The cybersecurity risks confronting journalists have moved well beyond stolen passwords and hacked emails. At the International Journalism Festival 2026, a panel of reporters and security experts laid out a picture that was equal parts technical and deeply human: surveillance tools once reserved for criminal investigations are now being deployed against the press, and the consequences extend from digital compromise to physical danger. The session, led by Surfshark Research and Communications Lead Patricia Černiauskaitė, made one argument with particular force - this is not a technology problem. It is a press freedom problem.
When Digital Threats Become Physical Ones
Independent journalist Charlie Osborne described the moment she understood, in visceral terms, what it meant to be targeted online. A cyberstalker had obtained enough information about her to show up - or make it feel that way - at her home address. Her doorbell rang at 2:00 and 3:00 in the morning. "When the lines between what I was doing digitally and physically blurred, I knew it was an absolute problem," she told the panel. The experience forced her to relocate and, by her own account, damaged both her mental health and the quality of her work.
Osborne's case is not isolated. Journalists, particularly those working in conflict reporting, investigative work, or covering organized crime, routinely find that their digital footprints become liabilities. Personal data - home addresses, phone numbers, family members' identities - can be extracted from data breaches, public records, and social media oversharing. The result is that physical safety increasingly depends on digital hygiene, a connection that most reporters are not trained to make until something has already gone wrong.
State-Sponsored Spyware and the Accountability Gap
TechRadar news editor Chiara Castro drew attention to a threat that operates at a different scale: government-deployed surveillance software. She highlighted the Graphite spyware scandal in Italy, in which at least three journalists and four NGO activists working on Mediterranean Sea rescue operations received notifications that their devices had been targeted. Graphite, like the better-known Pegasus spyware developed by NSO Group, is capable of penetrating encrypted messaging applications, accessing cameras and microphones, and extracting data without any visible trace on the infected device.
"The Graphite scandal is emblematic of why democracies are increasingly getting comfortable using spyware against the press and civil society: a lack of oversight and accountability," Castro explained. This framing matters. When authoritarian governments surveil journalists, it is condemned. When democratic governments do the same - often through legal grey zones, with minimal judicial oversight and no public disclosure - the response is considerably more muted. The pattern, documented across multiple European countries over the past several years, suggests that the infrastructure of press surveillance is expanding, not contracting.
Why Modern Spyware Is Almost Impossible to Detect
Surfshark systems engineer Karolis Kačiulis addressed the technical reality that makes today's spyware so dangerous: it is effectively invisible. Older malware could be identified by symptoms - devices running hot, slowing down, or behaving erratically. Those indicators are now largely unreliable. "Today's CPUs are so efficient that it is really hard to notice anything because spyware is basically a really simple program," Kačiulis noted. The software runs quietly in the background, consuming minimal resources, generating no obvious disturbance.
The more significant point Kačiulis raised concerns how most compromises actually happen. They do not come from sophisticated zero-day exploits or brute-force attacks on encrypted systems. They come from social engineering - manipulating people into revealing credentials, clicking malicious links, or installing software they believe to be legitimate. This means that the weakest point in any journalist's security posture is not their device or their network. It is their own behavior, and the behaviors of the people around them.
What Journalists Can Do Without Technical Expertise
The panel closed with a set of recommendations that require no specialist knowledge to implement. They are worth taking seriously precisely because they address the human layer of security, not the technical one.
- Audit your own online presence. Osborne recommended spending 30 minutes searching your own name and using services such as Have I Been Pwned to identify which data breaches may have already exposed your information. Most people are surprised by what they find.
- Reduce what you store on your devices. Castro advised examining what sensitive material sits on your phone or laptop. If it does not need to be there, remove it - ideally to a physical, encrypted storage device that is not connected to any network.
- Reconsider your relationship with social media. Kačiulis urged journalists to identify contacts in their networks who overshare - tagging locations, posting about daily routines, revealing personal details - since that information can be used to construct a profile of someone who never posted it themselves.
None of these steps require technical training. All of them reflect the same underlying principle: in a threat environment where social engineering drives most attacks, awareness and behavioral discipline matter more than any single piece of software. For journalists in particular - whose sources, communications, and physical whereabouts carry consequences beyond their own safety - that discipline is not optional. It is part of the job.