Cybersecurity study reveals mismatch between awareness and preparedness

Although an average of 69% of senior security leaders polled by the Ponemon Institute said they expected a serious cyber attack, only 17% said their organization had a collaborative strategy that included other organizations in their industry.

Fewer still, only 15%, said they had a collaborative strategy that included other organizations and the government, according to a US and European cybersecurity readiness study commissioned by Hewlett-Packard.

"An overwhelming majority expect something serious to happen, but the same majority are not really doing enough about it," said Peter McAllister, head of HP Vistorm's cybersecurity practice.

Just over half said they had a go-it-alone strategy and 17% had no coordinated strategy at all.

"While 21% recommended a collaborative strategy that includes other organizations in the same industry, in practice, those exist only in the loosest form and tend to rely on personal relationships," said McAllister.

"What leaps out of the page is a total lack of co-ordination across market sectors and within government on how the core government functions and the CNI go about defending themselves," he said.

"What we want is to encourage that same risk-based approach in government organizations and private corporations," he added.

A risk-based approach will enable organizations to understand their risks better and, consequently, to decide where to direct their investment, said McAllister.

"It is surprising how few organizations are doing it. Most are not doing that basic thinking before investing," he said.

On the positive side, McAllister said the Ponemon study highlighted several things organizations that are succeeding in mitigating cyber risks have in common.

More than 75% of them use security information management systems; they understand what it means to be part of the CNI (critical national infrastructure); they make a genuine effort to educate people and to operate security controls, rather than taking a tick-box approach to audits; and they adopted early on the role of a chief information security officer (CISO) who is neither a generalist nor a technologist.

The most effective CISOs, the study revealed, had an intelligence or law enforcement background and had been brought in from outside.

"This indicated that they were probably going to be more successful at expressing the consequences of the technology risk they were addressing to a non-technical board because they had a better domain understanding of risk rather than a technical understanding," said McAllister.

Successful CISOs were also either a full board member or a direct report to a listening chief operating officer, he said.

Overall, the Ponemon study shows there is serious work to be done on coordinating the government response, particularly where it touches the CNI, said McAllister.

"Lots of people [are] doing good thinking about it and some good groundwork is being done in terms of maturity models and risk tools, but there is significant room for improvement," he said.

This story was first published by Computer Weekly