Even if one third of companies are protected, if two thirds of the utilities, government agencies and global corporations (the phone and network infrastructure companies, say) fail, it is doubtful the protected third could keep operating regardless of the work they have done.
I ran a security team at IBM and the security service at Giga Information group years ago, and I'm going to enhance the recommendations made in the survey with some of my own. (We put up a slideshow of the survey's recommendations if you want to share it with your people.)
Strong security has to start at the top. Executives and board members need to understand that they will be the ones explaining to customers, investors and government enforcement agencies why they didn't adequately protect their firms, especially given that a third of their peers did.
Make sure security rules and requirements are in place and set from the top. In firms where they are not, internal audit should be commissioned (this was part of my mission when I was an auditor in charge) to confirm that adequate protections are in place and to report to the board on the adequacy of security. This should be done no less than annually, and the board should receive progress reports no less than monthly on any open critical exposures until they are mitigated.
Boards should ask for and receive regular reports (at least quarterly) on known threats and whether the firm is mitigating them adequately.
The security budget should be broken out of the CIO's budget and aggregated so that both physical and electronic protections are funded and assured. This is not a "discretionary" expense any more than insurance is, and it must be adequate to protect against a catastrophic event. That also means actual insurance against related loss should be in place as well.
Finally, disaster recovery plans should assume the likely failure of key portions of the firm's infrastructure, from utilities to suppliers, should a regional or national attack succeed. These plans should cover more than the site itself: they should also spell out what employees should do if telephone and Internet service goes down or their work sites become unusable.
Wrapping Up: Out of Sight Shouldn't Be Out of Mind
With governments moving to cyber attacks, which can spread beyond their intended targets, Anonymous-like organizations picking broad targets and criminal attacks becoming more prevalent (and more expensive), boards and executives ignore this risk at their own peril and their firms'. This survey shows that the time to start mitigating these exposures was years ago, and that companies which don't catch up may not be around to regret their lack of focus. It also suggests that an attack, were it collectively damaging, could wipe out businesses and infrastructure on a national, if not global, scale. Our very survival may depend on companies and governments becoming more serious about making sure they don't become part of the coming catastrophe.