Report reveals that 78% of organizations identify legacy systems as their greatest quantum security risk, yet most are doing little to address it.
Certes, a leader in data-centric security and Post-Quantum Cryptography (PQC), has released new research highlighting a disconnect between quantum risk awareness and organizations’ ability to act on it. The Emerging PQC Imperative report reveals that 78% of organizations identify legacy systems as their greatest quantum security risk, yet most are doing little to address it. These environments remain difficult to secure and even harder to upgrade, leaving critical data increasingly exposed.
The report also found that nearly three-quarters (74%) of organizations view edge and IoT environments as a major quantum security risk, highlighting the growing exposure across distributed infrastructures. These environments are often difficult to upgrade or standardize, which can make them a critical weak point when it comes to implementing the cryptographic changes required for post-quantum readiness.
At the same time, 73% of organizations are actively evaluating the impact of “harvest now, decrypt later” attacks, recognizing that data stolen today could become a future breach once quantum capabilities mature. While evaluation is commendable, it stops short of actually protecting the data at risk.
Despite near-universal recognition of the threat posed by quantum computing, just 11% of organizations are confident they can achieve post-quantum readiness within expected timelines, highlighting a significant execution gap as businesses struggle to move from planning to meaningful action. While awareness is high, many organizations still lack the confidence, funding, and practical path required to respond effectively. Legacy applications are the Achilles' heel for most companies – a weak point that can be simply rectified with the right security solutions – and these statistics highlight a huge gap between understanding the problem at hand and the actions being taken to protect critical data from exposure, and in turn to protect businesses from massive financial, judicial and reputational penalties.
The study, independently conducted by Freeform Dynamics and commissioned by Certes, is based on responses from 200 senior IT and security leaders across the UK and US, including CISOs, CIOs, and other decision-makers from large organizations spanning sectors such as financial services, healthcare, manufacturing, and the public sector.
Other key findings from the report include:
- Only 2% are fully confident in achieving full crypto agility – Most organizations lack the ability to adapt cryptography at scale, leaving them exposed to both current and future threats.
- Nearly all respondents (97%) said they are not fully confident they can meet crypto agility timelines – Despite widespread awareness, confidence in delivering long-term quantum resilience remains critically low.
- 91% cite mitigation of material business risk as a key driver – Quantum risk is now firmly viewed as a core business issue, not just a technical or security concern.
- Just one in four (25%) have a dedicated budget to act on quantum security – Strategic intent is in place, but without funding, most initiatives are failing to progress beyond early-stage planning.
Quantum computing is widely expected to render much of today’s encryption ineffective. While timelines remain debated, regulators and standards bodies are already setting milestones, with expectations for initial quantum-safe readiness by 2030 and broader transition by 2035. At the same time, the growing threat of “harvest now, decrypt later” attacks means sensitive data is already at risk today, as adversaries collect encrypted information with the intention of decrypting it in the future.
Paul German, CEO of Certes, comments, “Most security and IT leaders understand the threat quantum computing poses; they know the timelines, and they recognize what’s at stake, but the challenge is that comprehending the problem and being equipped to solve it are two very different things. When only 11% of organizations feel confident they can meet initial post-quantum readiness targets, and the majority admit that legacy systems are their biggest risk, it suggests a serious gap between intent and execution. We are looking at a systemic readiness crisis, not isolated pockets of unpreparedness, and what keeps me up at night is that this isn’t something organizations can afford to kick down the road.
“Harvest now, decrypt later attacks are happening today, which means data that feels secure right now will be compromised years from now when quantum capabilities catch up. The 2030 milestone sounds like it’s a long way off, but when you factor in the sheer scale of complexities and cryptographic transition, the runway is much shorter than it looks. The window to act is narrowing, and time is running out faster than most organizations realize.”
Simon Pamplin, CTO of Certes, adds, “What this research confirms is that the organizations making real progress on PQC are the ones treating it as a business risk problem, not just a compliance checkbox. The hardest challenges lie in legacy environments, custom applications, and edge and IoT infrastructure; these represent both the greatest exposure and the most complex remediation work, requiring careful prioritization rather than a blanket approach. The case for acting now is not precautionary; it is entirely practical, and the organizations that build strong cryptographic foundations early will be in a significantly stronger position as the window narrows.”
Dan Panesar, CRO of Certes, says: “What we’re seeing is a growing realization that current approaches to security simply don’t scale to the quantum challenge. You can’t solve this by layering more controls onto already complicated environments or by planning another multi-year migration cycle. Organizations need a more practical path forward, one that delivers quantum-safe data protection and crypto-segmentation for any application, over any infrastructure, anywhere. That’s how you move from theory to execution, reduce risk immediately, and give customers confidence that their data remains protected both today and in a post-quantum world.”
Certes Launches v7 to Bridge the Quantum Readiness Gap
To help organizations move from awareness to action, Certes recently launched v7, a powerful extension of its Data Protection and Risk Mitigation (DPRM) platform. Designed to deliver quantum-safe data protection and crypto-segmentation for any application, over any infrastructure, anywhere, v7 marks a new era of future-proof data protection, enabling PQC today for legacy applications, hybrid cloud, AI, and the edge, while keeping data protected even when infrastructure and identities are compromised. Unlike traditional tools that demand network redesigns or application rewrites, v7 can typically be deployed in days rather than months, without requiring application refactoring or major infrastructure changes.
Centralized, per-flow policies are automatically enforced across hybrid, multi-cloud, on-premises, and edge environments, designed to deliver quantum-safe protection at scale while minimizing additional operational complexity. For organizations looking to close the execution gap, v7 delivers six strategic outcomes: faster deployment, simplified operations, stronger breach resilience, regulatory compliance, future-proof cryptography, and automated policy enforcement across distributed environments.
v7 is available as part of the Certes DPRM platform. For more information visit: https://pages.certes.ai/v7-blueprint-for-quantum



