Despite the abundance of services for managing and protecting business data kept beyond the firewall, a new report from Netskope Inc. reveals that cloud security is very much a work-in-progress for most organizations. The information governance startup has found that as many as 15 percent of enterprise workers have had their service credentials compromised at one point or another, many without knowing it.

Based on anonymized data collected from more than 100 of its mostly enterprise customers, Netskope estimates that up to half of cloud users in a typical company recycle passwords for multiple applications, which means that hackers can potentially access mission-critical systems with log-in information siphoned from lower priority services that don’t have the same level of protection. Given that other research suggests that cyber criminals are becoming more sophisticated, this trend should be concerning for information security pros.

The study says this vulnerability is one of the main reasons so many enterprise cloud accounts fall into the hands of cybercrminals. Netskope found that a massive 88 percent of services in use with customers score “medium” or below on its Cloud Confidence Index, which rates the security of managed applications based on criteria like whether the app enables auditing of access activities or supports multi-factor authentication.

Broken down by type, marketing services rank as the least safe with a full 98 percent of applications failing to meet Netskope’s standards for information governance and business continuity functionality. Following close behind is the finance and accounting category at 95 percent, while human resource management systems came in third with only seven percent qualifying as adequately secure.

Aggravating the problem is the fact that the explosive demand for off-premise services among business units is leaving many CIOs with more applications than they can handle. Netskope saw the average number of cloud services per enterprise climb to 613 in the fourth quarter of 2014 from 579 three months earlier. At the same time, the percentage of organizations using over 1,000 cloud services jumped past 20 percent. That rapid adoption is spreading IT departments thin and making it harder for practitioners to enforce governance policies, not only when it comes to so-called shadow services but sanctioned applications as well.

The study found that eight percent of files in corporate-approved storage applications violate leak prevention policies, a broad category encompassing both regulatory compliance requirements and organization-specific rules. Violations involving the unauthorized upload of data outnumber illicit downloads three to one, with 12 percent of outside users who possess access to company information having more than 100 files within reach.