90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move on

Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos

The vast majority of companies aren't ready for the security threats posed by quantum computing, according to new research.

Analysis from Bain & Company, which surveyed technology leaders at 180 companies, found 90% didn't yet have systems in place to defend against quantum security threats – despite widely expecting them to arrive within the next five years.

When quantum computers do arrive, they're expected to be able to crack existing encryption techniques used to protect everything from email to financial transactions.

The US National Institute of Standards and Technology (NIST) has been working for a decade on new algorithms that can withstand such attacks – but now companies need to roll them out, with NIST advising that enterprises need to be ready by 2035.

That message has been heard, according to Bain. Nearly three-quarters (71%) of those surveyed expect quantum-enabled attacks within five years, with a third predicting them within three years.

Similarly, two thirds believe quantum computing will exacerbate cybersecurity challenges.

Yet despite that, just one in ten believe their existing safeguards will be enough. The same number of enterprises have a roadmap in place to address the risks, with most waiting to see what happens and hoping a third party solves the problem first.

No time to wait with quantum security

Companies shouldn't wait, Bain warned, pointing to rapid progress made by IBM, Google, and other industry leaders on this front.

"At a certain threshold, quantum computing will be able to easily and quickly break asymmetric cryptography protocols such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH), and elliptic-curve cryptography (ECC) and reduce the time required, weakening symmetric cryptography such as advanced encryption standard (AES) and hashing functions," the company noted in a blog post.

In a separate report, analysts from Juniper Research echoed concerns that too many businesses still underestimate the danger of quantum-enabled attacks and aren't doing enough to get ready.

This is a burgeoning market, the consultancy found, with analysts predicting the post-quantum cryptography market will grow from $1.2 billion this year to $13 billion by 2035.

That growth suggests progress in preparing for what the analyst firm has dubbed "Q-Day" – which they define as when quantum computers can compromise existing encryption.

Juniper Research noted that governments are clearly considering milestones, as are "forward-thinking organizations". However, awareness of the danger remains a serious hurdle.

"Many businesses still underestimate the risk of quantum-enabled attacks, making clearer, more accessible education critical to securing internal buy-in," said Louis Atkin, Research Analyst at Juniper Research.

That echoes previous research by Keyfactor, which found as many as half of companies are not yet prepared to deal with cryptography made obsolete by the arrival of quantum computing.

The risks of quantum decryption

Bain said quantum computing will render today's cryptographic standards obsolete.

The highest impact will be on secure keys and tokens, digital certificates, authentication protocols, data encrypted at rest, and even network security and identity access management (IAM) tools. Essentially, anything currently relying on encryption.

Beyond that, quantum computing could supercharge malware and make it easier to identify and weaponize "zero day" flaws, Bain warned.

Another risk highlighted by security experts is "steal now, crack later" techniques, whereby threat actors harvest data now to decrypt later.

"Beyond these new types of attacks powered by quantum computers on current controls, terabytes of sensitive data already harvested by nation states and criminal groups over the last several years – spanning defense designs, chip architectures, energy technologies, and state secrets – will also become accessible and exploitable," Bain noted.

What can be done?

To prepare, companies should roll out post-quantum cryptography using algorithms that are strong enough to withstand quantum-powered attacks, Bain noted. Companies that fail to do so risk "exposing decades of encrypted data and compromising real-time systems".

However, the consultancy noted that most existing algorithms designed for that post-quantum world have already been compromised – not with quantum computers, but by exploiting flaws using traditional techniques.

Notably, not all suppliers or vendors will be on top of the problem, so security teams will need to develop their own workarounds to keep the corporate stack safe.

"Organizations that are heavy with legacy infrastructure may be particularly vulnerable—and more attractive targets for attackers," Bain added.

Companies need a board-led – and funded – roadmap to consider post-quantum risks across their business decision making, ensuring quantum resilience across their own suppliers, existing technology, and even their products.

But so far, the Bain survey revealed only 12% of companies are considering quantum readiness as a key factor in procurement and risk assessments.

Juniper's Atkin noted that the rise of standards and regulations around post-quantum security has helped, notably from NIST, and investment in algorithms for encryption once Q-Day has passed is steadily increasing.

However, Juniper warned that for these technologies to be effectively adopted, organizations will need to collaborate to ensure interoperability across infrastructure – and borders.

"Many countries have accepted NIST’s standardized algorithms as the de facto quantum-safe option, even in nations with limited understanding of the quantum landscape," Atkin said. "It is vital this continues and that different sectors consider how their systems interoperate when implementing quantum-safe solutions."

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.