Even the most cyber secure states didn’t score above a C average, which means there’s more work to be done

Security and IT managers all over the globe have had to scramble during the last month to rearrange workforces into largely remote office setups amid the COVID-19 pandemic. But even with the best tools in place, end users still face severe cyber risks as hackers have upped their game to take advantage of pandemic chaos. And a new study finds user awareness continues to be severely lacking, cautioning security managers to be on guard more than ever before.

 Webroot’s fourth annual ranking of U.S. states based on consumer security behavior looks at 2020’s most and least cyber-secure states and the results call out some concerning user trends.

“The findings of this report are very timely, especially since the COVID-19 pandemic is not stopping hackers,” said Webroot security analyst Tyler Moffitt. “Overall, cybercriminals are likely to view this time as an opportunity to gain a higher return and we will only see an increase in attacks. Webroot recently saw that 2% of the 20,000 websites created with ‘COVID’ or ‘Coronavirus’ as part of the name in the past two months were malicious.

“The need for employees to incorporate best practices and become more aware has never been more important, especially as they work remotely and are not under strict IT supervision,” he added.

Webroot worked with Wakefield Research to field an online survey to 10,000 U.S. consumers to gauge secure behaviors and habits.

The least cyber-secure states are:

1. New York
2. California
3. Texas
4. Alabama
5. Arkansas

The most cyber-secure states are:

1. Nebraska
2. New Hampshire
3. Wyoming
4. Oregon
5. New Jersey

However, Moffit noted, the cybersecurity in each state was lackluster and no one state scored a particularly impressive grade. There was a mere 15-point difference between the riskiest state (New York, 52%) and least risky state (Nebraska, 67%), he said. No state scored a “C” grade or higher.

“There is very little difference between the most secure and least secure states, which brings to light the larger need for better cyber hygiene practices and education across the United States.”

Thinking and Doing: Two Different Things

The report also found that while nearly all (89%) Americans say they’re taking appropriate steps to protect themselves online, there is a general lack of understanding when it comes to cybersecurity. Few Americans met what Webroot determined to be key protection benchmarks, including using anti-virus software, backing up data and keeping social media profiles private. The average American scored a 58% on the Webroot index, which was an “F” grade. Only 11% scored 90%.

Poor hygiene and a lack of understanding about risks also were prevalent in the findings. Almost half (49%) of Americans use the same password across multiple accounts and only 37% keep their social medial accounts private. And while 83% of Americans said they use anti-virus software and regularly back up their data (80%), only half know if their backup is in an encrypted format and only 18% back up their data online and offline. A majority of Americans say they are familiar with malware (78%) and phishing scams (68%), but only about a third feel confident they can explain the concept of malware or phishing.

“A large component of the high levels of consumer cybersecurity misunderstanding is related to a lack of education but also Americans having unwarranted overconfidence when it comes to the steps they are taking to protect themselves,” said Moffit.

Mixing Work Devices With Personal Use

Americans are also using work-issued devices for personal use, which typically rubs up against policy. More than half (55%) of Americans said they routinely use their employer-provided work device for personal use. Over one-third (38%) consider an employer-provided work device to be their “primary” device for use at home. Almost half (48%) have never looked into the security of their work devices, and only a third have taken any steps to improve its security.

Education, Extra Support More Critical Than Ever

Regardless of which state your employees are located in, now is not the time to scale back on education and awareness amid a difficult a stressful and unusual time for American workers. Moffit said instead, companies need to take more steps to better prepare their employees and provide cybersecurity education.

“By providing information and training on best practices, employees are less likely to fall for a cybersecurity threat and are likely to carry these practices over into their personal lives as well,” he said. “It is important for CISOs and security managers to remember that not all employees are versed in security practices and by providing tools to employees to protect themselves and their companies they are better prepared should a cybersecurity threat arise.”