Only 31% reported including security provisions in contracts with external vendors and suppliers, and a mere 27% conduct incident-response planning with supply chain providers.
To counter, or even slow, the growth of cybercrime, experts agree that a much larger percentage of organizations need to implement those basics, which most of them call "security hygiene." Tom Bain, senior director at CounterTack, said it is important to remember that much cybercrime is not all that sophisticated, such as SQL injection and basic malware, "like a Trojan that has been around in millions of variants for years. It doesn't always have to be a sophisticated attack, or executed with precision and stealth," he said.
But beyond that, Bain said companies could actually turn the tables by "applying stealth methods of monitoring, and doing that at-scale, so that organizations can essentially spy on attackers."
Keanini recommended, "treating cybercrime as a business problem as a competitor or disrupter to one's business continuity is the first step.
"Attackers are more than anything beating defenders by their innovation and creativity," he said. "It is time that defenders meet them on these terms and outplay them for once."
Healey believes that the market, not government regulation, has the best chance of making companies take cybersecurity seriously, and that the most effective way to achieve it is through shareholder pressure.
In a recent column in U.S. News & World Report, he argued that the road to real reform should start in Omaha, Nebraska, home to the iconic "Oracle of Omaha" Warren Buffett, and then proceed to Sacramento, Calif., home to one of the nation's most activist investor groups, CalPERS (California Public Employees Retirement System).
If Buffett, famously risk averse, were to reject investments in companies that didn't take cybersecurity seriously, "every other investor, corporate board director and executive would take notice," he wrote. "Perhaps not even President Obama could command such attention on the issue."
CalPERS, he said, even when it is a minority shareholder, has been effective in a grassroots way in pressing companies to change policies or actions that it believes will hurt the long-term value of its shares.
"I think that's a great approach," Healey said. "Convince shareholders that they're at the risk of losing." Companies are much more likely to respond to that kind of pressure than to another round of government regulations, he said.
"I say let's start with market solutions," he said.