Nearly 3 in 5 (58%) organisations admit that they currently only respond to threats as they occur, or after the damage has already been done.