More than two thirds of companies say their directors have no training in responding to cyber-attacks, according to a government survey.
Of 105 businesses in the FTSE 350 questioned, one in 10 revealed they have no plan to cope with hacking.
Digital Minister Matthew Hancock said May's NHS attack showed the "devastating effect" of breaches.
He urged companies to take advice and training from the National Cyber Security Centre.
The Cyber Governance Health Check - an annual survey - found that 54% of company boards said computer hacking was one of the main threats to their business.
But 68% of them had no specific training to deal with a hacking incident.
The survey found some progress, however, with 31% of boards receiving comprehensive information about computer security risks, compared to 21% in 2015-16.
Mr Hancock said: "We have a long way to go until all our organisations are adopting best practice."