Is your company exposed to significant cyber risk? If not, you’re in the minority, according to a new report from RSA.

For the second year in a row, RSA, The Security Division of EMC, found that 75 percent of 878 survey respondents across 81 countries have significant cybersecurity risk exposure.

There was, however, at least one significant positive change from the 2015 survey to 2016 edition: a dramatic increase in the number of organizations that have mature cyber security programs. According to RSA, the percentage of organizations reporting advantaged capabilities – the highest category – increased by more than half over the prior index, from 4.9 percent to 7.4 percent.

Still, organizations’ overall perception of their cyber security preparedness continued to lag.

The survey showed 45 percent of those surveyed described their ability to catalog, assess and mitigate cyber risk as “non-existent” or “ad hoc.” Only 24 percent reported being mature in this domain.

“This second round of cyber security research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing,” said Amit Yoran, president of RSA, in a statement. “We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action.”

The complete report is available from RSA.