This is partly due to security and business executives getting their threat information from public sources, which the survey said, "vary greatly in quality, accuracy (and) timeliness."
And it is partly because, "many of the companies who lack or fail to test a cybersecurity plan are likely the same ones who report they don't know what government agency to contact when a cybercrime is suspected."
The FBI declined to comment on the report, but furnished a link to testimony before Congress by Richard A. McFeely, executive assistant director of the agency's Criminal, Cyber, Response, and Services Branch, promising better cooperation with the private sector.
"In the past, industry has provided us information about attacks that have occurred, and we have investigated the attacks, but we have not always provided information back. We realize the flow of information must go both ways," McFeely said. "As part of our enhanced private sector outreach, we have begun to provide industry partners with classified threat briefings and other information and tools to help them repel intruders."
But even that requires readiness to respond by the private sector. The survey quoted a retired FBI official saying that the agency is sharing information as quickly as it gets it, but most companies don't have response plans in place to take advantage of it.
Finally, companies must address their "technology debt," which the survey estimated will soon reach $1 trillion.
"Companies are spending their IT budgets on emerging business technologies while allowing their IT infrastructure to age and atrophy to the point that systems can't support basic data security functions," it said, comparing it to the neglect of transportation infrastructure in the U.S.
It recommended inspecting firewalls, identity management systems, operating systems, hardware, enterprise applications, routers and switches, to make sure they are current.
While deferred maintenance is nothing new, it noted, "What is new is that adversaries have raised the risk for many corporations."
Burg said that analysis of cyber incidents often finds that attackers gain entry to an organization's infrastructure "through known vulnerabilities in older operating systems, hardware, and software on which maintenance, upgrades and retirements have been delayed to meet near-term budget pressures. In effect organizations are increasing their attack surface."
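The inspection the survey recommends (firewalls, identity systems, operating systems, hardware, applications, network gear) amounts to an inventory review that flags components past vendor support, behind the current release, or outside a patching window. The script below is an added illustration of that review and is not from the survey or from Computerworld; the asset records, the 90-day patch SLA, and the dates are constructed sample values, not real systems or vendor end-of-support dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy threshold: a component unpatched longer than this is a finding.
PATCH_SLA_DAYS = 90


@dataclass
class Asset:
    name: str
    category: str                    # firewall, identity, os, hardware, app, network
    installed_version: str
    current_version: str             # latest release the vendor ships
    last_patched: date
    end_of_support: Optional[date]   # vendor end-of-support date, None if unannounced


def assess(asset: Asset, today: date) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs describing why an asset adds technology debt."""
    findings: List[Tuple[str, str]] = []
    if asset.end_of_support is not None and asset.end_of_support <= today:
        findings.append(("eos", f"vendor support ended {asset.end_of_support.isoformat()}"))
    if asset.installed_version != asset.current_version:
        findings.append(("outdated", f"running {asset.installed_version}, vendor ships {asset.current_version}"))
    lag_days = (today - asset.last_patched).days
    if lag_days > PATCH_SLA_DAYS:
        findings.append(("patch_lag", f"{lag_days} days since last patch, SLA is {PATCH_SLA_DAYS}"))
    return findings


def technology_debt_report(inventory: List[Asset], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Map each asset with at least one finding to its findings; clean assets are omitted."""
    return {a.name: assess(a, today) for a in inventory if assess(a, today)}


def prioritized(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Order assets by number of findings (most first), then by name for stable output."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed sample inventory; versions and dates are illustrative only.
TODAY = date(2013, 6, 1)
SAMPLE_INVENTORY = [
    Asset("edge-fw-01", "firewall", "6.2", "6.2", date(2013, 5, 15), None),
    Asset("dc-02", "os", "5.2", "6.1", date(2012, 9, 1), date(2015, 7, 14)),
    Asset("core-sw-01", "network", "12.1", "15.0", date(2010, 1, 10), date(2012, 12, 31)),
    Asset("hr-app", "app", "3.0", "3.0", date(2013, 3, 1), None),
]


def sample_report() -> Dict[str, List[Tuple[str, str]]]:
    return technology_debt_report(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    report = sample_report()
    for name in prioritized(report):
        print(name)
        for code, detail in report[name]:
            print(f"  [{code}] {detail}")
```

Run on a real inventory export, the report gives a ranked list of where deferred maintenance is concentrated; the end-of-support and version-gap checks identify exactly the "known vulnerabilities in older operating systems, hardware, and software" that the survey describes as enlarging the attack surface.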