Despite recognizing the seriousness of the threat, enterprises have continued to respond slowly to warnings that existing systems must be updated to address the risks of the advent of quantum computers.
Quantum computers threaten the security of existing public-key cryptography systems. Government agencies such as the US National Institute of Standards and Technology and the UK’s National Cyber Security Center (NCSC) are recommending the adoption of post-quantum cryptography (PQC) ahead of the 2030 deadline to account for the expected depreciation of weak cryptographic algorithms.
However, five years from this deadline, PwC’s Global Digital Trust Insights Report Paints a general lack of preparation for the introduction of quantum resistant cryptography.
“Although quantum computing ranks one of the top five threats organizations are least prepared to address, less than 10% have made it a priority in the budget and only 3% have implemented all of the key quantum deterrent measures included in the survey,” the report said.
It added, “Some organizations are making initial progress, with 29% in the piloting and testing stages. However, only 22% have progressed beyond piloting, and nearly half (49%) have not considered or begun to implement any quantum-resistant security measures.”
industry readiness
The majority of independent experts polled by CSO say the PwC report’s findings reflect a real gap between industry awareness and operational preparedness for PQC.
jason sorokoThe senior partner at automated certificate lifecycle management firm Sectigo tells CSO that sectors of the economy that are already cryptographically mature are leading the way with PQC projects, leaving other sectors even further behind.
“Uptake is not limited to banking, yet financial services are leading the way as they are highly regulated, risk averse and exposed to longer-lived data risks,” explains Soroko. “Many banks and payment networks have large cryptographic inventories, established key management and compliance drivers, which motivates them to move forward first.”
“Other sectors with long data lifetimes and extensive device estates such as government, telecom, cloud and critical infrastructure are also active,” says Soroko.
According to cybersecurity vendor Forescout, financial services and professional services lead the way, but manufacturing, oil and gas, mining and healthcare lag far behind, with PQC adoption rates in some cases at just 2%.
chris hickman, The CSO of digital identity management firm KeyFactor says most organizations are waiting “either for the risk to be felt immediately or for others to make the first move.”
“That delay will be costly,” Hickman predicts.
Hickman says barriers to widespread adoption range from a lack of skilled personnel, limited time and competing priorities, and slow adoption of existing standards.
migration status
Encryption underpins the security of everything from health care records to government data and e-commerce transactions.
But currently only 8.5% of SSH servers support quantum-safe encryption.
Adoption of TLS 1.3 – currently at 19% – is also lagging behind older, quantum-insecure versions, according to a Recent study by Forescout,
Other experts have since painted a more optimistic picture of PQC deployment. NIST finalizes first post-quantum cryptographic standards In August 2024.
“Google, Apple, Signal and Zoom have implemented PQC,” says duncan jonesHead of cybersecurity at integrated quantum computing firm Quantumum. “Government orders like CNSA 2.0 Set hard deadlines. Financial services are moving forward – asc x9The 2025 Readiness Assessment outlines concrete steps from a cryptographic inventory through a migration plan.
Barriers to adoption
The main barriers to widespread adoption of PQC include cost, uncertainty of standards, and organizational inertia. This last issue is important because preparing for a quantum threat requires a phased approach to crypto agility.
“The barriers to widespread adoption are very real,” says KeyFactor’s Hickman. “Lack of skilled personnel, limited time and competing priorities, and slow adoption of existing standards are the top challenges slowing progress.”
Hickman adds: “Additionally, risk perceptions vary, particularly between security teams and executive leadership, making it difficult to align strategies.”
Kevin Hilsher, senior director of product management at Digicert, says time horizon is playing a key role in the PQC preparation gap. “Companies are prioritizing other projects because, let’s say, 2030 is still more than four years away and other projects are being prioritized,” he says.
Furthermore, security teams find themselves increasingly at risk due to growing threats in the here and now.
“Organizations often lack the expertise or resources to prioritize PQC when dealing with everyday threats,” says Dr. Katrina RoseniA cyber security expert at Ascendant Group. “Standards are still evolving, and deploying quantum-resistant algorithms requires careful testing to avoid breaking critical systems.”
Yet, delaying PQC adoption not only leaves organizations vulnerable to future quantum threats, but also amplifies vulnerabilities already being targeted by attackers, Dr. Roseni warns.
Uncertainty, complexity, and difficulties in mapping cryptographic assets are also putting the brakes on the PQC rollout.
“Budgets compete with near-term threats and not everyone is yet aware of NIST’s 2030 deprecation of RSA/ECC, so planning and investment are being delayed,” says Sectigo’s Sorocco. “Standards and vendor support are still evolving, and some algorithms introduce performance overhead or compatibility issues for legacy systems and restricted devices.”
Sorocco says: “Skills are scarce and dependencies run through supply chains and cloud services, so end-to-end migration planning and governance leads to slow adoption.”
Dr. Roseni also notes that legacy systems and infrastructure can make it difficult to implement new algorithms.
Benjamin MouradThe DMI senior director and solutions architect sees the main barriers to widespread adoption as education about quantum computing risks – such as the threat from “harvest now, decrypt later” attacks – and funding.
In contrast, improvements in technology over the past year have made it much simpler to implement and scale cryptographic systems, Mourad argues.
“Technological improvements over the past 12 months have improved capabilities and reduced the cost of moving to PQC at scale with containerized, lightweight applications,” explains Mourad. “The reduced need for significant investment in hardware and software will make PQC more scalable.”
Navigating quantum uncertainty
Analysts estimate that quantum computers will be able to break existing encryption within five to 20 years.
This uncertainty can be distracting, says Dr. Roseni. “There needs to be a focus on preparedness and resiliency,” she advises. “Organizations need to inventory sensitive assets, assess system readiness, run pilot programs, and secure key management.”
The PwC report should serve as a warning, says Dr Roseni.
“Organizations that treat PQC as a strategic security initiative will now be positioned to reduce risk and strengthen resilience,” she says. “Those who wait risk exposing themselves to both present and future threats.”
