Cybersecurity: The Riskiest and Safest U.S. States
For Webroot’s annual “Riskiest States” study, we partnered with the Ponemon Institute to analyze all 50 states and Washington, D.C., ranking them according to their cyber hygiene habits. Questions addressed several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.
While our survey was commissioned to measure consumer behavior, its findings will nevertheless be both interesting and relevant for managed service providers. The general public’s cyber savviness directly impacts MSPs and their businesses. In an industry where margins can be tight, and businesses are always on the lookout to lower costs and drive revenue, end-user behavior is a critical variable.
The vast majority of workplace data breaches are enabled by user error—according to Verizon’s annual Data Breach Investigation Report, as much as 93% of successful breaches involved end users taking the bait in social engineering attacks. Understanding public perception of cybersecurity and how end users interact with technology can help MSPs anticipate trouble spots and focus on remediating risky behaviors, rather than infections.
In our study, Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But, rather than pointing fingers, it’s important to note that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores. This means MSPs’ clients are more likely than not staffed by end users with, at best, a shaky understanding of cybersecurity best practices.
Nearly 50 percent of Americans don’t use antivirus software
That’s right. Something as basic as installing internet security software is completely ignored by about half the US, illustrating exactly how low the bar is for cybersecurity savvy among end users. Some other very common (and very risky) online behaviors include:
- Sharing account passwords
- Using too-simple passwords or reusing the same password for multiple accounts
- Not using an ad or pop-up blocker
- Opening emails, clicking links, and downloading files from unknown sources
- Not installing security on mobile devices
While businesses have greater control over whether or not effective internet security measures are in place at the office, that’s less true for these other behaviors. MSPs need to go beyond security software to make sure bad habits aren’t brought from home to the workplace.
What Users in the Riskiest States are Doing Wrong
Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):
- Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
- These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
- 50 percent+ of respondents in Florida, Illinois, Montana, and 45 percent of respondents from New Mexico and Wyoming said they don’t use any kind of antivirus or internet security.
- 47 percent of respondents never back up their data.
- An average of 72 percent share their passwords.
What Users in the Safest States are Doing Right
The 5 safest states had many behaviors in common that kept them ahead of the malware curve.
- Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
- Only 14.4 percent of respondents the safe states experienced 10 or more infections a year.
- The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
- Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
- And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)
Impacts of Risky Behavior
When users engage practice poor cyber hygiene, they’re at risk for more than just infections and lost files.
In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fallout was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.
When we consider ransomware as a subset of malware, something more than 35% of individuals admit to personally being negatively affected by in a given year, the risks to businesses are staggering. Considering a study by the Better Business Bureau, which found that more than half of small businesses would cease to be profitable in a single month if locked out of essential business data, it’s no exaggeration to call poor cybersecurity habits an existential threat to businesses.
Putting the Pieces Together
The results of our study, together with third-party research and the writings from experts in the field, suggest a fundamentally new approach to end user security training is desperately needed. End users can either be the first line of defense or the weakest link in a business’s cyber defenses. Programs like Security Awareness Training from Webroot, purpose-built for MSPs, are looking to address this cavernous gulf between end user habits and cybersecurity best practices. To learn more about Webroot, and its suite of security solutions, including Security Awareness Training, click here.