
Startups or Targets? Silicon Valley Has Let Its Cybersecurity Guard Down, Experts Say

July 17, 2019, 2:08 AM UTC

Silicon Valley has its guard down when it comes to the threat posed by state-sponsored hackers and snoops.

That was the consensus of a group of cybersecurity experts in a roundtable discussion at the Fortune Brainstorm Tech conference in Aspen, Colo., on Tuesday.

“I think people in the Valley are naïve to the foreign nation-state threat,” said Tim Junio, the co-founder and CEO of Expanse, a San Francisco-based startup that helps clients monitor and reduce their digital “attack surface” and whose investors include TPG Growth, Palantir Technologies co-founder Peter Thiel, and Michael Dell. “It’s incredibly rare—and late in the game—for companies to think about the fact that foreign actors are going to recruit people to penetrate their networks.”

The biggest companies are acutely aware that foreign governments are looking to access their networks through any means available—whether by hacking in from outside or planting a spy inside. But startups are much less likely to view themselves as potential targets of state-sponsored activity.

“I do think that in Silicon Valley the smaller companies are not as aware as they should be of the threat of insider breaches and foreign players like China,” said Michael Brown, former CEO of cybersecurity software company Symantec and now the director of the U.S. Department of Defense’s Valley-based Defense Innovation Unit. “Should that be,” he added rhetorically, “something that our government should protect?”

The relationship between Washington D.C. and Silicon Valley has been the subject of debate this week after inflammatory comments made by Thiel in a speech on Sunday. Thiel, a Facebook board member, criticized Alphabet subsidiary Google for its decision not to continue a contract that gave the Department of Defense access to its artificial intelligence capabilities.

But Brown said that the idea of a rift between the Valley and federal government was overblown. His Defense Department unit, he said, receives a lot of support from the tech community. “We see lots of companies that want to help,” said Brown. “When we send out a request, we typically get 30 to 40 responses inbound.”

One way to combat the threat from foreign governments and criminal hackers alike is for companies to focus on promoting and enforcing better cyber “hygiene” in their workforce.

Dorian Daley, executive vice president and general counsel of tech giant Oracle, said that the company has a security oversight committee of top execs that convenes on a quarterly basis to drill down on security issues. “We have what I call a ‘corporate colonoscopy,’” said Daley. “People need to be held accountable. They need to be called on the carpet.”

Vigilance from the top down is crucial, but it’s not going to make the threat go away, argued Dmitri Alperovitch, the co-founder and CTO of cybersecurity firm CrowdStrike, which held an IPO last month. Certain foreign governments, according to Alperovitch, pose an ongoing threat.

“There are only four problems in cybersecurity: China, Russia, North Korea, and Iran,” said Alperovitch, perhaps half joking. “It’s not just the nation-state hackers. A lot of the criminals are operating out of those countries as well.” And if a network has a weakness, they’ll find it eventually.
