The first, best, and most powerful security defense for journalists is to understand what phishing is. Everyone I talk to says this is how reporters are hacked in the real world. 0-days, encrypted comms... none of it matters if you're going to click on phishing links.
http://www.mcclatchydc.com/news/nation-world/national/article98200687.html
Mexican investigative journalist Rafael Cabrera didn’t take the bait.
Mysterious text messages would pop into his iPhone but he refrained from clicking on the links they contained. It saved his phone from turning into a surveillance tool, a digital ankle bracelet transmitting his every move, email and contact list entry.
...
Cyber experts revealed this week that an Israeli firm, NSO Group, had created spyware that allowed remote operators to seize virtual control of iPhones and iPads, listening to all conversations, intercepting all data and activating the cameras and microphones at will.