Certes, a leader in data-centric security and Post-Quantum Cryptography (PQC), has released new research highlighting a disconnect between quantum risk awareness and organisations’ ability to act on it, despite mounting pressure from government and regulators to begin transitioning to PQC within the next four years.
The Emerging PQC Imperative report reveals that 78% of organisations identify legacy systems as their greatest quantum security risk, yet most are doing little to address it. These environments remain difficult to secure and even harder to upgrade, leaving critical data increasingly exposed. For Australian organisations operating critical infrastructure, financial services, telecommunications, healthcare and government systems, the challenge is particularly acute given the prevalence of legacy technology environments and long infrastructure replacement cycles
The research findings come as the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) provides guidance to organisations to begin planning immediately for the transition to post-quantum cryptography. Current ASD guidance indicates that organisations have a refined PQC transition plan by the end of 2026, begin migration of vulnerable systems by the end of 2028, and complete the transition away from traditional asymmetric cryptography by 2030.
The report also found that nearly three-quarters (74%) of organisations view edge and IoT environments as a major quantum security risk, highlighting the growing exposure across distributed infrastructures. These environments are often difficult to upgrade or standardise, which can make them a critical weak point when it comes to implementing the cryptographic changes required for post-quantum readiness.
At the same time, 73% of organisations are actively evaluating the impact of “harvest now, decrypt later” attacks, recognising that data stolen today could become a future breach once quantum capabilities mature. While evaluation is commended, it stops short of actually protecting the data at risk.
Despite near-universal recognition of the threat posed by quantum computing, just 11% of organisations are confident they can achieve post-quantum readiness within expected timelines, highlighting a significant execution gap as businesses struggle to move from planning to meaningful action. While awareness is high, many organisations still lack the confidence, funding, and practical path required to respond effectively. And with legacy applications being the Achilles Heel for most companies – a weak point that can be simply rectified with the right security solutions – these statistics highlight that there is a huge gap in terms of understanding the problem at hand and actions being taken to protect critical data from exposure, and in turn helping protect businesses from massive financial, judiciary and reputational penalties.
The study independently conducted by Freeform Dynamics and commissioned by Certes, is based on responses from senior IT and security leaders from large organisations spanning sectors such as financial services, healthcare, manufacturing, and the public sector.
Other key findings from the report include:
- Only 2% are fully confident in achieving full crypto agility – Most organisations lack the ability to adapt cryptography at scale, leaving them exposed to both current and future threats.
- Nearly all respondents (97%) said they are not fully confident they can meet crypto agility timelines – Despite widespread awareness, confidence in delivering long-term quantum resilience remains critically low.
- 91% cite mitigation of material business risk as a key driver – Quantum risk is now firmly viewed as a core business issue, not just a technical or security concern.
- Just one in four (25%) have a dedicated budget to act on quantum security – Strategic intent is in place, but without funding, most initiatives are failing to progress beyond early-stage planning.
Quantum computing is widely expected to render much of today’s encryption ineffective. While timelines remain debated, regulators and standards bodies are already setting milestones, with expectations for initial quantum-safe readiness by 2030 and broader transition by 2035. At the same time, the growing threat of “harvest now, decrypt later” attacks means sensitive data is already at risk today, as adversaries collect encrypted information with the intention of decrypting it in the future.
Paul German, CEO of Certes, comments,”Most security and IT leaders understand the threat quantum computing poses; they know the timelines, and they recognise what’s at stake, but the challenge is that comprehending the problem and being equipped to solve it are two very different things. When only 11% of organisations feel confident they can meet initial post-quantum readiness targets, and the majority admitting that legacy systems are their biggest risk, it suggests a serious gap between intent and execution. We are looking at a systemic readiness crisis, not isolated pockets of unpreparedness, and what keeps me up at night is that this isn’t something organisations can afford to kick down the road.
“Harvest now, decrypt later attacks are happening today, which means data that feels secure right now will be compromised years from now when quantum capabilities catch up. The 2030 milestone sounds like it’s a long way off, but when you factor in the sheer scale of complexities and cryptographic transition, the runway is much shorter than it looks. The window to act is narrowing, and time is running out faster than most organisations realise.”
Simon Pamplin, CTO of Certes, adds, “What this research confirms is that the organisations making real progress on PQC are the ones treating it as a business risk problem, not just a compliance checkbox. The hardest challenges lie in legacy environments, custom applications, and edge and IoT infrastructure; these represent both the greatest exposure and the most complex remediation work, requiring careful prioritisation rather than a blanket approach. The case for acting now is not precautionary; it is entirely practical, and the organisations that build strong cryptographic foundations early will be in a significantly stronger position as the window narrows.”
Dan Panesar, CRO of Certes, says: “What we’re seeing is a growing realisation that current approaches to security simply don’t scale to the quantum challenge. You can’t solve this by layering more controls onto already complicated environments or by planning another multi-year migration cycle. Organisations need a more practical path forward, one that delivers quantum-safe data protection and crypto-segmentation for any application, over any infrastructure, anywhere. That’s how you move from theory to execution, reduce risk immediately, and give customers confidence that their data remains protected both today and in a post-quantum world.”
You can download ‘The Emerging PQC Imperative’ report here: https://pages.certes.ai/pqc-report
Certes Launches v7 to Bridge the Quantum Readiness Gap
To help organisations move from awareness to action, Certes recently launched v7, a powerful extension of its Data Protection and Risk Mitigation (DPRM) platform. Designed to deliver quantum-safe data protection and crypto-segmentation for any application, over any infrastructure, anywhere, v7 marks a new era of future-proof data protection, enabling PQC today for legacy applications, hybrid cloud, AI, and the edge, while keeping data protected even when infrastructure and identities are compromised. Unlike traditional tools that demand network redesigns or application rewrites, v7 can typically be deployed in days rather than months, without requiring application refactoring or major infrastructure changes.
Centralised, per-flow policies are automatically enforced across hybrid, multi-cloud, on-premises, and edge environments, designed to deliver quantum-safe protection at scale while minimising additional operational complexity. For organisations looking to close the execution gap, v7 delivers six strategic outcomes: faster deployment, simplified operations, stronger breach resilience, regulatory compliance, future-proof cryptography, and automated policy enforcement across distributed environments.
v7 is available as part of the Certes DPRM platform. For more information visit: https://pages.certes.ai/v7-blueprint-for-quantum
