The study was conducted by the Rating Sociological Group on behalf of the NGO Internews Ukraine. The report was prepared based on the results of in-depth interviews with journalists, representatives of civil society organisations, and digital security experts.

Since the start of the full-scale invasion, threats in the information space have intensified. On the one hand, informants note a significant increase in the number of cyberattacks on media resources, the spread of fake information on social networks, and information and psychological special operations (hereinafter referred to as IPSO) in general. On the other hand, cybersecurity experts and representatives of civil society organisations often speak not so much about the emergence of qualitatively new threats as about the growing interest and intensity of malicious actors in hacking resources and conducting IPSO.

An obvious factor in the increase in threats is the armed and information aggression on the part of the Russian Federation, whose special services are most often mentioned by informants among the beneficiaries of cyberattacks. Other attackers mentioned include individual representatives of the Ukrainian authorities (more often as figures in anti-corruption journalistic investigations), Ukrainian special services (as tools in the hands of unscrupulous Ukrainian officials), and fraudsters (in particular transnational groups). In addition to the intensification of the war itself, respondents note the development of technologies, in particular artificial intelligence (hereinafter referred to as AI), which lead to a quantitative and qualitative increase in fake information, as well as an intensification of cyberattacks.

Another factor is the spread and penetration of social networks among the Ukrainian population, resulting in a relative decline in the average level of information literacy, an increased risk of hacking into the accounts of relatives and acquaintances of journalists, and, accordingly, an increase in threats to personal digital security. Among the particular dangers, journalists mention increased pressure on them and, as a result, the spread of self-censorship due to fears about the possible consequences of publishing certain materials. These processes are leading to the erosion of journalism as a whole due to a general decline in trust in the institution, which in the long term will threaten the functioning of democratic institutions in Ukraine.

‍

The increase in threats is leading to stricter digital security requirements, for which media and civil society organisations are unprepared. Over the past 2-3 years, informants have faced DDoS, phishing and virus attacks, resulting in the hacking of access to website admin panels, social media pages and servers storing data, including sensitive data.

Despite measures aimed at strengthening digital security, informants note the relevance of threats such as personal data leaks, the creation of fake channels on social networks and messengers that mimic real ones, the construction of high-quality deepfakes using AI, eavesdropping and external surveillance, including GPS tracking, and massive cyberattacks. Only a few respondents believe that their organisation has a high level of protection.

‍

According to digital security experts, the state of an organisation's digital protection directly depends on the intensity of personal cyber hygiene practices. The study showed that informants mostly say they are familiar with the basic rules, among which they most often mention those related to passwords for websites and pages (generating and regularly updating complex passwords through managers, two-factor authentication), and are cautious when receiving messages via electronic means of communication. Only a few respondents add to this list the use of antivirus software, VPNs, creating backups of information, and reading technical documentation when installing programmes (which remains largely selective), using and regularly updating licensed software, preventing documents from being downloaded to personal devices, and transferring work exclusively to the Internet. Despite general awareness of the existence of digital security rules, informants note that they and their colleagues often do not fully comply with them. Among the reasons most often cited are that the implementation of changes leads to a disruption of the usual way of life and work, which initially causes aversion, a feeling of lack of strength and time; lack of motivation, exacerbated by the unwillingness to identify oneself as a potential victim of attackers who are supposedly not interested in the activities of local organisations; lack of funding for programmes and devices that provide more reliable digital protection, as well as isolated cases of technical problems with generated complex passwords due to power outages and/or malfunctions in gadget operating systems.

A weak point in the organisation of personal digital security remains the fact that journalists unconsciously distinguish between services that are necessary for their professional activities and those they use in their free time (mostly for entertainment). Accordingly, they do not apply digital security rules to such programmes and applications. Some of the organisations surveyed have a separate digital security policy, while others do not have a formalised policy but take individual measures to implement digital security. There are various ways of familiarising employees with digital security rules, including direct communication between the security service and individual departments (divisions) of the organisation and/or system administrators, familiarisation during onboarding, regular training and instruction on information security (both internal and external), and sending instructions through organisational communication channels (both one-off and regular). Information security rules are usually limited to basic instructions on how to handle the resources and services that the organisation works with. Only some organisations have enhanced security rules, including protocols for responding to account or server hacking, restrictions on access to organisational resources and working from personal devices, and the use of backup clouds and closed servers. Some organisations have a dedicated security service responsible for preventing digital security breaches and responding to such incidents. Only a few organisations attempt to combine technical and social (organisational, personal) aspects of digital security.

‍

A separate vulnerability in cybersecurity is the services used by journalists for internal communication. Some organisations do not have a policy that defines an exhaustive list of such services, so their employees can use several at the same time. In large companies, employees can use corporate email, Google Drive, Trello, Notion, and various messengers, which creates additional problems and threats. Among messengers, informants most often mention Telegram (while emphasising their understanding of the risks associated with the origin of this resource) and WhatsApp, and less often Facebook, Signal, and Slack messengers. Only some organisations divide communication into work-related communication, which involves the use of documents (mostly via corporate email), and non-work-related communication (mainly via messengers). The reluctance to switch to more secure communication services is related to convenience (the need to send large amounts of information, including photos and videos, limits the range of services available) communication with employees who may be located, in particular, in occupied territory leads to attempts to simplify communication methods) and the costs required to use them.

According to informants, employees in their organisations are usually familiar with phishing protection algorithms. Some respondents noted that they learn about such rules during training sessions conducted either by their own organisation or by a partner organisation specialising in digital security. A smaller number of respondents are not sufficiently familiar with such algorithms, so they solve phishing problems by consulting with the security department or representatives of partner organisations, which usually leads to unnecessary time consumption. Individual technical departments and divisions are more often responsible for organising security measures in organisations. Their competence mostly extends to the organisation of technical parameters and the application of solutions aimed at countering planned mass attacks. In small media and public organisations, individual employees are responsible for security measures: the relevant technical specialist, HR, office manager, department head or head of the organisation. To strengthen digital security in organisations, it is common practice to conduct training (more often in-house, less often with invited organisations specialising in digital security). In some organisations, instead of joint training, individual sessions are organised with the involvement of partner organisations. Opinions on the level of complexity of such training courses were divided: on the one hand, many informants responded that they did not consider such training courses to be complex, while on the other hand, some reported that their colleagues were not personally interested in such events. However, despite the prevalence of personal lack of motivation, all respondents indicated the relevance of the knowledge and skills acquired during such training. According to them, the routine nature of work processes leads to a loss of vigilance, so it is important to regularly remind people of the basic rules of digital security.

According to some informants, the existing measures are sufficient to achieve digital security in general. Other informants mentioned the relevance of such steps, which have been implemented only in some organisations:    

• drawing up an internal security protocol;    
• forming a security department whose task would be to monitor compliance,    
• availability and implementation of automatic security solutions, primarily to prevent threats of mass cyber attacks;    
• increasing the responsibility of individual employees for their own actions;
• allocating funds to improve the security level of the site;
• introduction of periodic training sessions, which would additionally cover practical cases and the potential consequences of non-compliance with certain cyber hygiene rules;
• separation of work and personal digital spaces.    

Some of the informants expressed personal interest in regular training to monitor threats arising in the information space. Accordingly, the main need of the respondents is to maintain the current level of awareness of information threats, preferably using materials with specific cases.

‍

Only a few informants have specific requests:  

• information about types of VPNs;    
• ways to protect media sites, including cloud-based ones;    
• ways to store sensitive content;    creating secure channels for information transfer;    
• protection against illegal surveillance, methods of identifying eavesdropping via devices;    
• features of data encryption protocols in messengers;    
• the use of AI to produce fakes and methods of recognising deepfakes;    
• features of IPSO;    
• methods of identifying individuals who complain about content on social networks, leading to the blocking of an organisation's pages (individuals, groups of people, competitors, etc.).

‍

According to respondents, for users who are just beginning to learn the basics of digital security, it is advisable to use a training format where they can get answers to common questions, while individual consultations are optimal for more advanced users.

Participation in offline training is considered more effective because it allows participants to ask more questions and focus their attention, which is key to effective learning, as well as minimising the impact of power outages. During training in any format, it is advisable to pay attention to specific cases, ideally from the organisations themselves; focus on a single programme used in the organisation; use homework assignments, which together allow for a better understanding of the nuances; and conduct training on different topics for different representatives of the organisation. Only some of the informants require digital security services. Most often, they mention security audits of servers, website admin panels, corporate email, etc. Some respondents emphasised the need to use additional software, in particular cloud storage, which requires more funds. One of the informants mentioned the need for a hotline that can be contacted in case of a breach of the organisation's resources. However, potential barriers to conducting an audit may include a high level of distrust of the organisation conducting it, as well as unwillingness to incur the associated financial costs.

‍

Only a few informants expressed interest in creating an online platform that would bring together digital security initiatives. First of all, they do not understand the purpose of their involvement, since journalists prefer to contact specialists personally for relevant services when needed. Cybersecurity experts and representatives of civil society organisations showed greater interest. To increase their interest, it is worth explaining how such a platform would work, the conditions for joining it, the sources of funding for the platform, the terms of cooperation, and the degree of its security. According to informants, the platform could perform the following functions:

• round-the-clock support, posting contacts of specialists in various fields;    
• a place to develop training programmes and checklists for organisations that want to solve digital security problems on their own;
• rapid exchange of experience on the latest threats, risk areas, and ways to ensure the digital protection of organisations;    
• publication of digests on trends in the field of information security (current threats, case studies on the consequences of breaches, ways to determine the level of risk to resources, methods for recognising deepfakes, changes in social media policies, software that will help secure an organisation, etc.).

‍