Cyber attacks via cloud-based applications and spam are on the rise this year, according to Cisco’s 2017 Annual Cybersecurity Report, released Tuesday.

Some 27% of connected third-party cloud applications introduced by employees into enterprises in 2016 posed a high security risk, the report found.

And, after dropping to their lowest level in a decade in 2015, spam attacks are on the rise once again, Cisco stated. Today, nearly two-thirds of emails are spam, with 8-10% marked as malicious, according to the report. Spam’s resurgence is due in part to the rise of large and spreading botnets, the report said.

Why the rise in attacks? In part, it’s because enterprise security departments are growing in complexity: 65% of businesses surveyed use anywhere from six to more than 50 different security products, which increases the potential for security gaps, Cisco noted. To take advantage of these gaps, cybercriminals have taken “classic” attack vectors such as adware and email spam to new levels.

Security breaches come at a high cost: More than one-third of businesses that experienced a security breach in 2016 reported customer, opportunity, and revenue loss of more than 20%.

Nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries participated in the Cisco report.

Just 56% of security alerts are investigated, Cisco found, and less than half of legitimate alerts are remediated. Budget concerns, poor compatibility of systems, and a lack of trained talent were the largest barriers to advancing enterprise security, the CSOs reported. Indeed, 57% of businesses recently reported major issues finding and recruiting talented IT security staff.

The vast majority of organizations (90%) that experienced a cyber attack are working to improve threat defense technologies and processes, the report found. Common tactics include separating IT and security functions (38%), increasing security awareness training for employees (38%), and implementing risk mitigation techniques (37%).

To better prevent, detect, and mitigate threats, Cisco recommends the following tips:

1. Make security a business priority: Executive leadership must own and evangelize security and fund it as a priority.

2. Measure operational discipline: Review security practices, patch, and control access points to network systems, applications, functions, and data.

3. Test security effectiveness: Establish clear metrics. Use them to validate and improve security practices.

4. Adopt an integrated defense approach: Make integration and automation high on the list of assessment criteria to increase visibility, streamline interoperability, and reduce the time to detect and stop attacks. Security teams then can focus on investigating and resolving true threats.

“In 2017, cyber is business, and business is cyber–that requires a different conversation, and very different outcomes,” said John N. Stewart, Cisco’s senior vice president and chief security and trust officer, in a press release. “Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk.”