Do not leave devices unlocked and unattended in coworking spaces, conferences, and similar places. Make sure that they are protected by a strong password or passphrase and, when you do need to step away from your device for a moment (for example to fetch a drink or go to the bathroom), lock it so that nobody can scroll through it and get your data. Phones have a “lock” button. On Windows devices, the easiest way to lock them is to hold down the Windows key and press “L”. Once you have locked your device, you (or anyone else) need to enter its password to unlock it.

Make sure to back up the contents of your devices. That way, if your device is stolen, lost, or wiped by malware, you will still be able to restore your data.

The easiest way to back up the contents of your device is to Google’s cloud. Check out this guide on how to do that.

There are, however, two possible downsides to backing up your devices to Google’s cloud:

  1. The cloud has limited free storage space. Once you reach the limit, you will need to pay monthly for additional storage.

  2. If someone broke into your Google cloud, they could get access to your data. As such, it’s crucial to keep your account secured with a good, unique password and strong two-factor authentication such as a security key.

Install software only from authorized or official sources. When on Android, only install apps from the Google Play Store, and on iOS and macOS, only install apps from the official App Store. Both check the software that is distributed through them to make sure that it is free of malware. If you are on Android, enable Google Play Protect as well, which constantly scans your phone for malware and disables any it finds. If you feel comfortable with sending details of your potentially malicious apps to Google’s security team, you can also enable the “Improve harmful app detection” option. Only install software from authors and organizations you trust, and only ever get it from their official website. Do not use pirated (unlicensed) software if at all possible: it is a frequent source of viruses. If you are an NGO and need to run some commercial software, you could get in touch with a group such as TechSoup, which can support you in getting it. There are also many free alternatives to commercial software. While they might have slightly different features from paid-for software, it’s much safer to run them than to use pirated (unlicensed) software and risk getting viruses.

Audit your apps’ permissions. Before an app that runs on Android or iOS can access your photos, microphone, camera, SMS, or other potentially sensitive data, it must first ask the mobile operating system for permission to do so. Make sure to only give an app the permissions that it absolutely needs to do its job, and do not install any apps that ask for excessive permissions (a flashlight app that asks for access to your microphone, for example, is clearly suspicious and should be avoided). Check out these guides on how to manage permissions in Android and iOS.

Video on how to manage app permissions in Android

Do not root or jailbreak a phone that you use for sensitive communication. Rooting or jailbreaking is a process by which a user removes some security mechanisms and restrictions in an Android or iOS device to modify the system or run custom software. While technical users sometimes root or jailbreak their phones, this removes some of the security mechanisms put in place by Google or Apple and makes the phone much more vulnerable to malware.

When running Windows, enable Windows Security. Microsoft Windows already has a fantastic built-in antivirus called Windows Security. Read a bit about it and make sure that all of its security features are enabled. We typically recommend Windows Security over other antivirus solutions since it's free, integrated tightly into the operating system, effective, and less likely to exhibit bugs or other weird behavior.

We are usually a little cautious about recommending that all users install antivirus: antivirus companies have been known to mis-sell or misrepresent products, while operating systems' built-in protections (like Windows Security, Apple’s Security and other in-built controls) are already quite effective. In practice, we observe that both systems with built-in protections and systems running commercial antivirus can be compromised.

We generally recommend running antivirus software in one of two cases: if your operating system does not contain features like Windows Security, or if you have or suspect a piece of malware that you’d like to remove. For the latter scenario, Malwarebytes is likely the optimal solution.

If you'd like to learn more about device security, check out this page (though it focuses specifically on mobile devices): https://freedom.press/training/your-smartphone-and-you-handbook-modern-mobile-maintenance/

Make sure that your devices have a remote wipe capability enabled, which will allow you to delete all the content on them if they are lost, seized, or stolen. Do note that remote wipe will only work if the device is still connected to the internet, and some attackers will therefore remove the SIM card or put the phone in a room with no phone reception to frustrate attempts at wiping it remotely. Read about how to do this for Apple here and for Google here.

 

Last modified: Wednesday, 4 February 2026, 6:11 AM