A recent Lastline survey of 134 Black Hat USA 2017 attendees found that almost 55 percent of respondents' organizations have suffered a cyber attack -- and 84 percent of those whose companies were hit attribute the breaches at least in part to human error.
Forty-three percent of respondents said technology detected the attack but their security team took no action, and another 41 percent attributed the breach to a combination of technology failure and human error.
Twenty percent of respondents said their organizations have been hit with ransomware. Among those that were hit, just 8 percent paid the ransom, while almost two thirds refused.
Only 1 percent of respondents think ransomware is the most profitable form of cybercrime with the lowest risk of being caught, while 43 percent think the same of cyber espionage, followed by financial fraud/embezzlement (31 percent) and online banking fraud and identity theft (25 percent).
Just 28 percent of respondents said they completely rebuild a computer's software after a malware attack, while 46 percent manually remove the malware and 24 percent rely on anti-virus software to identify and clean it. Of the three, only a rebuild from a known-good image reliably removes persistence mechanisms that manual cleanup or an anti-virus scan did not detect.
Notably, 42 percent of respondents said they have no helpful resources for understanding and mitigating attacks. Fifty-two percent seek information online from experts and vendors, and 19 percent turn to peers.
When asked if black hat hackers should be hired for penetration testing of security systems, six out of ten respondents were open to the idea, while 43 percent said they absolutely shouldn't be.
Separately, recent UK government research found that 68 percent of boards at FTSE 350 companies haven't received training to deal with a cyber incident, despite 54 percent saying cyber threats present a leading risk to their business.
Ten percent of FTSE 350 companies are operating with no cyber security incident response plan, and just 31 percent of boards receive comprehensive cyber risk information.
"Cyber attacks continue to pose a growing threat to business," Paul Taylor, UK head of cyber security at KPMG, said in a statement. "While cyber security has cemented itself onto the board's agenda, they often lack the training to deal with incidents."
"This is hugely important, as knowing how to deal confidently with an incident in the heat of the moment can save time and money," Taylor added. "The aftermath of a cyber attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge."
Still, High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet by email that it would be a mistake to shift all the responsibility to C-level management.
"Top management should unquestionably be involved in cybersecurity strategy, data protection and privacy," Kolochenko said. "But we tend to shift the entire burden onto them, forgetting that C-level managers have much bigger and vital problems to take care of, from vigorous competition with China to disruption of usual business processes with emerging technologies such as AI or blockchain."