Would you dub 2011 the "Year of the Security Breach?" That's what IBM (NYSE: IBM) is calling it because so far this year, the percentage of critical vulnerabilities it is detecting has tripled.

Last week the company put out its "X-Force 2011 Mid-Year Trend and Risk Report," which draws on public vulnerability disclosures in addition to IBM's own monitoring and analysis of an average of 12 billion security incidents a day.

Twelve billion security events a day? That sounds like it could be a headline unto itself--until you look at IBM's forecast. By year's end, there will be twice as many mobile exploit releases this year as last. New threats are continuously appearing, and the level of sophistication and planning behind them is escalating.

Smartphones and tablets are a source of growing security anxiety, and their vulnerabilities are well-documented. Many vendors are pokey in releasing security updates for mobile phones, and third-party apps have become a major distribution channel for malware.

"For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices," noted Tom Cross, manager of threat intelligence and strategy for IBM X-Force. "It appears that the wait is over." 

The rising sophistication of online attackers is also illustrated by the trajectory of email scams. The phishing scam in recent years morphed into the spear-phishing scam as attackers learned to target their schemes more closely. And now the targeting has become even more insidious as attackers go "whaling," in an effort to con an organization's biggest fish to give up access to highly critical information.

With an eye to netting strategic data, they study a target's online profile to come up with a sufficiently compelling email lure to trick even savvy users into biting.

IBM notes that there has also been an upswing in attacks by "hacktivists," who are out to make a political statement, rather than line their pockets. They tend to use "off-the-shelf attack techniques" like SQL injection. There have been more than four times as many anonymous proxies, which let individuals conceal potentially bad intentions, this year than three years ago.

The problem isn't that IT groups don't know what to do to protect their networks from these attacks--it's that users across the company aren't following best practices.

One glimmer of hope in the IBM report may be buried in the finding that security is "becoming a business-level issue." If you're reading this, it's unlikely that the trends uncovered by IBM come as a surprise. You've seen it all coming for years. The difficulty in combating the growing threats has been in trying to persuade the budget keepers. But now it appears that the threats are becoming more apparent to businesses, and the old adage that companies can't see the value in security investments until it's too late is no longer universal. Enough organizations have been hit with real business problems because of the growing security challenges that the risk to the bottom line is starting to be clearer.

By the way, if I'm spending too much time writing about security in this space, and you'd prefer to read less about that and more about other topics here, let me know. - Caron