Posted: July 8, 2015 | Tags: Workshop news
Icon by Sydney Ling, IRW
Cybersecurity is a bit of a balancing act. Employ too many tools, and you could end up with complicated workflows that make you more susceptible to unwanted attention. Do nothing and you could put yourself, or your sources, at risk.
To better understand this balancing act, I attended a cybersecurity training session offered at the National Press Club recently. Below I’ll share some key takeaways and easy steps we can all take to be more secure.
Know what you have
The first step on the path to cybersecurity: Stop and think about what information you have and what would happen if you were to lose it. Every assignment has different circumstances. This means not every assignment warrants the full-throttle cybersecurity measures that other, more complicated stories may require. Your story on a school district’s high use of suspension among minority students may not need a burner phone, but you could keep files containing confidential student information secure by encrypting them.
Be aware of what you have (whether it be interviews, contact lists, documents or photos) so you are better equipped to protect it. This exercise can also help you realize that as journalists, we regularly handle information, some of it classified. If you’re not doing anything to protect it, perhaps it’s time to reconsider.
Keep it safe but keep it simple
Do you keep a note document stored on your iPhone with all of your important passwords and usernames? If so, don’t. Passwords are highly valuable entry points into your personal information. You need to ensure they’re strong.
Instead of mixing random characters into a seemingly common word ($ for an S, 3 for an E, otherwise known as leetspeak), consider using a passphrase. Think of the answer to an easy-to-remember question that only you would know. For example, one question could be “What did you do on your birthday?” You could then come up with your specific answer, with special characters or an unusual word thrown in to make it even more difficult to crack. The longer the better.
Aaron Rinehart, cybersecurity expert and training leader for the session, strongly recommended using a password manager such as KeePass. The goal here is to not even bother to remember your passwords, but rather have the manager store them for you to use when needed. You can also randomly generate strong passwords of the maximum character length allowed per site or account. You wouldn’t even know what the password is. You can set up reminders to change your passwords (Rinehart advises at least every 90 days).
Rinehart also recommended using anti-malware and antivirus software to keep your computer secure from attacks. For Gmail users, consider setting up two-step verification. When you log into your account, you’ll enter your password and a code that will be texted to your cellphone. You can choose not to require two-step verification on certain computers, so you won’t have to take the extra step every time you log into your main computer.
Your phone, your lifeline
Our phones have become an extension of ourselves, as well as a key reporting tool. Therefore, they should be treated as such. Instead of using a four-digit PIN, opt for a longer password as you would for another account. If possible, encrypt your phone through your phone’s security settings. Be aware of the information stored on your phone, whether it’s recorded interviews, texts and emails with sources or photos. How do you back up this information in case you lose it? What would you do if someone accessed your information? As I mentioned before, evaluate your needs on a case-by-case basis. This may include setting up remote-erasing functions for your iPhone in case it gets lost.
If you’re conducting a highly sensitive interview on your cellphone, apps like Signal (iOS) or RedPhone (Android) make private, encrypted calls as long as both parties have either app installed. That means if you’re on an Android, you can make a secure call to someone on an iPhone. You can also use TextSecure (Android) or Signal to send encrypted text messages. Always download apps from verified app stores and don’t use apps from third-party vendors.
It’s also advised to turn off the location on your phone (a multitude of apps can access it) and to be careful when using public WiFi. As Rinehart said, “You don’t know where it’s been.”
Along with the digital, don’t forget traditional
Digital security isn’t completely foolproof. Sometimes the best way to keep you, your data and your sources secure is to forgo the digital route and instead rely on more traditional methods. Burner phones, highly secure browsers and encrypted phone calls are much more effective if you know how to use each method properly. Rather than using something complicated incorrectly, opt for in-person interviews or document exchanges. If you don’t know what you’re doing, you could be attracting more attention to yourself by standing out from the masses.
Cybersecurity is an incredibly complex, ever-changing field. Before jumping ahead to complicated procedures that will make your life more difficult, do an assessment of what you have and what needs protecting. Build up to more secure processes by getting started with the tips I mentioned above. Also, there are plenty of resources out there for when you’re ready to wade into the deep end of digital security:
- Electronic Frontier Foundation: primers and overviews on how to use secure software
- Committee to Protect Journalists: technology security section on how to plan for safety and protect your data
Don’t consider cybersecurity a faucet that only gets turned on for particular stories. Rather, consider this a build-up for the big story that does require an extreme use of caution. That way, you’ll be ahead of the game.