CISOs face quantum leap in prioritizing quantum resilience


Despite recognizing the severity of the threat, enterprises continue to respond slowly to warnings that existing systems must be updated to address the risks of the approaching advent of quantum computers.

Quantum computers threaten the security of existing public-key cryptography systems. Government agencies such as the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) are advising organizations to adopt post-quantum cryptography (PQC) before a 2030 deadline, in time for the expected deprecation of vulnerable cryptographic algorithms.

However, five years from this deadline, PwC’s Global Digital Trust Insights report paints a picture of a general lack of preparedness for rolling out quantum-resistant cryptography.

“Although quantum computing ranks among the top five threats organisations are least prepared to address, fewer than 10% prioritise it in budgets and only 3% have implemented all [the] leading quantum resistant measures surveyed,” the report states.

“Some organisations are making initial progress, with 29% in piloting and testing stages. However, only 22% have moved beyond piloting, and almost half (49%) haven’t considered or started implementing any quantum-resistant security measures,” it adds.

Industry readiness

The majority of independent experts quizzed by CSO say the PwC report’s findings reflect a real gap between industry awareness and operational readiness for PQC.

Jason Soroko, senior fellow at automated certificate lifecycle management firm Sectigo, tells CSO that sectors of the economy that are already cryptographically mature are pushing ahead with PQC projects, leaving other sectors even further behind.

“Uptake is not confined to banking, yet financial services tend to lead because they are highly regulated, risk averse, and exposed to long-lived data risks,” Soroko explains. “Many banks and payment networks have larger cryptographic inventories, established key management and compliance drivers, which push them to move earlier.”

“Other sectors with long data lifetimes and wide device estates such as government, telecom, cloud, and critical infrastructure are also active,” Soroko adds.

Financial services and professional services are furthest ahead, but manufacturing, oil and gas, mining, and healthcare remain significantly behind, in some cases with PQC adoption as low as 2%, according to cybersecurity vendor Forescout.

Chris Hickman, CSO at digital identity management firm Keyfactor, says that most organizations are waiting “either for the risk to feel more immediate or for others to make the first move.”

“That delay will be costly,” Hickman predicts.

Obstacles to widespread adoption include a lack of skilled personnel, limited time and competing priorities, and slow adoption of existing standards, Hickman says.

State of migration

Encryption underpins the security of everything from healthcare records to government data and e-commerce transactions.

But just 8.5% of SSH servers currently support quantum-safe encryption.

TLS 1.3 adoption — currently at 19% — also trails older, quantum-vulnerable versions, according to a recent study by Forescout.
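The SSH figure above is something a team can measure for its own estate rather than take from a survey. The script below is an added example, not code from the CSO article or from any vendor quoted in it: it parses the SSH_MSG_KEXINIT advertisement a server sends right after the version exchange (RFC 4253, section 7.1) and reports whether any hybrid post-quantum key-exchange method is offered. The set of PQC method names (the OpenSSH 9.x names plus the IETF draft names for the NIST-curve hybrids) is an assumption kept in one place in the script; the two sample KEXINIT payloads are constructed inline so the check runs offline, and the optional live probe reads only the server's advertisement without starting a key exchange. Run against your own hosts, the output is one concrete line item for the cryptographic inventory the experts below describe.

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# Key-exchange method names that carry a post-quantum (hybrid) component.
# The first three are the names OpenSSH 9.x advertises; the NIST-curve
# hybrids are the IETF draft names. This list is an assumption of the
# example; extend it as vendors add methods.
PQC_KEX_NAMES = {
    "sntrup761x25519-sha512@openssh.com",
    "sntrup761x25519-sha512",
    "mlkem768x25519-sha512",
    "mlkem768nistp256-sha256",
    "mlkem1024nistp384-sha384",
}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict mapping field name to a list of names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not an SSH_MSG_KEXINIT message")
    off = 1 + 16  # message id + 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    return fields


def assess(payload):
    """Summarise whether the server's advertised KEX list includes a PQC method."""
    fields = parse_kexinit(payload)
    pqc = [k for k in fields["kex"] if k in PQC_KEX_NAMES]
    return {"kex": fields["kex"], "pqc_kex": pqc, "quantum_safe": bool(pqc)}


def encode_kexinit(name_lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from ten name-lists (used for the offline samples)."""
    if len(name_lists) != len(KEXINIT_FIELDS):
        raise ValueError("KEXINIT needs exactly ten name-lists")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read the KEXINIT a live server sends after the version exchange.

    Only the server's own advertisement is read; no key exchange is started.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:  # servers may send banner text before the version line
            line = reader.readline()
            if not line:
                raise ConnectionError("server closed before sending a version line")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-pqc_kex_check\r\n")
        packet_len, pad_len = struct.unpack(">IB", reader.read(5))
        body = reader.read(packet_len - 1)  # payload + padding (no MAC yet)
        return body[:packet_len - 1 - pad_len]


# Constructed samples: a legacy-only server and one that also offers ML-KEM hybrid KEX.
_COMMON = [
    ["ssh-ed25519", "rsa-sha2-512"],
    ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
    ["hmac-sha2-256"], ["hmac-sha2-256"],
    ["none"], ["none"], [], [],
]
LEGACY_KEXINIT = encode_kexinit(
    [["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]] + _COMMON)
MODERN_KEXINIT = encode_kexinit(
    [["mlkem768x25519-sha512", "curve25519-sha256"]] + _COMMON)

if __name__ == "__main__":
    # Usage: python pqc_kex_check.py [host]  (no host: assess the constructed sample)
    payload = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else MODERN_KEXINIT
    print(assess(payload))
```

The check reports what the server offers, not what clients negotiate; a server that lists a PQC method first but still accepts classical-only methods remains downgradeable by a client that lacks them, so the inventory should record both the full list and its order.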

Other experts paint a more optimistic picture of PQC deployment since NIST finalized the first post-quantum cryptographic standards in August 2024.

“Google, Apple, Signal, and Zoom have implemented PQC,” says Duncan Jones, head of cybersecurity at integrated quantum computing firm Quantinuum. “Government mandates like CNSA 2.0 set hard deadlines. Financial services are moving — ASC X9’s 2025 readiness assessment outlines concrete steps from cryptographic inventory through migration planning.”

Obstacles to adoption

The main obstacles to widespread PQC adoption include cost, standards uncertainty, and organizational inertia. This last issue is significant given that preparing for the quantum threat requires a phased approach to crypto agility.

“The obstacles to widespread adoption are very real,” Keyfactor’s Hickman says. “A lack of skilled personnel, limited time and competing priorities, and the slow adoption of the existing standards are the top challenges slowing progress.”

Hickman continues: “Additionally, risk perception varies, especially between security teams and executive leadership, making it harder to align strategies.”

Kevin Hilscher, senior director of product management at DigiCert, says the time horizon is playing a significant role in the PQC preparation gap. “Companies are prioritizing other projects because, let’s face it, 2030 is still more than four years away and other projects take precedence,” he says.

Moreover, security teams find themselves increasingly under fire from escalating threats in the here and now.

“Organizations often lack the expertise or resources to prioritize PQC while dealing with day-to-day threats,” says Dr. Katrina Rosseini, a cybersecurity expert at Ascendant Group. “Standards are still evolving, and deploying quantum-resistant algorithms requires careful testing to avoid breaking critical systems.”

Still, delays in PQC adoption not only leave organizations vulnerable to future quantum threats but also amplify the vulnerabilities already being targeted by attackers, Dr. Rosseini warns.

Uncertainty, complexity, and the difficulties in mapping cryptographic assets are also putting a brake on PQC rollouts.

“Budgets compete with nearer-term threats and not all people are yet aware of the 2030 deprecation of RSA/ECC by NIST, so planning and investment are delayed,” says Sectigo’s Soroko. “Standards and vendor support are still being operationalized, and some algorithms introduce performance overhead or compatibility issues for legacy systems and constrained devices.”

Soroko adds: “Skills are scarce and dependencies run through supply chains and cloud services, so end-to-end migration planning and governance slow adoption.”

Dr. Rosseini also notes that legacy systems and infrastructure can make rolling out new algorithms difficult.

Benjamin Mourad, senior director and solution architect at DMI, sees the main obstacles to widespread adoption as education about quantum computing risks, such as the threat from “harvest now, decrypt later” attacks, and funding.

Conversely, improvements in technology over the past year have made implementing and scaling up cryptographic systems more straightforward, Mourad contends.

“Technological improvements over the past 12 months have improved capabilities and lowered the costs to migrate to PQC at scale with containerized, lightweight applications that did not exist over a year ago,” Mourad explains. “The decreasing need for significant investments in hardware and software will make PQC more scalable.”

Navigating quantum uncertainty

Analysts predict that quantum computers capable of breaking current encryption are anywhere from five to 20 years away.

This uncertainty can be distracting, Dr. Rosseini says. “The focus has to be on preparedness and resilience,” she advises. “Organizations need to inventory sensitive assets, assess system readiness, run pilot programs, and secure key management.”

The PwC report should act as a wake-up call, Dr. Rosseini adds.

“Organizations that treat PQC as a strategic security initiative now will be positioned to reduce risk and strengthen resilience,” she says. “Those who wait risk leaving themselves exposed to both present and future threats.”
