A Multidimensional Approach to Journalist Safety – Latin American News Center

Written by: Brooke Lynn Weenig, Senior Director of Product Marketing, and Rona Sandvik, Granitt Foundation.

The security community is constantly changing, growing and learning from each other to better position the world in the face of cyber threats. In the latest post in the Community Voices blog series, Brooke Lin WingSenior Product Marketing Manager Microsoft Securitytalk to me Sandvik RonD., a former senior director of information security for The New York Times and a member of the CISA Technical Advisory Board. She was recently interviewed about her new startup Granitt on TechCrunch.¹ The ideas below reflect Rona’s views, not those of Microsoft, and should not be considered legal advice. In this blog post, Rona talks about the security of journalists and media organizations.

Brook: How did you get into cybersecurity?

rune: I got my first computer when I was 15 years old. I studied a degree in computer science at a university in Norway, where I belong. One of the things that I really enjoy in this industry is that within IT and cybersecurity, there are many different challenges that have to be dealt with. There are a lot of problems you can work on and a lot of things to pique your curiosity and I’ve always loved that.

During the summer of 2009, before the last year of my bachelor’s degree, I worked out . project As part of Google Summer of Code. After my internship ended, I stayed on the Tor project and volunteered to continue my project. Over time, Tor offered me a part-time contract and later a full-time one.

A lot of the work I do today has been shaped by my four years on the Tor Project. When I first heard about Tor, I thought it was cool to be anonymous online by using a piece of technology. I didn’t think about who was using it or for what reason. But during the four years with Tor, I was able to meet not only other people who work in the same place, but also people from all over the world who told me about their experiences with the tool and what I let them do, which was a great experience. It was very positive for me.

Brooke: What are you most excited about protecting journalists?

rune: Around 2011, four projects got funding to train reporters how to use the Tor Browser and I ended up as the lead for that project. We developed a curriculum and soon felt that there was no point in teaching someone how to use Tor Browser to stay safe online if they weren’t familiar with general security best practices like passwords and Two-factor documentation The importance of software updates. So, we built a curriculum around that. Later, I brought this experience with me to the Freedom of the Press Foundation and the New York Times.

The work I did with journalists was something I found, but looking at it now, I think investigative journalism has a lot of the same issues as security research. It has the same puzzles, the same challenges, and the same pits that pique my curiosity and interest. He also has this very important mission behind him.

Brook: What do you do to protect journalists and groups or organizations at risk?

rune: For someone to work safely or securely, I consider digital security, physical security, emotional security, and legal issues. Journalism safety really needs to go beyond all four sections, so part of my job has been one-on-one conversations with reporters who want safety guidelines every day, helping them figure out what they can do to improve it. They are usually in the process of preparing for a particular research project or a trip to a danger zone.

I worked closely with groups of people in media organizations that are a mix of reporters, IT, security and law to prepare a security plan based on the challenges they face and the type of support the newsroom needs. Years ago, if you were a big company like the New York Times, Washington Post, Microsoft or Google, there were many large and complex cybersecurity frameworks to help you have a baseline and steps for improvement in the future.

If you are someone looking to improve your security, there are guides from the Electronic Frontier Foundation and Freedom of the Press Foundation that provide information like “This is how to use a password manager” and “This is how to set up two-factor authentication.” Ford Foundation Matt Mitchell has found that if you are a small organization or a small team, there is no good option available. Ford Foundation Cyber ​​Security Assessment ToolIt is designed for small businesses. It’s a really effective way of knowing where I am today and where my focus should be in the next year or two.

Brook: What are the biggest threats you’ve seen in your industry?

rune: If we talk about the security issues that a journalist may face as an individual, we can talk about online account takeovers and phishing scams. I gave a talk recently at Paranoia in Oslo about how the media is hacked and the root cause of all these problems. If we talk about the organization the journalist works for, it is about the lack of stuffing of two-factor authentication credentials, weak passwords, phishing and outdated systems.

Over the years my work has focused on the individual, but 10 years ago, Tor was highly accurate and complex. We had a VPN. We had tools to encrypt the entire drive on your laptop, but they were hard to use. There was a long script of steps to get it all set up and running. People needed a lot of help to use it. These days, we have all the tools and they are free or not very expensive. What is now lacking is leadership support to create processes and workflows to ensure that all of these tools are available in newsrooms. Nowadays, it has become more of a challenge to build bridges. I don’t think we lack any tools. We just have to figure out how to put it together.

Brook: What are the biggest security challenges for journalists?

rune: A journalist is a journalist all day, every day. This isn’t just a job, it’s an identity. They are journalists, whether they are in the cinema on their personal phone or at work on their company laptop. No matter what device they’re using, time of day and location in the world, they’re still journalists and will report if there’s something they’re reporting on. Historically, in the corporate context, we’ve focused on protecting corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, it’s starting to slip a bit. I think there should be a bigger conversation about how to secure identities rather than just 9 to 5 things to the company.

Another big challenge is generating enough support from the business to be able to provide adequate support to the newsroom. The journalists I spoke to don’t doubt that they need to be safer and that they need processes or tools. Once it’s provided, they’re more than willing to try things out. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges for the business, whether it’s from a physical, digital or legal point of view, and then come up with ways to address that.

Supporting work in the newsroom means developing products, developing a content management system, publishing stories, producing new ways to report, retaining subscribers, funding roving reporters, and research. All of these things are very important and sometimes even more important than safety. The challenge is where do I spend my resources if I know everything is so limiting?

There are many different ways you can improve security in your organization, and even if you don’t currently have the resources for the biggest and best product, there are still little things that can be done. It’s about knowing how to focus on that one thing you need to focus on, even if it’s one or two people or a small team. At this point, focusing on cybersecurity is not an option.

learn more

For more information about Microsoft security solutions, visit our website website. add to favourites Security Blog To stay up-to-date with our expert coverage of security matters. Also follow us on MSFTSecurity for the latest cybersecurity news and updates.

¹Runa Sandvik’s new startup Granitt protects vulnerable people from hackers and nation statesZach Whitaker. 15 July 2022.

Tags: Multifactor authenticationAnd the cyber security