It’s the end of the year, and time for the lists. We recounted SC Magazine’s top security breaches of the year (and what we haven’t learned from them); now it’s time for the top security threats of the year, according to CSO Magazine. There’s a big distinction – while the former deals with what happened, the latter is concerned with how it happened.

CSO interviewed a number of security pros about what keeps them up at night, and much of it seems to be evolutionary, rather than brand-new threats.

For example, phishing attacks have become more sophisticated. They were once riddled with typos, grammatical errors and other dead giveaways, says John South, CSO at Heartland Payment Systems, which has had its share of high-profile security breaches.

And distributed denial-of-service attacks have become much more powerful; while a 2012 DDoS attack might have slammed a Web site with 3 or 4 Gbps of traffic, new attacks have bursts of 100 Gbps, leaving security schemes designed around the smaller volume vulnerable, South says.

While many companies are focusing on protecting their systems from attackers outside the perimeter, the insider threat remains one of the most potent, according to Michael Cox of SoCal Privacy Consultants. Since insiders have trusted access to the most valuable information, their breaches can be the most damaging. And it’s often not even malicious; inadequate awareness and training programs are often the root, Cox said.

There are two other issues related to the insider-access problem. Third-party contractors aren’t always vetted and monitored adequately, and former employees often don’t have their access completely severed when they leave the company, according to Timothy Ryan of Kroll Advisory Solutions.

Vulnerabilities in applications themselves continue to be an issue, said South. And application vulnerabilities will only become more challenging with BYOD (bring your own device), mobility and remote access in the ascendancy. Pushing an application beyond the firewall and onto a device of insecure provenance exacerbates the problem, while bringing employee-owned devices inside the perimeter compromises the perimeter itself.

You can read more on CSO Magazine’s Web site.