While organizations are expected to be on the lookout for an increasingly wide variety of security vulnerabilities, almost one-quarter of all data breaches are still caused by compromised credentials, according to a report released Thursday by the Cloud Security Alliance and sponsored by Centrify.

The CSA found that insufficient identity, credential and access management ranked as the top vulnerability when it comes to cloud computing in its latest report called Identity Solutions: Security Beyond the Perimeter.

In the survey, 65 percent of respondents indicated that the likelihood their company would experience a breach in the future due to compromised credentials was medium to high, especially concerning since there was no difference in the types of security solutions used between companies that were breached and companies that were not.

“The survey results are insightful into understanding insufficient identity, credential and access management, as it relates to the evolving, increasingly cloud-based enterprise,” Luciano “J.R.” Santos, Executive Vice President of Research for the CSA said in a statement.  “We hope that organizations and cloud providers can use this information to help gain an understanding of how to protect themselves and their data beyond the perimeter, as they begin to adopt cloud environments.”

According to the report, 76 percent of internal access control policies extended to outsourced IT, vendors and other third parties, which highlights how critical due diligence is when selecting vendors and partners with appropriate security measures in place.

Read more: 7 Questions to Ask Your Cloud Backup Vendor

The report includes responses from more than 300 professionals across the Americas, EMEA and APAC regions.

“The survey findings reiterate that compromised credentials are a leading point of attack used in data breaches,” Bill Mann, Chief Product Officer for Centrify stated. “We hope that these findings will encourage organizations to leverage single sign-on, multi-factor authentication, mobile and Mac management, along with privileged access security and session monitoring, in order to minimize attack surfaces, thwart in-progress attacks and achieve continuous compliance. It’s also critical that companies secure internal and external users as well as privileged accounts – and it’s great to see that many organizations are already taking that step and extending access control policies to third parties.”

A separate study released last week by Softchoice found that an alarming number of employees – one in five – keep passwords in plain sight, including written on Post-It notes that they leave on their desk.