When it comes to smart cybersecurity investments, most U.S. organizations dawdle.
FORTUNE — Cybersecurity is no longer just an afterthought; it’s a core part of any successful business strategy. Yet in the battle to secure cyberspace — where cybercriminals are becoming ever more adept at looting precious data — many U.S. organizations are not wisely defending themselves.
According to a new report from PricewaterhouseCoopers, most U.S. organizations are not prioritizing their security spending or appraising their digital assets. Of the more than 500 U.S. businesses, government agencies, and law enforcement services that responded to the survey, only 38 percent said they strategically invest in cybersecurity based on risk and impact to business. And just 17 percent reported taking steps to identify which business data are most important.
“Our respondents in the survey continue to fail to adequately allocate resources necessary to address the cybersecurity risks that we see out there in the marketplace. It’s disappointing,” said David Burg, Global and U.S. Advisory Cybersecurity Leader at PwC, which partnered with CSO magazine, the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service on the survey. “Unfortunately, we’ve seen this pattern manifest for a number of years.”
PwC’s findings are consistent with a survey it conducted last year that found an identical 17 percent of respondents who reported classifying the business value of data. (The earlier survey was far broader and collected responses from more than 9,600 senior leaders across the globe. It was also the first time the question was added to the smaller, U.S.-centric survey.)
“There’s a real large gap that needs to be filled in terms of companies all around the world — not just in the U.S. — taking the time necessary to actually have a smart cybersecurity strategy, and then to execute that strategy,” Burg said.
In the latest survey, more than three quarters of respondents reported a security incident in the past year, and the number of security incidents detected over that period averaged 135 per organization. Just over one-third of respondents said that the frequency of security events has increased since last year. Fourteen percent reported losing more money to cybercrime in the last year, estimated at an annual average of $415,000.
Perhaps most surprising: 67 percent of respondents who detected a security incident were unable to estimate how much it cost. Given the frequency of high-profile data breaches at Target, eBay, and other large companies this year, it is perhaps unsurprising that three-fifths of respondents reported being more concerned about cyber threats this year than last.
“The increasing sophistication of cyber criminals and their ability to circumvent security technologies indicates the need for a radically different approach to cybersecurity,” said Ed Lowery, Special Agent in Charge for the Criminal Investigative Division of the U.S. Secret Service, in the survey’s press release. “A balanced approach that, in addition to using effective cybersecurity technologies, develops the people, processes, and effective partnerships in order to strategically counter cybersecurity threats.”
Other findings from this year’s survey include a lack of attention to the security practices of contractors, supply chain partners and other third-party business partners. Less than half of the group surveyed reported having a process for evaluating third parties before they launch business operations, and fewer than a third included security provisions in contracts with external vendors and suppliers.
Despite acknowledging that they spend 76 percent less on security incidents when employees are properly trained, less than half of respondents admitted that they do not offer security training to new hires. And though respondents acknowledged the rapid adoption of mobile technologies, “We don’t see investment in security or security capability really following that,” Burg said.
Burg called the current state of affairs “a strategic lagging problem” — meaning that senior executives are aware of security issues but need more time to execute the necessary changes within their organizations.
“This is a business transformation exercise,” Burg said. “Transformation takes time, and it takes focus, and it takes commitment, and it all begins at the top of the house.”