Businesses Lag as Quantum Computing’s Deadline Nears
▼ Summary
– Most businesses understand the quantum computing threat to encryption but lack formal migration plans or technical groundwork for post-quantum cryptography.
– Despite over half of organizations expecting to adopt post-quantum algorithms by 2026, the required integration work is extensive and likely to take a decade or more.
– A major challenge is that 81% of respondents report their core cryptographic systems, like libraries and hardware modules, are unprepared for post-quantum integration.
– Budgets are shifting, with most organizations planning to spend 6-10% of cybersecurity funds on post-quantum projects, though US firms plan higher investments than the UK or Germany.
– Identity and access management systems are the top priority for early protection, followed by industrial control systems and intellectual property.
The race to secure data against future quantum computing attacks is intensifying, yet a significant gap exists between organizational awareness and concrete preparedness. A recent industry survey reveals that while most businesses understand the theoretical threat, nearly all lack a formal roadmap for migrating to post-quantum cryptography (PQC), leaving critical systems vulnerable. This disconnect poses a substantial long-term risk to data security across every sector.
The survey of security professionals found a surprising level of confidence, with three-quarters stating they comprehend how quantum computers could break today’s encryption. Industries like healthcare, legal, and education, which face frequent cyberattacks, reported the highest confidence levels. However, this assurance is not matched by action. A staggering 91 percent of organizations have no formal plan for adopting quantum-safe algorithms. Only a handful have draft plans or began early preparations, making them rare exceptions in a landscape of widespread inaction.
This confidence is further challenged by unrealistic timelines. More than half of respondents believe they will have at least one post-quantum algorithm protecting live data by 2026. This optimism clashes with the reality of cryptographic migration. The first official standards were only recently finalized, and experts note the journey from standardization to full integration within complex IT ecosystems often takes a decade or more. Organizations will need to overhaul public key infrastructure and update systems built around traditional key management, making a 2026 target highly ambitious for most. This suggests timelines are being set due to external pressure rather than a realistic assessment of technical readiness.
A core technical hurdle is that foundational security systems are not prepared. Eighty-one percent of respondents admitted their cryptographic libraries and hardware security modules are not ready for post-quantum integration. Many rely on legacy systems designed before quantum threats were considered, and retrofitting them is far more complex than a simple software patch, it requires fundamental changes to how cryptographic keys are generated, stored, and exchanged. This challenge is compounded by a significant skills shortage, as many security teams lack experience with PQC algorithms, and progress is often stalled waiting for third-party vendors to update their own products and services.
Leadership for these initiatives is inconsistent. In technology, telecom, and healthcare, CTOs, CIOs, and CISOs typically drive the effort. In sectors with less internal expertise, such as architecture or education, organizations rely more heavily on external consultants. This uneven ownership makes it difficult to build the sustained, organization-wide momentum required for a successful migration. While new government policies in the US, UK, and EU have spurred more discussion, the current level of activity falls far short of what will be necessary.
When prioritizing what to protect first, identity and access management (IAM) systems are the top choice for 35% of respondents, as they heavily depend on public-key cryptography vulnerable to quantum attack. Industrial control systems are also a high priority due to their long lifecycles and often outdated infrastructure. In the US and UK, protecting intellectual property remains a key focus, while educational institutions are particularly concerned about blockchain-based systems used for student records. Each of these priority areas rests on cryptographic foundations that must be replaced.
Budgetary intentions are shifting, with almost every organization planning to allocate funds to post-quantum projects within two years. Most anticipate spending between six and ten percent of their cybersecurity budget on related research, tools, or deployment. US companies are particularly aggressive, with over half planning to invest at least eleven percent, a rate much higher than in the UK or Germany. Despite these plans, a small but notable group in the US and UK stated they do not intend to dedicate any budget to this work, even while believing they will adopt an algorithm by 2026, highlighting uncertainty about how to initiate investments.
The primary forces expected to accelerate adoption are external. Contractual requirements from partners and customers are viewed as the strongest motivator, followed closely by new industry standards and upcoming government regulations. Interestingly, the fear of a security incident ranked relatively low as a driver, especially in the US, indicating that market and policy signals currently hold more sway than theoretical attack scenarios.
The concerns weighing on security teams are substantial. Integration headaches top the list, followed closely by security risks during transition, cost pressures, migration complexity, and the persistent skills gap. Professionals express deep uncertainty about how to retrofit legacy systems and the daunting task of coordinating PQC upgrades across hybrid environments that span cloud platforms and on-premises infrastructure.
(Source: HelpNet Security)
