The CSIS study also found that the public sector remains the most common target, but key enforcers aren't sure legislation is the solution.
The world lost an estimated $600 billion to cybercrime in 2017, according to a report from McAfee and the Center for Strategic and International Studies.
"It's changing everything we do," said Howard Marshall, deputy assistant director for the FBI's cyber division, at a Feb. 21 CSIS event releasing the report, which surveyed about 20 percent of the world's countries.
"We are learning very quickly that our organization chart in the FBI -- that's been around for decades -- may not be prepared to handle the problem as its expanding," Marshall said, adding that the cyber division is spreading laterally across other divisions, such as criminal investigations, counterterrorism, and counterintelligence.
Cyberattacks cost the U.S. between $57 billion and $109 billion in 2016, according to the White House's Council of Economic Advisers report released February 16.
The public sector was hit hardest by far in 2016 with 21,239 cyber incidents -- 20,751 of which targeted large organizations -- and 239 known breaches, the CEA report found.
But the McAfee-CSIS report also found that North America's economic losses trailed behind Europe's and Asia's.
The report comes as policymakers grapple with how to best regulate cybersecurity and ensure individuals are protected by the government and private companies that collect their data.
But Marshall said that while the U.S. hasn't quite figured out the answer, he isn't sure a punitive legislative effort like the European Union's General Data Protection Regulation, which will be implemented in May and carries a 4 percent global revenue penalty, is the right solution.
"We don't have that in the United States. A highly punitive legislative attempt at convincing people that data protection is important. I don't think anybody thinks legislation is the right way to go," Marshall said "If we wait around long enough and the industry doesn't somehow figure out how to police itself, my fear is that's going to be the response."
"We're all standing around trying to figure out what to do," he said.
That's also true to some extent for government, which faces cultural challenges among its workforce. John Felker, the director of the Department of Homeland Security's National Cybersecurity Communications Integration Center, said government organizations must share information with the private sector and prepare their workforce for a bad day.
"Most of the attack vectors that we see are human generated," Felker said. "It's no longer the idea where the bad guys are going to hack into from some really highly technical means. It's usually a phishing email and someone who clicks on the wrong link."