What is Digital Security?
Digital security is the set of practices, tools, and strategies used to protect people, devices, data, communications, and online activities from digital threats such as surveillance, censorship, targeted attacks, data theft, and unauthorized access.
This article serves as a primer for activists, journalists and nonprofits. It draws on years of knowledge and best practices developed within the digital rights community of practice, which has played a key role in creating security strategies and tools to support civil society.
As more of our daily lives move online, digital security plays an essential role in protecting privacy, safety, and freedom, and is essential for journalists, activists, and civil society organizations.
Digital security is not just a technical issue. It is about protecting people, sources, communities, and civil society in environments where adversarial entities weaponize technology to punish, repress, and silence dissent.
Learning digital security can feel daunting or intimidating—especially for people who do not come from technical backgrounds. The abundance of tools, jargon, and conflicting advice can make it difficult to know where to start or what actually matters.
✨ Why Digital Security Matters
Journalists, rights defenders, and members of civil society are often intentionally targeted because of their work. These threats may come from governments, private companies, political groups, employers, or coordinated online actors, with the intention of monitoring, surveilling, or collecting intelligence on a specific person, organization, network, action/work, or communication for the purpose of:
Intimidating or silencing individuals or communities. For example, the rise of transnational repression by authoritarian governments has silenced dissent in diaspora groups.
Disrupting or stopping actions, such as organizing efforts, or having a chilling effect on journalistic investigations
Controlling information, including the loss, manipulation, censorship, destruction, or unauthorized access of data. This has been a rising threat for civil society organizations, which hold a wealth of sensitive information, yet many lack the resources needed to maintain strong organizational security.
Coordinating punitive measures, such as targeted attacks, doxxing, harassment, targeted online abuse, or real-world consequences like legal action, arrests, or job loss
In some cases these pressures are also exerted on a target’s family or friend network. Civil society organizations are also increasingly exposed to financially motivated cybercrime, including attacks designed to coerce payment through extortion or ransom.
Digital threats can have serious and far-reaching consequences in the real world:
Journalists abandoning or delaying investigations out of fear of violence against themselves or their families
Members of minority groups being doxxed online for exercising their right to freedom of expression
Rights defenders having actions disrupted, monitored, or forcibly shut down, such as LGBTQAI+ activists in Jordan, or civil society in Hong Kong
Human rights demonstrators being identified through online information—such as social media activity—and then subjected to penalties or retaliation.
Sexual minorities being outed in countries where their identities are criminalized, exposing them to legal punishment, detention, or physical harm
The digital threats you face will depend on your context. However, common threats include phishing attacks, spyware and malware, doxxing and harassment, data breaches, surveillance and monitoring, and account hacking, among others. See below for a list of common digital threats.
👁️ Common Digital Security Threats
As technology evolves, so do the threats and strategies used by adversaries. The following list highlights some common digital threats, though it is not exhaustive.
Targeted attacks are deliberately aimed at specific high-interest people, organizations, or communities, and they often require intense planning and resources. They can quietly compromise accounts, expose networks, and create cascading harm across movements and organizations—not just for the individual but for their broader network. They often combine multiple strategies listed below.
Phishing & Social Engineering
Phishing and social engineering are the most common ways accounts are compromised—especially during campaigns, crises, or events. Messages, usually sent via email, SMS, WhatsApp, DMs, etc., are crafted to trick the targeted user into revealing passwords, clicking malicious links, or installing malware. Example: you receive a fake “account warning” or a message pretending to be from a colleague or funder, prompting you to click on a link that results in the downloading of malware.
Phone Monitoring
Tracking or monitoring of mobile phones is used to collect information such as location, communications, contacts, or device activity. By design, mobile phones can show a lot of our personal information without our consent. Phones are deeply embedded in daily life, so monitoring can reveal movements, networks, and patterns of behavior, creating risks for personal, organizational, and physical safety. For example, a government may request that phone providers share data to track an individual’s movements, revealing their home location or their attendance at a sensitive meeting. Additionally, through the installation of malware or spyware, messages and calls can also be read or heard.
Account Takeovers and Data Breaches / Leaks
Unauthorized access to our email, social media, cloud storage, or messaging accounts can expose our contacts, sensitive conversations, documents, and internal plans. This exposed data can put our entire network at risk, such as our sources, colleagues, community members, and partners.
Malware & Spyware
Through the unauthorized installation of malicious software, bad actors can monitor activity, steal data, or take control of devices. This can occur through deceptive actions, such as downloading a fake app, or using an infected USB drive—and in some cases, without any direct action from the target.
Doxxing, Harassment, and Online Abuse
Bad actors can publish private or identifying information online without an individual’s consent. This can lead to harassment, online abuse, physical threats, and the targeting of the individual’s family members and wider communities. Coordinated harassment campaigns, threats, impersonation, and disinformation attacks can have a chilling effect on freedom of expression, often forcing individuals to self-censor or withdraw from public participation.
Platform Risks
Dependence on commercial platforms can introduce serious risks. Platforms may censor content, cooperate with authorities, shadowban (limit visibility without notifying the user) accounts or specific types of information, or suspend accounts—actions that can erase years of work and disconnect communities. Additionally, social media can be used to “discover” people engaging in specific types of activism or work.
Data Aggregation & Profiling
Data aggregation involves collecting and combining information from multiple sources to build detailed profiles of individuals or organizations. These profiles can be used to predict behavior, target attacks, or justify surveillance and repression. As an example, an authoritarian actor combines public social media activity, leaked databases, and travel records to map a community organizer’s network.
Distributed Denial of Service (DDoS) Attacks
A DDoS attack overwhelms a website or online service with traffic, causing it to slow down or become unavailable. These attacks can disrupt communications, block access to critical information, and silence organizations during key moments such as campaigns, elections, or breaking news. For example, a human rights organization’s website may be flooded with traffic and taken offline during a major advocacy campaign.
Surveillance via Internet of Things (IoT) Devices
Home smart devices (cameras, microphones, wearables), and public cameras and devices in “smart cities,” can be exploited to monitor people without their knowledge. They can reveal private spaces, routines, conversations, or movements. As an example, a malicious actor might hack into a smart home device to record a target’s conversations.
Disinformation & Manipulation
Disinformation refers to false or misleading information that is intentionally created and spread to confuse, discredit, or manipulate a target audience. It can undermine trust, isolate individuals from their communities, and create reputational harm. As an example, fake social media posts may portray a journalist as biased or corrupt to reduce their credibility.
Physical–Digital Overlap
Holistic security recognizes that digital security and physical security are inseparable. Digital threats can lead to offline harm, including arrests, raids, and even physical violence.
🔐 Digital Security Practices and Culture
When individuals start their digital security journey, their instinct is often to research manuals or tools. While this seems helpful, it can actually be overwhelming, counterproductive, and in some cases, harmful. Here are some tips that will help you better understand how to navigate the wealth of information.
“Tech is not the path to security. Security comes from the way that you live your life, not the tools. The tools are simply enablers.” --thegrugq
🍃 Focus on a Security Mindset Before Tools
Security tools and approaches will change as threats and adversaries evolve. Early on, the most important step is to develop a security mindset rather than finding the “perfect” tool. Cultivating a security mindset takes time—it involves shifting how you analyze your environment and gradually changing daily habits. For example, curbing the instinct to share personal updates on social media, and instead using alternative ways to stay in touch with loved ones, can be a small but meaningful first step.
🍃 Understand Your Context
Security tools and approaches evolve as the threats and strategies used by adversaries change. In addition, threats are highly contextual - a journalist in Mexico may face very different risks than a Dalit woman in India.
Understanding your own context helps you identify the most realistic threats you face and decide where to focus your time, energy, and resources. This includes considering:
Where you live and work
The issues you organize or report on
Who may want access to your information
Your visibility and public profile
Your available time, resources and skills - implementing security requires both time and money.
🍃 Be Highly Selective With Resources
Not all digital security manuals or tools are created equal. Even well-intentioned organizations may struggle to keep guides updated, and in worst-case scenarios a guide reflects a threat landscape from years ago that no longer applies.
There is no formal educational path in the emerging field of digital rights/security, so advice from one expert or organization may differ widely from another. Additionally, some manuals are written for specific contexts that may not reflect your own.
🍃 Expect Emotional Reactions
It’s normal to feel overwhelmed, frozen, or anxious when you start recognizing how exposed you are. These feelings are natural, and they don’t mean you’re failing. The more you learn to anticipate threats and adjust your habits, the more empowered and in control you will feel.
🍃 There is No Formula to Be 100% Secure and Safe
The technological world has so many variables, and each person has vulnerabilities unique to them, that it is impossible to account for every risk or threat.
The best solution would be to never be online, never share information, and never touch devices like phones - however, not even this is foolproof. For example, family and friends might share information about you online; if you purchase a home, your address may be listed online via public records, and other data about your life may exist outside your control.
🍃 Your Network Can Be Both Your Greatest Asset and Your Greatest Vulnerability
A community is often only as secure as its weakest link. For example, even if you follow best practices, your personal information could be exposed if someone in your network inadvertently shares sensitive data or leaves a shared database or virtual space unsecured. At the same time, learning to understand risks, identify vulnerabilities, and develop effective security practices is most effective when done collectively.
Working with your network—whether colleagues, fellow rights defenders, or trusted community members—helps ensure that everyone benefits from shared knowledge and protective measures.
🍃 Threat Modeling Should Be Your First Step
Digital security is an ongoing process. Threats change. Tools evolve. Political and social contexts shift. Digital security is not a one-time task, but an ongoing, continuous process of:
Identifying risks
Choosing proportionate responses
Learning from incidents
Adjusting practices over time
Your first step should be creating—and regularly updating—a threat model for yourself, your organization, and/or your community. This involves identifying potential threats, assessing how likely they are, evaluating the potential impact if they occur, and determining steps to prevent or mitigate them. It also helps you understand where to best invest your time and resources.
Importantly, starting small and building habits gradually is often more sustainable than trying to secure everything at once.
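One way to put the threat-modeling steps above on paper, as an added example that is not part of the original article: it scores each threat as likelihood × impact (a common convention, not a method this article prescribes), then picks the habits that remove the most risk per hour within a fixed time budget. All scores, hours, and reduction fractions are constructed sample values, and the assumption that reductions multiply is a simplification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) to 5 (expected), your own estimate
    impact: int      # 1 (minor) to 5 (severe), your own estimate

@dataclass(frozen=True)
class Mitigation:
    name: str
    hours: float     # time needed to adopt the habit (must be > 0)
    reduces: tuple   # ((threat name, fraction of likelihood removed), ...)

def residual_risk(threat, applied):
    """Likelihood x impact, scaled down by each applied mitigation.
    Assumption: reductions from different mitigations multiply."""
    remaining = 1.0
    for m in applied:
        remaining *= 1.0 - dict(m.reduces).get(threat.name, 0.0)
    return threat.likelihood * threat.impact * remaining

def total_risk(threats, applied=()):
    return sum(residual_risk(t, applied) for t in threats)

def rank(threats):
    """Threats ordered from highest to lowest unmitigated risk."""
    return sorted(threats, key=lambda t: t.likelihood * t.impact, reverse=True)

def plan(threats, mitigations, budget_hours):
    """Greedy plan: keep taking the affordable habit that removes the most
    risk per hour, until nothing else fits in the time budget."""
    chosen, left = [], budget_hours
    while True:
        base, best, best_ratio = total_risk(threats, chosen), None, 0.0
        for m in mitigations:
            if m in chosen or m.hours > left:
                continue
            ratio = (base - total_risk(threats, chosen + [m])) / m.hours
            if ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            return chosen
        chosen.append(best)
        left -= best.hours

# Constructed sample values for illustration only; replace with your own.
THREATS = [
    Threat("Phishing", 4, 4),
    Threat("Account takeover", 3, 5),
    Threat("Malware and spyware", 2, 5),
    Threat("Doxxing", 3, 4),
]
MITIGATIONS = [
    Mitigation("Two-factor authentication", 1, (("Account takeover", 0.6), ("Phishing", 0.25))),
    Mitigation("Password manager and unique passphrases", 2, (("Account takeover", 0.5),)),
    Mitigation("Keep devices and software updated", 1, (("Malware and spyware", 0.5),)),
    Mitigation("Review what you share publicly", 4, (("Doxxing", 0.5),)),
]

if __name__ == "__main__":
    for t in rank(THREATS):
        print(f"{t.likelihood * t.impact:>3}  {t.name}")
    picked = plan(THREATS, MITIGATIONS, budget_hours=4)
    print([m.name for m in picked], total_risk(THREATS, picked))
```

With a four-hour budget the sample plan leaves doxxing untouched because its only mitigation does not fit; re-running the plan as your estimates and available time change is the "regularly updating" part of the process.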
🍃 Technology Tools and Services
Who controls the tools, services, or platforms you use also controls access to your information. There is often no guarantee that their promises will be upheld, or that your data will not be shared with third parties. Keep the following in mind when choosing tools, services, or platforms:
🧩 Self-Hosted Open Source Tools
Self-hosted open source tools can offer greater security for several reasons, such as allowing you to have direct control over who uses the tool and who has access to the data it generates. Additionally, open source software makes the underlying code available for review, allowing you to check for unwanted features or potential backdoors—a hidden method of accessing a system that bypasses normal security protections.
Despite these benefits, self-hosted open source tools also come with risks. Running a server requires ongoing technical work, maintenance, and resources that may be difficult for low-resourced organizations to sustain. In some cases, relying on very trusted hosting providers may be a more practical option. Here are additional tips to keep in mind:
🔐 Download Apps and Tools From Trusted Sources
Only download software from official websites or other trusted sources to reduce the risk of malware or tampered versions.
There have been cases where adversaries make copies of trusted tools and services, inject them with harmful code, and post them online on websites that look official.
🔒 Encryption Matters—But Know the Type
Encryption can protect your communications and data, but not all encryption is equal. Some protocols offer stronger protection than others, so it’s important to understand what level of encryption a tool provides.
⚖️ Be Realistic
Security practices that people cannot maintain, or tools and services that are not being used, are useless.
♾️ Examples of Digital Security Habits
The following are only examples of habits or approaches you may take when implementing digital security on a daily basis:
Using strong, unique passphrases, enabling two-factor authentication, and using a password manager. (Note: a passphrase is a longer password that is more secure, easier to remember, and harder to crack.)
Encrypting your computer and devices and password-protecting them
Keeping devices and software updated
Being cautious with links, attachments, and downloads that may contain harmful code such as spyware
Choosing communication tools based on risk, not convenience alone
Thinking carefully about what information you share, with whom, and where
Even successfully adopting one of these examples can reduce your exposure to threats.
💻 Digital Security vs. Cybersecurity
While related, these two areas are not the same, though the differences are not always clear-cut. Cybersecurity was mostly developed to protect systems, networks, and infrastructure within corporate or government settings. Digital security generally focuses on developing strategies, tools and educational models that respond to the specific security needs of rights defenders, journalists, and civil society.
The emerging digital rights field often faces severe funding shortages and direct attacks, like any other rights-focused space. For this reason, it’s important to look for digital security manuals and tools that are being actively maintained, as threats, landscapes, and best practices change over time.
🌱 Resources and Tools to Improve your Digital Security
Digital security is about agency—the ability to make informed decisions about technology in environments that are not neutral. Digital security helps protect not only individual safety, but also sources, communities, and the work itself. Learning digital security is not about fear. It is about resilience. To get you started, we recommend the following resources:
The Electronic Frontier Foundation’s tools, especially its Surveillance Self-Defense toolkit, which is designed to help individuals defend themselves from surveillance by using secure technology and developing careful practices.
Ford’s Cybersecurity Assessment tool is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts.
Check out TCU’s Digital Rights and Security primers, geared towards activists, journalists, defenders, and civil society.
Frequently Asked Questions about Digital Security
What is digital security in simple terms?
Digital security refers to the practices, tools, and behaviors used to protect devices, online accounts, communications, and personal information from digital threats such as hacking, surveillance, phishing, and data breaches. It helps individuals and organizations stay safe while using the internet and digital technologies.
Who needs digital security?
Everyone who uses digital technologies can benefit from digital security practices. However, it is especially important for the following groups, as they may face higher risks of surveillance, hacking, or targeted harassment:
Journalists
Activists
Rights defenders
Civil society organizations
Researchers
Is digital security only for people at high risk?
No. Everyone can benefit from having digital security skills and practices. In everyday life, citizens are exposed to risks such as data misuse, account compromise and harassment, among others. Educating ourselves - and our family and friends - is a responsible step, given how much of our lives is conducted online.
Why is digital security important?
Digital security is important because many aspects of daily life now happen online, including communication, financial transactions, and data storage. Without proper security practices, individuals and organizations risk losing sensitive information, having accounts compromised, or being targeted by online harassment and surveillance.
Can digital security guarantee complete protection?
No digital security practice can guarantee complete protection from all threats. However, understanding your threat model and adopting strong security habits and processes can significantly reduce risks and help individuals respond effectively to digital threats.

