Many firms with security budgets up to $1m had been infected with a virus at least once in the past year.
More than two-thirds of finance and energy firms predict that their organisation could be targeted by Advanced Persistent Threat (APT) targeted malware attacks or other sophisticated cybercrime in the next year.
A survey carried out by Opinion Matters on behalf of ThreatTrack Security found that 38% believe an attack is either a "certainty" or "highly likely."
Across the two industries, about 44% of the energy firms said that an attack is "a certainty" or "highly likely", while 31% of the financial services companies believed so.
The survey of 200 IT security managers or IT security administrators found that the biggest threat to the energy companies is hacktivists while the biggest threat to financial services companies is organised cybercrime syndicates.
About 61% of energy firms believe that email is the biggest carrier of malware, while 42% of financial services firms cited the web as the biggest vector.
A further 39% said email was another big vector of malware.
The researchers said that many of the companies may be overlooking malware threats as only 3% of respondents said mobile is the biggest threat vector.
ThreatTrack Security president and CEO Julian Waits Sr said that, given the importance and value of the data that energy and financial services firms have access to, it is no surprise that they are being targeted aggressively by hackers.
"The question is, what can these organizations do to better stabilize their cyber defenses, in both their own self-interest, and to protect critical U.S. infrastructure?" Waits said.
"It's good to see these firms are planning to train their IT teams on the latest cybersecurity technologies and strategies, and that they are going to invest in advanced malware detection. The time to act is now, or the next big data breach could be one that doesn't just affect our wallets."
About 34% of those surveyed said that their endpoints have been infected in the last year with a threat that was not detected by traditional signature-based defences such as antivirus, email security or firewalls.
About 70% of respondents said firms with security budgets between $500,000 and $1m had been infected with a virus at least once in the past year.
12% of the energy companies anticipate hacking attacks from foreign governments, while fewer than 10% of energy firms or financial services firms fear insider threats.
Half of the companies planned to get their existing IT employees trained on new technologies, and 35% said that they will revamp their policies limiting network access and educate their employees.
Another 34% plan to invest in advanced malware detection technologies.