Safety & Cyber Security: 8 Tips for Civil Society Digital Defense

The month of October is officially declared as CyberSecurityAwarenessMonth, and the digital age has ushered in a new era of human rights activism, journalism, and social justice. But it has also introduced new risks, such as hacking and surveillance. The ability to produce, share and disseminate information has empowered social movements in many countries to demand basic human rights. But it has also facilitated efforts by authoritarian regimes and the private sector to monitor citizens—such as using sophisticated facial recognition software—and identify those who pose a threat. For digital rights to be upheld, digital activists must develop strategies to protect their online presence from surveillance and hacking.

This guide provides some basic cyber security tips to help vulnerable internet users protect themselves online. It is intended for those who are not experts in the field but may be at risk because of their work. The 8 tips below will give you some basic knowledge and insight on what to do next.

1. Avoid Spear Phishing and Advanced Persistent Threats (APT) Attacks

Recent studies have found a surprisingly high number of journalists, human rights defenders, and activists who have experienced cyberattacks. Most of these attacks targeted those who received phishing emails and email attachments. These individuals are often targets because of the information they possess or distribute and their popularity. One needs to differentiate between authentic email addresses and authentic email. Remember that hackers can send you an email from your trustworthy friend or colleague through spoofing techniques, and victims mostly trust the mail content and perform action communicated as the email address is real. At the same time, it is been spoofed by hackers.

Recently researchers discovered an APT group based in China, tracked as TA412 or Zirconium, targeting U.S.-based journalists largely using spear phishing attacks.

Fake domains are another challenge in Spear phishing attacks where victims cant see a minor difference. e.g, and look the same, but one is google with small “l” while the other is with a capital “i.” The same Turkish alphabets (Ç, Ş, Ğ, I, İ, Ö, Ü) are used to create fake URLs that look trustworthy to victims who are unaware of technicalities. Make sure you read and confirm the URL you click via your emails or messages.

2. Safe Browsing and Social Engineering Attacks

Today we browse the internet regularly with our devices. As we browse, we leave a trail behind us. This trail can be collected by others and used for personal and targeted attacks on our digital selves. There are various ways to avoid this, such as not clicking on links from unknown sources or creating strong passwords that can't be easily broken.

Social engineering is the psychological manipulation of victims to perform actions. It is used to gain access to computer systems, networks, and physical locations to commit crimes such as espionage, sabotage, or data theft. Social Engineering attacks propagate via attackers guiding victims to install a malicious app, software, and device update, which can lead to monitoring and surveillance. Pegasus spyware is an example of social engineering, executed via URL click and monitors your phone activity, including camera, microphones, apps and gallery etc.

3. Data Backups and Encryption

You need to be very aware that there's a huge chance for someone in civil society to suffer an incident that can result in losing their phone and laptop, or someone can snatch your devices and retrieve data despite them being password protected; the data remains readable through data retrieval techniques. An attacker can easily remove the hard drive from your PC and install it in an external case to use with a new computer so that you don't have to log in. Encrypting the devices can help in this case which makes your data unreadable until valid secret keys match and decryption happens. Veracrypt is recommended by security experts, while TrueCrypt or Bitlocker is a service offered by Windows for encrypting drives, and FileVault is available for Mac devices in the same way. Phones have limited options in the same way, but few mobile companies offer encryption abilities. To protect the security of your iPhone, you can configure the device to delete all its data after several unsuccessful attempts at unlocking it. (see privacy settings)

4. Enable two-factor authentication and Rotation of Passwords

Having different passwords for each website is a good practice. Not only will it ensure that your personal information isn't leaked, but it can also help you remember what password you had last time and which site you used it on. Hackers have a multitude of different methods for breaking into accounts, and even strong passwords get compromised. 2-step verification will add a better layer of security to help keep your information secure. All social media and email platforms provide you with a 2-step authentication option which can be implemented easily with a phone number.

5. Caution for Fake & Malicious Apps

Hackers have become well-equipped to develop fake apps and malware, but being attentive is easy to identify them. These apps generally have some common features that are dead giveaways. These apps have good reviews (Hackers buy fake reviews to maintain a safe reputation) and good usability. They are simple to use to ensure they do not raise any alarms but ask for many permissions, which the apps don’t need to perform functions but to execute the real spyware or malware by using the privileged permissions. Sometimes authentic apps are also being developed by nation-state actors to monitor and retrieve data from users. So we never know how approved and the well-reputed app is accessing our data and how they are utilizing it. It is suggested to take precautionary measures and avoid any extra app installation especially cracked and nulled apps that offer premium services as free, and check the phone regularly for any unknown app existence (Settings>Applications) as there are FUD (fully undetectable) apps that don’t appear on phone menu but exist.

6. Secure Communication

Activists, Human Rights Defenders, Bloggers, and Journalists risk being spied on when they cover sensitive stories. This can lead to self-censorship, resulting in journalists limiting their journalistic output to avoid government surveillance. In E2E (End to End) encryption, conversations are protected from third-party surveillance and interference so that messages can be read only by the sender and recipient. The Signal app is the best encrypted messaging app offering custom security features, including metadata privacy, and doesn't share your data with third parties.

7. Digital Security Awareness and Drills

Digital security has become a growing concern over the past decade and is a topic that we are all likely to hear about on the news. The best way to keep safe is to be aware of new techniques used by hackers and conduct cybersecurity training and real-time attack drills to check your organization's preparedness and defensive approach. Cybersecurity training is an important aspect of keeping your information safe. When you are aware of the kinds of threats, it becomes easier to avoid them.

8. Final Defense Cheatsheet

  • It is important to use strong passwords, and it is also not effective to use the same password on all accounts.
  • It is important to always check the URL before entering a password.
  • Avoid clicking on any links that are irrelevant to what you're looking at or seem suspicious. If something sounds too good to be true, it probably is. These messages are often just a ploy by hackers to get into your system with malicious intent.
  • Encrypt the drives of all your computers
  • Avoid downloading attachments at all costs. If you do need to view them then make sure to do so in a well-protected environment.
  • Protect your accounts by enabling 2-step verification, a crucial defense in the battle against hackers.

About Author

Babar Khan Akhunzada is a cyber wizard and hack-o-preneur, Founder of SecurityWall and CIVICUS Solidarity Fund grantee-member. SecurityWall is a first-generation cyber security startup stacked on technology to help enterprises and individuals to enhance security capabilities through a hybrid audit approach, actionable threat prediction, and processed remediation. Babar also leads Civic Digital Security Forum, an Emerging secure digitalization forum for the safe civic community through cyber diplomacy and confidence building.

The author is a speaker who gives his thoughts and analyses on Cyber Security Operations, Cyber Warfare, Privacy, Cyber Policy, and OSINT. The author can be reached at



25  Owl Street, 6th Floor
South Africa,
Tel: +27 (0)11 833 5959
Fax: +27 (0)11 833 7997

CIVICUS, c/o We Work
450 Lexington Ave
New York
NY 10017
United States

11 Avenue de la Paix
Tel: +41.79.910.34.28