Post-quantum cryptography is now top of the priority list for cybersecurity leaders, but new research suggests some aren’t taking it seriously enough.
At some point, quantum computers are set to be able to crack the mathematical problems that underlie asymmetric public key cryptography (PKC), in what's known as 'Q-day'.
With attackers starting to adopt a 'harvest-now, decrypt-later' approach, industry experts are urging executives to make preparations and avoid falling foul of future threats.
However, a new report from Capgemini found that while 70% of organizations are assessing or deploying quantum-safe measures, only 15% of these early adopters qualify as 'quantum-safe champions', with mature governance and technical execution.
Meanwhile, 30% of surveyed organizations continue to downplay the urgency of quantum threats, running the risk of future data exposure and regulatory penalties.
More than eight-in-ten (82%) said a confirmed quantum computing breakthrough would increase their organisation’s urgency to adopt PQC.
“People don’t believe it will happen until it happens. The first public attack breaking encryption will trigger urgency," said Julio Padilha, CISO of Volkswagen & Audi, South America.
"Until then, it’s hard to justify investment in something we can’t yet see."
Around half of early adopters are running PQC pilots, often in partnership with cloud providers and specialist vendors, but most lack a clear roadmap for enterprise-wide transition.
"The hardest part is getting aligned on timelines and the whole ecosystem to agree on making sure the available solutions are secure against known threats and resilient against future code breaking," said Michele Mosca, CEO of evolutionQ and co-founder of the Institute for Quantum Computing at the University of Waterloo.
Capgemini said quantum-safe champions combine cryptographic inventory management, supply chain engagement, and hardware readiness to accelerate their transition.
They're conducting quantum risk assessments and maintaining a live cryptographic inventory, driving enterprise-wide education, and establishing a governance structure that keeps quantum security on the C-suite agenda.
Similarly, they're also designing for crypto-agility to adapt as standards evolve.
"We began our quantum-safe journey in 2023 with a cryptographic posture and maturity assessment," said Luciano Carolino, IT security specialist at Bradesco bank.
"It’s a long-term roadmap, starting with building a full inventory of cryptographic assets, using a risk-based approach for prioritization, across infrastructure and applications."
Four-in-five early adopters told the researchers that industry-wide collaboration with the likes of government bodies and technology consortia is critical to addressing quantum-related security risks.
Accelerating post-quantum cryptography timelines
Governments globally are taking the threat seriously, with the UK’s National Cyber Security Centre (NCSC) releasing a timeline for successful adoption of PQC in March this year.
By 2028, it said, organizations should have defined their migration goals, carried out a full discovery exercise and built an initial plan for migration.
By 2031, they should have made their highest-priority PQC migrations, and refined their plan to include a thorough roadmap for completing migration. Full migration to PQC should have taken place by 2035.
“If your organization hasn’t begun planning for quantum safety, you’re already behind," said Marjorie Bordes, group CISO at Capgemini.
"Migration to PQC is complex, cross-functional and time-consuming. Delaying action not only increases risk exposure, but also limits your ability to comply, compete and protect sensitive data in the years ahead."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
ExtraHop builds on APAC momentum with Singapore expansionNews The vendor said its increased presence will help enterprises across the Asia Pacific region better meet evolving compliance demands
-
Microsoft saved $500 million by using AI in its call centers last yearNews Microsoft’s chief commercial officer, Judson Althoff, revealed the tech giant has saved $500 million in its call centers alone by using AI tools.
