Global cybercrime costs are expected to surge from $9.22 trillion in 2024 to $13.82 trillion by 2028. The United States, in particular, faces an escalating threat from cyberattacks, as a recent study names Colorado the most vulnerable state.
In 2023, three in four U.S. companies were at risk of a material cyberattack. According to Statista, the costs associated with cybercrime are projected to surpass $452 billion in the U.S. in 2024 alone.
Responding to these trends, cybersecurity and compliance expert Kiteworks conducted a study to identify the U.S. states where businesses are most at risk of cyberattacks.
The study, which analysed factors such as annual victim counts, financial losses, and the types of cyberattacks experienced, revealed that Colorado is the state most vulnerable to cybercrime.
We consulted industry experts for their insights on the findings and what they mean for businesses in the most at-risk states.
Colorado: a mid-sized state with big cybersecurity challenges
Despite its mid-sized population of nearly 5.9 million, Colorado has experienced a significant rate of cyberattacks since 2017. According to the study, the state has reported 10,776 annual victims from 2020, and financial losses from cyberattacks have surged by 58.7% since 2017, amounting to over $104m.
Anna Pham, senior threat intelligence researcher at Warburg Pincus-backed cybersecurity firm eSentire, attributes Colorado’s vulnerability partly to its ageing population.
“Older individuals are more prone to falling victim to cybercrimes multiple times,” she explains. “They may be less familiar with the latest cybersecurity practices and are more susceptible to threats like phishing, social engineering, and malvertising.”
Malvertising spreads malware through sponsored Google or Bing ads, redirecting users to harmful websites. There, they can unwittingly download malicious software onto their devices.
According to Pham, this demographic shift in Colorado, combined with increasingly sophisticated cyber threats, underscores the urgent need for tailored cybersecurity strategies that address the unique risks faced by different groups.
She advises that efforts should focus on raising awareness of common scams and educating older adults on basic cybersecurity practices.
She adds that the focus for younger, more tech-savvy populations should “shift toward data privacy and advanced threats”, such as sophisticated phishing schemes that exploit social media and other digital platforms.
New York and Nevada: cybercrime hotspots on the rise
The fourth most populous state, New York, reported 27,205 annual victims between 2020 and 2023. The Empire State’s financial losses totalled $440m during that period — a 75.7% increase since 2017.
Nevada ranks third on the list, with a risk score of 7.62, and has experienced a 27.6% increase in cyberattack victim counts over the past four years.
These trends point to the growing sophistication of cybercriminals. “Ransomware will continue to be a major problem, with attacks becoming more frequent and advanced,” says Pham.
“Artificial Intelligence (AI) enables attackers to automate many aspects of their operations, from identifying vulnerabilities to crafting highly personalised phishing emails almost indistinguishable from legitimate emails.”
As AI technology improves, these phishing emails will become even more convincing, making it easier for people to fall for them, she says.
In contrast, Virginia stands out as the only state to report a decrease in cyberattack victims since 2017, with a 10.8% reduction.
Pham attributes Virginia’s success to robust cybersecurity measures, likely bolstered by the presence of federal agencies and a robust cybersecurity workforce.
“Virginia’s decrease in cyberattack victims could be attributed to public-private partnerships, increased investment in cybersecurity training, and more effective cybersecurity standards,” she suggests.
The financial toll of cybercrime: Most costly and common attacks
The financial impact of cyberattacks in the U.S. is staggering, with certain types of attacks proving particularly costly.
Keith Jarvis, senior security researcher at Secureworks, explains, “Over the last several years, we’ve watched the underground marketplaces for stolen credentials grow and mature to the same point those for payment card information did in the early 2010s.”
Business Email Compromise (BEC) tops the list, causing losses exceeding $1.7bn since 2020. BEC attacks involve fraudsters impersonating business executives or employees to deceive victims into transferring funds or revealing sensitive information.
“Stolen credentials already fuel a huge part of the cybercriminal ecosystem, from BEC to ransomware to ordinary fraud, and we expect that to continue,” Jarvis adds.
BEC attacks are especially damaging because they exploit trust within organisations, leading to significant financial and reputational harm.
Credit card and check fraud rank second, with total losses of over $516m, followed by malware attacks, which have caused nearly $237m in damages.
These attacks typically involve unauthorised use of payment information or malicious software that can hinder business operations.
On the other hand, non-payment/non-delivery attacks are the most common cyber threat in the U.S., with 60,113 incidents since 2020. This type of attack involves fraudsters tricking victims into paying for undelivered goods or services.
Personal data breaches involving unauthorised access to sensitive information are the second most prevalent, with 40,523 incidents reported. These breaches can lead to identity theft and other forms of fraud, further compounding the financial and personal damage.
“We expect cybercriminals to improve in more traditional areas of fraud by accessing payroll, benefits, and tax portals of both individuals and businesses in higher volumes. This has been happening for many years but has much room to grow in scale,” informs Jarvis.
The Human Element: a critical factor in cyber-defence
While technological defences are essential, the human element remains critical in cybersecurity.
“The key problem in the U.S. is that most responses to escalating cyber threats involve increasing investment in technical defence infrastructure — which doesn’t solve the problem,” argues Alan Calder, CEO of GRC International Group.
“The issue is fundamentally human. Until organisations prioritise staff training and awareness, together with policy enforcement and discipline, they will continue to fall victim to cyberattacks,” he says.
Businesses in the most vulnerable states should prioritise comprehensive employee training to address this. “Since human error is often a major factor in successful cyberattacks, ongoing training can help staff recognise and avoid common threats like phishing and social engineering,” Pham adds.
Strategic cybersecurity investments
According to Jarvis from Secureworks, U.S. law enforcement is known for not pursuing cases where relatively small amounts are lost. “These attacks can be devastating for individuals, even if the absolute sums aren’t large.”
Given the significant financial losses reported, experts agree that businesses must strategically prioritise their cybersecurity investments.
Patrick Spencer, spokesperson at Kiteworks, commented: “Our study reveals a concerning trend: cyberattacks are on the rise, both in frequency and financial impact.”
He suggests businesses adopt a “content-defined zero trust approach” to secure sensitive communications.
“By consolidating email, file sharing, SFTP, managed file transfer, and web forms into a private content network protected by a hardened virtual appliance, organisations can ensure that sensitive content is only accessed by authorised users,” he says.
Pham recommends adopting Endpoint Detection and Response (EDR) products, which provide real-time monitoring and automated threat response across all devices within a network. “These tools are crucial in detecting and remediating threats before they cause significant damage,” she notes.
Additionally, partnering with managed security providers can offer businesses broader threat intelligence and help them avoid emerging risks. “This partnership can keep businesses informed about new threats and ensure they are equipped to handle them,” eSentire’s Pham advises.
Newsletter
Share
