There are enough details in Hewlett Packard Enterprise Co.’s new Cyber Risk Report to induce a headache in all but the most dedicated security wonks, but that isn’t a bad thing. Rather, it’s a testament to the scope and depth of analysis in this 96-page document released today by HPE Security Research.

HPE summarizes the rapid changes in the security landscape in the form of seven key themes that dominated 2015 and will set the agenda for the security industry moving forward.

One of the most intriguing is the researchers’ designation of last year as “the year of collateral damage.” In other words, attacks affected people who had no expectation or even knowledge that they were at risk. Beginning with the Sony Pictures Entertainment Inc. breach in late 2014 and continuing through the attacks upon the United States Office of Personnel Management and Avid Dating Life Inc.’s Ashley Madison website, information was disclosed that had devastating – even life-threatening – consequences on those affected. While it’s hard to feel much sympathy for the Ashley Madison victims, their plight signifies the end of the illusion of privacy on the Internet.

Legislative and judicial actions on both sides of the Atlantic have had impacts far beyond the courtroom, most of them bad. The entire tech industry is being whipsawed by the debate over where personal privacy ends and national security begins. There are no winners in this argument, the researchers conclude. “While the intent to protect from attack is apparent, the result pushes legitimate security research underground,” they state. “To be effective, regulations impacting security must protect and encourage research that benefits everyone.”

Action in apps

Research has never been needed as much as it is now. Traditional attack prevention methods such as patches and perimeter security controls are proving less and less effective, the researchers say. Attackers are beginning to turn their focus away from servers and operating systems and toward applications, which they see as the fastest route to valuable data.

And they aren’t just going after credit cards anymore. Medical records, for example, can fetch ten times the price of financial data on the black market,  and the use of those records for insurance fraud ends up costing us all.

Attack vectors have also changed. “The perimeter of your network is no longer where you think it is,” the report states. “With today’s mobile devices and broad interconnectivity, the actual perimeter of your network is likely in your pocket right now.”

Your pocket isn’t a very safe place, judging by the report’s findings on mobile security. Researchers are now discovering an astonishing 10,000 new mobile threats every day. About 75 percent of the mobile applications that were scanned exhibited at least one critical or high-severity security vulnerability, compared to 35 percent of non-mobile applications. Attackers are seeking to exploit users’ false sense of security about mobile devices and their tendency to store unencrypted personal data there.

Some of the more interesting mobile exploits use text messages to prompt users to launch webpages that then infect the phone. Of course, there are lots of nasty things a compromised phone can do that a PC can’t, such as recording voice conversations and even video without the user’s knowledge. This is a whole new area of vulnerability that researchers are just beginning to understand.

Money machines at risk

The report also features an interesting section on automatic teller machine (ATM) exploits, which are increasing in frequency and severity. While ATM malware attacks have been around for a decade, “they have risen exponentially in frequency in the past few years,” the report says. One surprising fact: 95 percent of ATMs use a locked-down version of Windows XP, which Microsoft stopped supporting nearly two years ago. Although bank ATMs are never connected to the Internet without strong encryption, that isn’t always true of the kiosks you find in convenience stores. Some even use dial-up telephone lines for communication and many are vulnerable to infection by credit card or other physical device after hours when no one is looking.

A security report wouldn’t be complete without a look at the human oversights and negligence that are the biggest culprit in security breaches. Disappointingly, HPE reports that the top 10 vulnerabilities exploited in 2015 were more than a year old, and 68 percent were three years old or more. Almost 30 percent of all successful exploits in 2015 used a 2010 Stuxnet infection vector that has been patched twice.

The blame doesn’t necessarily fall on users. “The most common excuse given by those who disable automatic updates or fail to install patches is that patches break things,” the report notes. “Software vendors must earn back the trust of users—their direct customers—to help restore faith in automatic updates.”

One interesting sidelight in the report is a section on “ransomware,” or software that renders a device or data useless until the user pays a fee. Ransomware has been around on desktop PCs for some time, but it’s finding a new and flourishing playground on mobile devices. Typically, the user is tricked into installing an app that appears to be useful but which then attempts to encrypt documents, images and multimedia files. It then typically displays a warning that appears to come from law enforcement agencies instructing users how to pay to get their data back.

While HP doesn’t provide any estimates of the growth in ransomware infections, it does present an impressive laundry list of examples and points to a lot of background information on the forms this type of malware takes. The best protection is to keep up-to-date backups so the ransoms, which can run as much as $600, don’t have to be paid.

There are also interesting sections on vulnerabilities in Adobe Flash and Adobe Reader, as well as extensive analyses of threats by platform and much more. The scope of the report is impressive, and more than a little scary.