Despite risks, businesses store sensitive data in the cloud unprotected

FORTUNE — Last spring, former National Security Agency contractor Edward Snowden revealed the agency’s use of secret “backdoor” vulnerabilities, setting off a string of international goose chases. In January, Target revealed that thieves stole credit and debit card information for millions of its customers. In March, Google announced that it would encrypt data between its data centers. In April, a bug called Heartbleed shook the foundations of the World Wide Web.

It’s fair to say that cybersecurity is high priority.

Yet most businesses are transferring confidential information to public cloud services without the safeguard of encryption, a new study reveals. Data stored without encryption are “readable,” meaning they aren’t concealed or coded. In other words, they’re as legible as this text.

“You would think that a higher percent of companies would have data encryption or a similar form of protection, because it does present a risk,” said Larry Ponemon, lead author on the study and founder of the Ponemon Institute, which conducted the research. “Especially if the data sent to them is confidential, as we found.”

The study, which surveyed more than 4,000 businesses in eight countries, indicates that the rate at which businesses are transitioning to the cloud has accelerated over the past few years. For them, the cost, ease of management, and scalability of cloud computing outweigh other concerns.

MORE: Kill the password. And the PIN number. And the car key.

“There’s a huge economic incentive to use the cloud, and it’s now at the point where people are sending even sensitive applications through the cloud even though they know that it makes them less secure,” said Richard Moulds, vice president of strategy at Thales e-Security, the company that commissioned the study. “That’s not a great to place to be.”

Holdouts against cloud adoption are rapidly diminishing. The percentage of organizations that said they have no plans to use the cloud for sensitive operations nearly halved to 11% from 19% two years ago, according to the study.

Roughly a third of respondents admitted that they believe their use of the cloud hurts their overall security. Just half that believe that outsourcing data to the cloud has improved their security. (The rest believe their transition to the cloud has had no impact on their security.)

George Kurtz, chief executive officer and co-founder of CrowdStrike, a security technology company, is one who believes that a cloud environment can improve a company’s cybersecurity protections. “If you outsource it to the right cloud provider, you can in many cases have greater security than you would have doing it yourself,” he said, “because you’ve got an army of people that are focused on the security of that property.”

Proper certifications and security standards can help businesses find the right provider, he said. With regard to encryption, corporations should “understand the sensitivity of the data and classify the data before they put it out in a cloud provider.” Such triage can help businesses determine what information should be encrypted vs. what need not be.

The study found, however, that the transparency of the cloud and use of encryption are on the rise. Thirty-five percent of study participants consider themselves to be knowledgeable about the security practices of their cloud providers, up from 29% two years ago. Similarly, encryption use for software-as-a-service (SaaS) users has increased to 39% from 32% during the same period of time, while encryption use for infrastructure-as-a-service/platform-as-a-service (IaaS/PaaS) users has increased to 26% from 17% during the same period.

MORE: It’s time for corporate boards to tackle cybersecurity. Here’s why

“I think the report shows that the trends are all pointing in the right direction,” said Moulds. “But there’s still a long way to go in terms of visibility and confidence about security.”

According to the study, uncertainties remain about who is primarily responsible for protecting data in the cloud: the service provider that stores them or the business that owns them? In SaaS environments, for example, more than half the respondents put the onus on the cloud provider to handle security responsibilities. In IaaS/PaaS environments, in contrast, almost half of respondents believed it’s a mutual duty.

Security is a shared responsibility, Ponemon said. “It is really incumbent upon the user of the services as well as the provider of the services to join forces,” he said. “You can’t just rely on one side or the other.”

The current state of security and encryption in the cloud, Ponemon added, is not yet fully mature. “These companies should seriously think about how [data] could be protected instead of leaving it in clear text,” he said. “It is a vulnerability that can be resolved.”

Subscribe to Well Adjusted, our newsletter full of simple strategies to work smarter and live better, from the Fortune Well team. Sign up today.