Emails to unleash malicious content, accidental and intentional insider threats, and advanced evasion techniques were among the chief cyber security concerns facing organizations outlined in a new report by Forcepoint, the cyber security segment of Raytheon [RTN].

The primary communication channels for cyber criminals are the web and email and there was a 250 percent increase in 2015 over 2014 in malicious content found in emails, says the reportForcepoint 2016 Global Threat Report, which was released on April 26.

The “reemergence of emails as one of the key tools that cyber criminals are using” was a “surprise to me,” Richard Force, chief scientist at Forcepoint, told sister publication Defense Daily in an interview on April 25 ahead of the release of the report. “You think of email sometimes as being a bit played out but apparently it’s not.”

Ford adds that email is a popular attack vector because “It works.”

The report says that the increase in malicious emails was driven by malware and ransomware, adding that ransomware is being more focused on targets where “a high ransom is likely to be paid.”

The report shows that spam email declined in 2015 to 68 percent of all email from nearly 89 percent in 2014, which was the high over the past five years. In 2011 spam accounted for 74 percent of emails, the lowest previously reported by Forcepoint.

Forcepoint was established in January following Raytheon’s acquisition in 2015 of Websense and the acquisition of two business lines from Intel [INTC] in 2016. Vista Equity Partners has a 20 percent stake in Forcepoint.

Another highlight from the report is that insider threats, both accidental and malicious, are the top threat to company security yet companies don’t feel well prepared for. It says that employee error or negligence accounted for nearly 15 percent of data breach incidents in 2015, adding that “organizations continue to use ineffective means to educate staff, and employees remain unaware of how to exercise good security practices at work.”

Forcepoint says that an insider threat program should combine communicating policies for how technology should be used, processes to segregate duties, technology controls, risk management, and auditing and monitoring.

The report discusses a case study by the company that is being disclosed for the first time describing a “typical insider threat scenario,” in this case an organization being downsized following merger and acquisition activity led to “a surprisingly large number of engineers” attempting to steal confidential data after being informed of impending layoffs that would include “a generous severance package” in return for intellectual property and assets remaining in-house.

The report is based on data gathered from more than three billion data points a day in 155 countries.

Ford’s office says in the report that with M&A activity rising, merging companies “increases the complexity in protecting an organization’s sensitive data.”

Forcepoint also focuses on the increasing use of cloud infrastructure and related security concerns. Interestingly, it says that even in cases where organizations are not adopting the cloud, a “shadow” information technology infrastructure exists as employees, groups and even divisions make use of cloud applications and infrastructure to be more productive even if these channels haven’t been approved.

“This creates the possibility for unsanctioned technology to disrupt an organization’s security and compliance posture, exposing it to unwanted an unplanned-for risks,” the study says. It adds that “only 8 percent of companies know the scope of shadow IT at their organizations.”