How to Stay Safe Online if You're at High Risk: NCSC's New Surveillance Guidance Explained

We all know the internet isn’t exactly a privacy haven. But for some people, being online isn’t just risky — it’s potentially life-threatening. Enter the UK's National Cyber Security Centre (NCSC), who’ve finally acknowledged that certain communities face digital threats far beyond your average catphishing incident or email from a Nigerian prince.

So, they've done something wildly unexpected for a government body: they've produced guidance that's... actually useful.

Yes, really.

Aimed at people who might be actively targeted by hostile governments, extremist groups, or other unsavoury types with too much tech and not enough morals, this new guidance spells out how to stay safer online when the stakes are high.

What Is This New NCSC Guidance All About?

The guidance comes in three flavours:

  1. Advice for individuals — aka, "How not to get digitally stalked by a state actor."

  2. Guidance for organisations — for those who support at-risk groups and want to avoid accidentally leaking everything.

  3. Technical standards and implementation guides — or, as it's commonly known, bedtime reading for your paranoid IT friend.

This isn’t about telling you to clear your browser cache. It’s about protecting yourself when someone is actively trying to break into your life through your screen.

Why This Matters: Real Risks, Real People

If you think this is all a bit dramatic, let’s recap what’s been going on:

  • Pegasus spyware turning phones into pocket spies.

  • State surveillance crossing borders like it's on a Contiki tour.

  • Location tracking used to out activists or hunt people down.

  • Data leaks that make people in already-dangerous situations even more vulnerable.

The world is a digital minefield. And some people are walking through it barefoot.

The NCSC guidance is designed to hand you some shoes. Preferably steel-toed, reinforced, and encrypted.

Who Is This For?

You might be thinking, "I’m not a journalist exposing corruption or a spy with a suitcase full of burner phones." Great. But if you’re:

  • A survivor of domestic abuse

  • An activist, dissident, or community organiser

  • A refugee with enemies in high places

  • A journalist, whistleblower, or someone who just really annoys powerful people

Then congratulations — the internet is now a threat vector.

This guidance is for you. And if you support people like this — guess what? You’re a target too. Don’t feel special.

What Are the Key Takeaways?

1. Control Your Devices

You know that thing in your pocket? The one that sends your exact location, listens to your conversations, and stores every photo you’ve ever taken? Yeah, maybe it’s time to rethink how you use it.

  • Turn off Bluetooth and location sharing. No one needs to know you’re in Greggs. Not even Greggs.

  • If your device no longer gets updates, it’s not vintage. It’s dangerous.

  • Watch for weird behaviour: random restarts, battery dying faster than your enthusiasm — these are red flags.

2. Use Encrypted Messaging and Storage

WhatsApp is nice, but Signal is better. It doesn’t sell your metadata to whoever’s buying.

  • Use apps that make surveillance harder.

  • Disappearing messages = good.

  • Cloud backups? Only if you control the keys. Otherwise, you’re just storing your secrets in someone else’s sock drawer.

3. Separate Identities and Data

If your Instagram, work email, and secret activist alias are all tied to the same mobile number, you’ve got bigger problems than spam.

  • Use different accounts for different aspects of your life.

  • Never reuse passwords. This isn’t 2006.

  • Use a password manager. Or enjoy playing data-leak roulette.

4. Be Wary of Links and Attachments

Phishing is still the king of digital compromise. And guess what? It’s not always some clumsy fake from “Micros0ft.”

  • Hover before you click. Or better yet, don’t click at all.

  • Attachments are Trojan horses. Sometimes literally.

  • Update your antivirus like you update your social media. Often.

5. Use Multi-Factor Authentication (MFA)

SMS-based codes? Cute. Until someone clones your SIM. Use app-based MFA. Or better yet, a physical security key.

Because nothing says "try harder" like a hacker being blocked by a £30 USB stick.

What Organisations Should Be Doing

If you're supporting people at risk and haven’t already read this guidance, pour yourself a coffee and fix that today. Because your good intentions won't matter if your IT practices are held together by hope and duct tape.

  • Train your team. If you wouldn’t trust them to reset a router, don’t trust them with sensitive data.

  • Only collect what you absolutely need. You can’t leak what you don’t store.

  • Encrypt. Everything. Twice, if it helps you sleep.

  • Ditch the charity-sector tech debt. Windows 7 is not a friend — it’s a liability.

Real-World Examples

This isn’t all theoretical:

  • A whistleblower avoids getting doxxed because they used burner devices and secure channels.

  • An NGO helps someone escape a domestic violence situation by providing a clean phone and encrypted comms.

  • A protest organiser doesn’t get outed by their own metadata thanks to basic digital opsec.

The difference between safety and disaster? Often a few simple decisions made early.

Why the UK Is Taking This Seriously

For once, a government agency read the room. The NCSC partnering with civil society groups is a move that says, "Hey, maybe we should help people before they get digitally obliterated."

While the guidance isn’t enforceable, it’s a solid framework. And let’s be honest — it’s more helpful than most GDPR pop-ups.

Final Thoughts: Everyone Deserves Digital Safety

You don’t have to be James Bond to need digital security. Sometimes, you’re just someone trying to live your life without being stalked online.

The internet doesn’t come with airbags. But this guidance? It’s a start.

If you or someone you work with might be at risk, treat this like the digital equivalent of locking your front door — basic, obvious, and essential.

Because in 2025, privacy isn’t just a right. It’s a survival skill.

If you work with vulnerable groups or run an organisation that supports them, it is time to make digital safety a core part of your mission. It’s no longer optional — it’s survival 101.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com