Nearly half (46%) of British businesses discovered at least one cybersecurity breach or attack in the past year, a government survey has indicated.
That proportion rose to two-thirds among medium and large companies.
Most often, these breaches involved fraudulent emails being sent to staff or security issues relating to viruses, spyware or malware.
The survey was completed by 1,500 UK businesses and included 30 in-depth interviews.
The government said a "sizeable proportion" of the businesses still did not have "basic protections" in place.
While many had enacted rudimentary technical controls, only one-third had a formal policy covering cybersecurity risks.
Less than a third (29%) had assigned a specific board member to be responsible for cybersecurity.
Businesses' susceptibility to cyber-attacks was a known issue, noted Prof Andrew Martin at the University of Oxford.
"A lot of businesses have responded to the problem with a box-ticking exercise or by paying an expensive consultant to make them feel better - it's far from clear that what people are doing is protecting them very well," he told the BBC.
He added it remained difficult for most people to distinguish malicious emails or websites from safe ones.
"It's all very well to say don't open emails from an unknown source - but most of us couldn't do business if [we] didn't do that," he added.
The government's survey indicates, however, that fewer businesses in 2017 consider cybersecurity to be of "very low priority". It said 74% now agreed it was a high priority issue for senior management.
The report also highlighted some unusual cybersecurity cases.
It said a large materials supplier for the construction industry faced "significant and ongoing" attacks, despite not having any e-commerce activities of its own.
"This included over 3,000 phishing emails a month and various ransomware attacks," the report noted.
Phishing is a form of cyber-attack in which emails with malicious links or attachments are disguised as genuine.
The most damaging case of ransomware at the firm in question caused its IT team to lose "around two weeks" of productivity.
Since then, the business has reviewed its cybersecurity policies.