Ninety-four percent of large businesses in the U.S. have a cybersecurity policy, according to the 2017 Cybersecurity Survey by Clutch, and most of them have had a policy for more than three years. U.S. enterprises are more likely to have a cybersecurity policy than most global organizations (two-thirds of which lack a formal cybersecurity policy), and policies most commonly include required security software, backups, scam detection and security incident reporting protocols.

Phishing attacks loom large in IT decision-makers’ minds, as 57 percent of those surveyed said their company has experienced a phishing attack in the last 12 months. Only 21 percent reported a ransomware attack on their company in the past year.

One challenge lies in getting buy-in from employees about strict cybersecurity policies. CompTia’s 2016 International Trends in CyberSecurity report cites “general carelessness” as the top source of human cybersecurity error, and the growing trend of remote working is tempting employees to circumvent or ignore cybersecurity policies to use unprotected public Wi-Fi or personal devices to access work-related data.

Seventy percent of large businesses plan to invest more in cybersecurity, according to the Clutch survey. Thirty-three percent of respondents said that investing in technology – security software, secure mobile apps – will improve their cybersecurity policy.