Webroot's fourth annual report reveals the most and least cyber-secure states in the U.S., and underlines the nation’s lack of cybersecurity education during the peak of remote work.

The report, “A Look at 2020's Most (And Least) Cyber-Secure States”, sheds light on the continued need for more security awareness education nationwide. At a time when people are working remotely more than ever, the report highlights a larger issue – the lack of understanding in cybersecurity best practices and Americans’ overconfidence in their ability to bounce back from a breach.

“This is the fourth consecutive year we’ve seen the same high levels of consumer misunderstanding and general overconfidence when it comes to cybersecurity practices and safety,” said Webroot security analyst Tyler Moffitt. “According to our report, there is very little difference between the most secure and least secure states, which brings to light the larger need for better cyber hygiene practices and education across the United States. More Americans than ever are working remotely and with cyber risks continuing to increase, consumers need to take the initiative to understand those risks and practice safer online behavior before it’s too late.”

Least Cyber-Secure States

1. New York (MOST RISKY)
2. California 
3. Texas 
4. Alabama 
5. Arkansas 

Most Cyber-Secure States

1. Nebraska (LEAST RISKY)
2. New Hampshire 
3. Wyoming 
4. Oregon 
5. New Jersey 

Notable Findings: 

Almost all (89%) Americans say they’re taking appropriate steps to protect themselves online, but there is a general lack of understanding when it comes to cybersecurity.

• Few Americans practice all key benchmark metrics (including using anti-virus software, backing up data and keeping social media profiles private) needed to protect themselves from cyberattacks – the average American scored a 58% on our index (an “F” grade) and only 11% scored 90% or higher (an “A” grade).There is a 15 point difference between the riskiest state (New York, 52%) and least risky state (Nebraska, 67%). No state scored a “C” grade or higher.
• A majority of Americans say they are familiar with malware (78%) and phishing scams (68%), but only about a third feel confident they can explain what malware or phishing is.
• 83% of Americans use anti-virus software and regularly back up their data (80%), but only half know if their backup is in an encrypted format and only 18% back up their data online and offline.
• Almost half (49%) of Americans use the same password across multiple accounts and only 37% keep their social medial accounts private.

More than three-quarters (78%) of Americans who have had their identity stolen have made changes to their online behavior as a result of them or someone they know being negatively affected by a cyber-related attack.

• Less than half (47%) of those who have not had their identity stolen have not changed their online behavior.
• Those who have had their identity stolen are more likely than those who have not to perform:
  • Regularly monitoring bank accounts (31% vs. 22%)
  • Regularly monitoring credit card statements (26% vs. 16%)
  • Keeping software up to date (26% vs. 16%)
  • Regularly checking credit reports (25% vs. 15%).
• Nearly three-quarters (73%) of employed Americans who have had their identity stolen have looked into the security of their work devices, while 59% of those who have not say the same thing.
• Those who have lost a device (71%) or discarded a device without wiping the data (71%) are the next most likely to have experienced or know someone who has experienced a cyber-attack and made a change to their online behavior.

More than half (55%) of Americans routinely use their employer-provided work device for personal use.

• More than one-third (38%) consider an employer-provided work device to be their “primary” device for use at home.
• Almost half (48%) have never looked into the security of their work devices, and only a third have taken any steps to improve its security.
• Only around a quarter (26%) believe their personal devices are more secure than their work devices.