect between the digital skills and the digital knowledge that someone can have from the physical aspect,” online security specialist Luis Assardo said at a recent workshop for IJ4EU grantees. “In our digital life, there is no instinct developed, and there is zero experience.”
Assardo, a Berlin-based open-source intelligence (OSINT) researcher and disinformation investigator who trains journalists for Reporters Without Borders and other groups, teaches from an unusual vantage point: that of the attacker.
His central message was that safety begins not with software but with an honest inventory of what a journalist stands to lose. Here are some of his top tips.
Know what you are protecting
Assardo urged journalists to list their assets — email accounts, cloud drives, devices, contacts and source material — and rank them by sensitivity, because this is the same inventory an adversary may try to exploit.
He calls it a menu. The danger, he warned, is concentration: Most people pile their most sensitive material into a single phone or drive. Once that is breached, the exposure is total and irreversible. Backups protect access, not secrecy. Whatever leaks, leaks for good.
Plan for your devices, not just your trip
Journalists plan holidays in obsessive detail, but rarely plan what happens to their phones at a hostile border, Assardo said. His own solution is a near-empty travel handset.
“This is my personal phone and I have a working phone. So if I’m going to travel for working purposes, I will just take the working phone” — a device carrying little more than tourist photos. Any phone taken out of his sight, he added, he treats as compromised and replaces.
Profile the attacker
A crude extortion email demanding money with no proof is a scam to be ignored, Assardo said. But a message containing a photograph of a reporter meeting a source signals something far more serious. Such threats reveal that the adversary is watching in person.
“The threat actor is close to you. It’s not a teenager in the other part of the world asking for money.”
You cannot defend against a threat you have not identified — and without profiling, journalists either underreact or tip into paranoia, he said.
Assume your wifi can be cloned
In a striking demonstration, Assardo showed how a phone’s habit of silently reconnecting to saved networks can be turned against its owner.
Using a widely available tool, an attacker who has followed a target can clone a previously used network, rebroadcast it, and quietly intercept unencrypted traffic — email, messages, banking sessions — while supplying working internet so nothing seems amiss.
His advice: Delete old saved networks, enable “ask before joining” settings, and be alert when a network from a distant country you once visited suddenly appears nearby. Mobile data, he cautioned, is not immune either.
Stop memorising passwords
Assardo likened passwords to house keys: Nobody can draw the exact shape of their own key from memory, yet it opens the door every day. Passwords should work the same way — long, unique, random, and managed by a tool rather than the mind.
He favours the open-source, locally stored KeePassXC, uses browser integration for one-click logins, and warns that reusing a single password lets one breach cascade across banking, social media, and other accounts.
To demonstrate the stakes, he displayed his own genuine passwords from years ago, pulled from data breaches via OSINT platforms — a reminder, he said, that the same tools journalists use for research can be turned against them.
Keep a standing date with your devices
No single fix exists, Assardo warned — the aim is to stack protections: encryption, backups in multiple locations, hardware-based multi-factor authentication and passkeys rather than easily intercepted SMS codes, and stored recovery codes.
He rounds it off with a weekly ritual he only half-jokingly calls a “date with his devices”: clearing out unneeded files, backing up, and installing updates to close the window attackers exploit between a vulnerability’s disclosure and its patch.
Useful resources
URLscan: Check suspicious links before opening them.
VirusTotal: Scan suspicious files or links before opening them.
Have I Been Pwned: Check if your email address has appeared in a data breach.
Secure Messaging Apps: Compare the security of different messaging apps.
KeePassXC: A free, open-source password manager that can store passwords safely and auto-fill them for you.
CVE: An online catalogue of publicly disclosed cybersecurity vulnerabilities.
VeraCrypt: Free, open-source disk encryption software.
CryptPad: Provides a full-fledged office suite with tools for secure collaboration, including rich text, spreadsheets, code/markdown, kanban boards, slides, whiteboards and forms. No email is needed.
Nextcloud: An open-source content-collaboration platform.
Tresorit: Secure file exchange and collaboration. It is not free, but is highly regarded.
Tella: A tool for documenting and protecting sensitive material, including by sending it to platforms such as Uwazi rather than leaving it only on your phone. It can be a lifesaver if, for example, a journalist is detained: quick-delete features can help protect sensitive files.
Shira: Take the Shira quiz to practise identifying phishing attacks on email and messaging apps.
Wireshark: A free, open-source network protocol analyser that helps inspect network traffic for leaks.