The research suggests that only 28 percent of cyberattacks against businesses were reported to the police, despite many police forces now having dedicated cybercrime divisions.
While it's likely that fear of damage to reputation is keeping many businesses from even alerting the authorities to incidents, the Institute of Directors argues that every crime "as a minimum" should be reported to Action Fraud Aware, the UK's national reporting centre for fraud and internet crime
However, businesses aren't even undertaking this minimal reporting of cybercrime, the report found, because 68 percent of respondents suggested they weren't even aware of the organisation.
That's just one example of a disconnect between how cybersecurity is described as a priority for many businesses, but only a fraction are actually taking action in order to properly react to and protect themselves from such an incident.
Indeed, the report finds that whilst nine in ten business leaders said that cybersecurity was important, only around half had a formal strategy in place to protect themselves and just a fifth held insurance against an attack.
"Cybercrime is one of the biggest business challenges of our generation and companies need to get real about the financial and reputational damage it can inflict. The spate of recent high-profile attacks has spooked employers of all sizes and it is vital to turn this awareness into action," says Professor Richard Benham, professor in residence at the National Cyber Skills Centre and author of the report.
Professor Benham suggests that organisations must act and take cybercrime as seriously as they would a real, physical theft in the real world; "No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don't seem to think a cyber breach warrants the same response," he says.
The answer that's often suggested, Professor Benham says, is that cybersecurity must become a companywide issue, rather than just something IT is expected to take total responsibility for.
"Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cybersecurity policy, educate their staff, review supplier contracts, and think about cyber insurance."
The report also demonstrates confusion about data storage, another factor which is potentially putting businesses at risk of data theft.
While 59 percent of organisations say they outsource their data storage, 43 percent of those have no idea where that data is physically stored. That in itself, says the report, creates risks as the data might fall under unknown requirements about disclosure.
Cloud companies, the report says, may seem like they offer greater protection for sensitive data which companies want to keep safe, but ultimately cloud is just someone else's server and "faces the same risks of being hacked, neglected or compromised by staff as other businesses".
Ultimately, the report concludes, businesses must work more closely with the authorities in order to reduce the risks of cyberattacks.
"Cybersecurity is a critically important national infrastructure requirement and the role of GCHQ, working with and protecting businesses from international threats, will increase," it says.