An alarming number of cloud-based apps used by enterprise employees don’t encrypt data at rest or require two-factor authentication.

And an astounding number of employees are still uploading highly sensitive data to the cloud and sharing files on unsecured platforms, according to the Cloud Adoption Risk Report Q4 2014 from cloud security vendor Skyhigh Networks.

The recent breach of 80 million records at health insurer Anthem was an example of how cloud services that don’t encrypt data leave personal records exposed to savvy cybercriminals.

The Q4 report was based on usage data from 15 million employees at 350 companies worldwide. It found that the average company used 897 cloud services in the fourth quarter of 2014, up from 626 the year before.

Data at risk

While the number of cloud providers that have invested in key security features more than doubled last year, still only 11 percent encrypt “data at rest” − inactive files stored in data bases. Only 17 percent have multifactor authentication.

“In light of the recent breaches, that’s alarming,” says Kamal Shah, Skyhigh’s vice president of products and marketing.

“The Anthem breach is a great example of how, if you’re not careful, cloud services can be used to exfiltrate data out of the organization,” he says.

More than a third of users uploaded at least one file with sensitive information to a file-sharing cloud service, Skyhigh found. Some of that information included customer Social Security numbers (SSN), date of birth, credit card or bank account numbers and personal health records.

Skyhigh also found that 22 percent of files uploaded to cloud-based file sharing apps had sensitive or confidential information. At the same time, 11 percent of documents were shared outside the enterprise, and 18 percent through third-party email services like Gmail, Yahoo and Hotmail, which don’t encrypt data at rest.

File sharing exposure

The growing trend in file sharing is driven by the limitations of email, Shah says. Besides having size constraints as files get larger, email is a static environment.

“File-sharing is much more active—a living, breathing space,” he says.

Less surprising in the study was the number of compromised identities—especially given the record number of breaches and vulnerabilities in 2014. Skyhigh found that 92 percent of companies have compromised credentials, with 12 percent of users affected, on average, at each company.

“A lot of people use the same passwords for their work life as they do for their personal life, and when they’re compromised, those credentials can be used to steal corporate data,” Shah says.

The trends driving the rapid cloud adoption are driven by legitimate business needs, Shah notes. Which means the old way of doing business—by simply restricting app usage—no longer works for IT managers.

“Shadow IT is not bad because employees are using these cloud services for the right reasons,” he says. “The old way of blocking services is no longer effective.”

What that means for IT administrators is the need to educate their employees about the risks of apps that are not enterprise-ready, he says. (Skyhigh’s definition of enterprise-ready includes cloud services that rank one to three on a scale to 10 based on attributes like encryption, two-factor authentication, legal condition of service, and so on.)

Despite all the breaches, the use of cloud adoption will continue to accelerate rapidly, Shah says.

“For enterprises, there’s urgency to take action before it’s too late,” he says. “If you don’t act now, the problem will get bigger and bigger.”

This article originally appeared on ThirdCertainty.com and was written by Rodika Tollefson.