Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • 100% of web applications are vulnerable to attack. — Trustwave, 2018
  • Spam emails are on the decline, dropping from 87% of all incoming mail in 2009 to less than 40% in 2018. — Trustwave, 2018

Companies will spend an estimated $96 billion on cybersecurity efforts in 2018, but 100% of web applications remain vulnerable to attack, according to Trustwave’s eleventh annual Global Security Report, released Thursday.

The report examined how the cyber threat landscape has evolved in the past decade. In 2008, the largest cyber threats were opportunistic, with attackers trying to steal money, payment card data, and login credentials from as many people as possible by targeting a large, indiscriminate group. Today, hackers launch sophisticated, highly targeted attacks to breach their victims' networks, the report noted.

Unsurprisingly, vulnerabilities saw a sharp surge over the past 10 years, ramping up in 2012, the report found. This is due in part to the number of internet users doubling in that time frame, and to the fact that both security researchers and criminals now actively look for vulnerabilities, which the latter also sell on the dark web.

All web applications that Trustwave scanned in 2017 displayed at least one vulnerability, the report found. The median number of vulnerabilities detected per application was 11. The majority (86%) of vulnerabilities found involved session management. Only 8% were considered high risk, according to the report.

Attacks on networked devices have also increased significantly over the past decade, the report found. Devices are particularly vulnerable due to a lack of hardening in their software, and the difficulty of distributing software updates.

In better news, spam appears to be on the decline, the report found. In 2009, more than 87% of all incoming mail monitored by Trustwave was spam. Today, that number has dropped to less than 40%. Most spam is now controlled by a small number of criminal gangs that use botnets to distribute malware, the report noted.

However, PDF files are gaining traction as a delivery method for phishing attacks, the report found. These attacks trick the victim into clicking a link in the PDF that leads to a malicious site. Indeed, PDF files are more likely than any other file type to be weaponized, according to a recent Barracuda Networks report.

Business users and consumers alike must be extremely cautious when opening any unknown emails or links, even when they appear to come from a trusted source. Security professionals should also ensure that employee cybersecurity training is in place at their organization to decrease the likelihood of someone accidentally opening a malicious file or link on a work machine.