Which States Are At Highest Risk For Cyberattacks?
Whether it’s the safety of our home computers and connected devices, exploits targeted at businesses or breaches of crucial federal systems, such as the hacking that took place in the November 2016 election, cybersecurity is one of the biggest issues facing Americans today.
Large-scale cyberattacks are nothing new, but the crisis does seem to be growing. In both 2019 and 2018, the World Economic Forum listed mass data breaches and cyberattacks as two of the top five biggest risks facing the world, with such risks being seen as more likely in 2019 than man-made disasters like oil spills or water crises.
More than 6 in 10 American adults have been the victim of a major data breach, and it’s estimated that as much as 90 percent of logins to e-commerce sites are actually attacks. The total losses are in the billions, if not trillions, of dollars, not to mention the erosion of trust in businesses, organizations and government.
Depending on where you live in the United States, you could be at higher or lower risk for cyberattacks targeting you personally, your business or even public infrastructure. In this guide, we break it down for you so you know your relative risk level based on our analysis of FBI cyberattack data (victim rate and trend), the National Governors Association’s figures on state cybersecurity spending and how safe each state’s election systems are.
The results indicate that where you live may well play a role in the level of cyber risk you’re exposed to every day.
Cyberattack Risk Index
When we first went through the data, we were really surprised by the results. We went into this analysis thinking most states would have relatively similar risk levels. After all, cyberattacks are not location-dependent and rarely require an in-person attacker. But after working through the data, we realized we were dead wrong. The state you live in massively impacts your risk of becoming a victim of a cyberattack.
Let’s take a look at which states are most at risk from cyberattacks, according to our index, in which higher numbers equal greater risk that residents, businesses and public infrastructure will be exposed to cyberattacks:
10 Most At-Risk States
Topping the list, by a large margin, is Hawaii, scoring a risk level more than quadruple the lowest-scoring state, Rhode Island. The average score was 88, and 26 states scored over that level. Hawaii was the only state to break the 150s. If you live in a high-risk state, you might want to consider cyber insurance. Take a look at our cyber insurance statistics and data for 2024 to see if it’s worth it for you.
Let’s take a look at how the 10 most at-risk states got to where they are:
Cyberattack Reports
The numbers used to create the rankings related to cyberattack reports came from the FBI’s Internet Crime Complaint Center, which gathers reports from cyberattack victims, including the type of attack and how much money, if any, was lost.
We examined the figures from 2016 and 2017 both to create a moment-in-time snapshot and to determine how each state was trending, which helps predict which states are likeliest to see improvements in the future.
More than half of states saw an increase between the two years, though most were modest jumps. Nine states saw double-digit increases, and Hawaii, the state that performed worst in our study, had an incredible 136 percent jump.
Here’s a look at the 10 biggest increases and decreases in the victimization rate between 2016 and 2017:
Despite the huge increase, Hawaii does not have the highest rate of victimization. Here’s a look at the 10 highest and lowest rates of victims per 100,000 population. Because of the wide variation in some states between the two years, we’ve combined the two years to create these rates:
IC3’s study found more than $1.4 billion in losses were reported by victims in 2017, and the center receives more than 800 complaints per day. Losses rose with the age of the victims, though the number of victims in each age group was roughly similar.
Non-payment or non-delivery was the most common type of incident reported, followed by personal data breaches and phishing, while the incidents causing the most damage were email exploits, confidence scams and non-payment/non-delivery.
Cybersecurity Spending
While there’s no doubt all states spend at least something on cybersecurity, more than half of states don’t explicitly outline any spending in their budgets. The National Governors Association found only a handful of states do set aside money strictly meant for cybersecurity, whether those funds are in budgets for education, homeland security and emergency management, law enforcement or business investment. Three years of budget line items were examined in the association’s study.
In the states that do not outline cybersecurity spending in their budgets, you should err on the side of caution by making your cybersecurity your responsibility. We go through cybersecurity tips, facts & statistics to help you prepare your cybersecurity strategy based on the latest threats.
Election Security
It’s been widely reported that more than 20 states’ election systems were targeted by Russian hackers during the 2016 presidential election. While these figures and the intent behind the Russian interference are a matter for political debate in some corners, an objective analysis by the Center for American Progress issued in early 2018 found ample reason for concern.
Analyzing everything from post-election audits to cybersecurity standards of registration systems, the center found most states are middling at best when it comes to securing the public’s faith in voting as well as the accuracy of the outcomes.
The study issued letter grades to each state, and the average grade equates to about 57 percent, or a C-/D+ in most schools. No state received an A.
Conclusion
The average American spends several hours of every day online, either on a computer or via a connected device. Business is now done online all across the globe. Public infrastructure relies on the internet for smooth operations.
We are connected … all the time … to everyone. It’s no wonder that we are so incredibly vulnerable to those who would seek to exploit that connection for their own financial or political means through illegal methods.
As our world grows more connected by the day, it’s crucial each of us practice good online safety and bring pressure to bear on our elected officials to ensure the systems we rely on every day, and the ones we use to put those very officials in their jobs, are as safe as they can be.
About This Study
To create our risk index, we examined data from three sources:
FBI’s Internet Crime Complaint Center, which collects reports from individuals and businesses that have been the victims of online fraud. We examined data from the years 2016 and 2017 to create a picture of how many people had been victimized as well as how each state was trending over the two-year period.
A Center for American Progress 2018 report titled “Election Security in All 50 States,” which examined a variety of factors impacting the security of elections and assigned each state a letter grade.
A National Governors Association analysis of three years’ worth of state budgets that determined how much money each state devoted specifically to cybersecurity initiatives. Many states were listed as spending no money on cybersecurity, which is certainly not the case, but few states include line items in their budgets strictly for cybersecurity, and that’s what we examined.
Each state’s rank in the categories measured was then combined to create a numerical rank.
Fair Use
The material on this page is free to share for noncommercial use. When using the text or images from this page, we ask that you properly attribute it with a link back to the URL.