The bad news: cyber attacks are a legitimate concern for businesses. Even worse news: Your IT department does not think it is prepared for the attacks.

These are the findings of a new study by security solutions provider Bit9, which surveyed nearly 2,000 IT and security professionals worldwide earlier this year. Of those surveyed, 66 percent worked in organizations with more than 500 employees.

The study found that almost two-thirds of IT professionals surveyed felt that their company would be targeted for a cyber attack in the next six months, according to the study. Cyber attacks are not just media hype, according to IT professionals.

At the same time, however, many in enterprise IT do not feel that their organization is sufficiently prepared for a cyber attack.

“IT and security professionals are not confident that their current cyber security is highly effective at protecting their most important and most vulnerable machines,” noted the study, citing infrastructure servers as the biggest concern.

Where security is most lax, at least in the eyes of the IT professionals surveyed, is endpoints such as laptops and desktops; roughly 74 percent of respondents feel their endpoint security is ineffective.

The most anticipated method of attack is malware; nearly half of all those surveyed cited trojans, rootkits, worms, viruses and other malware as the chief threat.

“The next most cited attack was spear phishing at 16 percent,” wrote Bit9 in the study. “Both of these methods are common components of advanced attacks. It was a spear phishing attack that targeted an executive at RSA, a division of EMC (News - Alert), in the recent SecurID token hack. Zero-day malware then leveraged a flaw in a desktop application to install a backdoor.”

Anonymous hacktivists are the culprits that keep IT up at night, among those questioned, with state-sponsored cyber terror being a particular concern.

At least in the eyes of enterprise IT professionals, the solution is improved security policies and beefed-up best practices; it isn’t a radical new approach that is needed, just attention to implementing good security policies by and large.

“The majority believe that the implementation of best practices and better security policies will have the biggest impact on improving cyber security against advanced threats,” noted Bit9.

Legislation to improve security, while nice, is not going to help according to those surveyed.

“Despite all of the cyber security legislation, IT and security professionals do not have faith in regulated solutions; only seven percent cited governmental legislation as having any impact on improving security,” the study noted.

So while businesses may be at risk, safety is just a matter of due diligence.