Corporate proactivity on cyber-security is picking up, but companies don’t have much confidence in their ability to prevent an attack, according to the results of a recent IT survey by consulting firm Protiviti.

Of more than 700 senior IT managers at U.S. companies, 28 percent said they saw a high level of engagement and understanding of cyber-security risks by the board of directors, and 32 percent reported a medium level of engagement. That’s a bit off from 2014, when the survey found 30 percent reporting high engagement levels and 41 percent medium engagement levels, but still an increase over prior years, says Cal Slemp, managing director at Protiviti.

In its work with companies in the field, Protiviti says it sees top management getting more involved. Board members are trying to understand complex technical issues, the investments necessary to address problems or weaknesses, and how effective proposed solutions will be. “It’s just gathering steam,” says Slemp.

As companies learn more, they increasingly believe a cyber attack is likely, the survey suggests, but are not well prepared yet to face it or respond to it. In 2015, 56 percent of IT executives said their company has a formal, documented crisis response plan that would be activated in the event of an attack, while 24 percent said they did not.

While two-thirds of organizations report being more focused on cyber-security as a result of high-profile breaches, most do not have a high level of confidence that they can monitor, detect or prevent a targeted attack. One in three companies lacks policies for information security and data encryption, the survey says. “The results are far better for top-performing organizations, a strong majority of which have such plans in place,” the study says.

Slemp says he sees in the marketplace a kind of exasperation over looming cyber threats. “Organizations are saying yes, we’ve put things up there to make sure it’s not easy for these guys, but whatever we invest is probably not satisfactory,” he says. “That’s become the prevalent conclusion in the marketplace.”

Some see that as discouraging, Slemp says, but he doesn’t see it in the same way. “It’s not a defeatist attitude,” he says. “It’s ‘I need to prepare for this, so let’s be proactive.’ I don’t think that’s a bad thing to see organizations taking that perspective.”