American firms are wasting $1.3m (£860,000), or 21,000 hours a year, on false positive security alerts, according to the Ponemon Institute.
A survey by the research group found companies were receiving 17,000 alerts a week on average, yet only a fifth were thought to be reliable.
Brian Foster, CTO of security firm Damballa, which commissioned the research, said: "These findings confirm not only the sheer scale of the challenge for IT security teams in sifting out the real threats from tens of thousands of false alarms, but also the huge financial impact in terms of time."
"The severity and frequency of attacks is growing, which means that teams need a way to focus on responding to true positive infections if they are to get a firmer grip on their security posture."
Only two-thirds of those surveyed said they had a structured approach to malware containment, even though 60% agreed that the severity of malware infections had risen.
A mere 41% were using automated intelligence tools, which cybersecurity companies such as Intel Security and Darktrace are now pushing as the solution to the growing threat online.
"It’s more important than ever for teams to be armed with the right intelligence to detect active infections to reduce their organization’s risk exposure and make the best use of their highly-skilled, limited security resources," Foster added.