In addition, most organizations do not understand who their attackers are and have not determined the most effective defensive mechanism for bringing risk to a comfortable level.
"Companies that spend more on cyber resilience do not necessarily manage cyber resilience risks in a more mature way -- many are simply throwing money at the problem," the report said.
Almost all chief information officers and chief information security officers agree that they cannot build adequate defenses against cyberattacks by themselves. Instead, they favor establishing a system for collaborating with technology providers, regulators, law enforcement and other related institutions.
"However, views vary widely on the responsibilities and effectiveness of several possible public-sector actions," the report said.
Efforts are underway for private-public cooperation in battling cyberattacks against organizations of national importance, such as financial institutions, the oil and gas industry, defense contractors and utilities.
The U.S. Department of Homeland Security is leading the Obama administration's cybersecurity initiative, which includes establishing a framework of standards and policies for mitigating risks and having government agencies share cyberattack information with the private sector.