The CSTB, a part of the US National Academy of Sciences in Washington, also said software and computer vendors should be held liable for system breaches if they do not drastically improve the security of their products.
The panel asserted that many corporate users "tend to under-invest" in IT security measures.
The report's findings were drawn from information contained in National Research Council reports over the past 10 years.
"From an operational standpoint, cybersecurity today is far worse than what known best practices can provide," said the report. "Even without any new security technologies, much better security would be possible if technology producers, operators of critical systems and users took appropriate steps."
Many companies do not implement the necessary level of security because doing so can be expensive, the report said. The CSTB also acknowledged that the return on investment is uncertain "because serious cyberattacks are rare." However, skimping on security could be catastrophic for companies, the CSTB warned.
Eric Hemmendinger, an analyst at Aberdeen Group, said the concerns raised by the CSTB are not entirely new, though he agreed that many users still do not do enough to protect themselves from cyberattacks.
"Companies are more concerned with risk management than with risk elimination," Hemmendinger said, adding that IT managers need to "determine what their comfort zone is" when deciding how much to invest in security.
Some IT managers elect not to do more to protect their systems because such investments would consume money and personnel that are needed for other technology projects, said Pete Lindstrom, an analyst at Hurwitz Group. "It's hard, tedious work, and not everyone is willing to put in the effort," Lindstrom said. "It's easier to pay lip service to security."
As a result, he added, security considerations often take a back seat when companies set plans for developing and managing IT installations.