Survey Reveals Alarming Lack of Preparedness for Quantum-Enabled Threats
A recent survey conducted by ISACA has highlighted a concerning trend among organizations regarding their readiness to defend against threats posed by quantum computing. The findings indicate that most organizations are ill-equipped to handle the potential challenges that quantum-enabled technologies present.
According to the survey, a strikingly low 5% of IT professionals reported that their organizations have any defined strategy in place to combat potential threats from quantum computing. Furthermore, only 3% classified such preparations as a high business priority in the near future. Alarmingly, more than half of the respondents—59%—admitted that no measures have been taken to prepare for the onset of quantum computing capabilities.
Experts in the field have long warned that quantum computers will have the potential to dismantle existing encryption protocols such as RSA and AES, which are foundational to contemporary cybersecurity. The computational power needed to break these encryption standards is estimated to be around 10,000 qubits or more. Should this scenario unfold, sensitive data and the connections that organizations rely on will be laid bare, vulnerable to exploitation by malefactors.
Ramses Gallego, President of the ISACA Barcelona Chapter, articulated the gravity of the situation during a recent press briefing. He stated, “We are talking about a world with no secrets, a world with no barriers or borders.” Such a declaration underscores the profound challenges that quantum computing presents to cybersecurity as it evolves.
Quantum Computing’s Imminent Impact on Cybersecurity
Despite the evident lack of preparation, the survey’s respondents acknowledged the significant impact quantum technology is poised to have on cybersecurity. Notably, 56% expressed concern over the possibility of "harvest now, decrypt later" attacks—a tactic where malicious actors stockpile encrypted data now with the intent to decrypt it later using quantum capabilities.
Around 62% of IT professionals surveyed conveyed apprehension that quantum computing will effectively obliterate current Internet encryption methods, while 57% foresee the technology creating new business risks. Adding to this concern, 52% anticipate that the advent of quantum computing will necessitate a shift in the skills required within organizations, signifying the need for new expertise to counteract emerging risks.
Interestingly, a third of European respondents (33%) claimed they possess a solid understanding of quantum computing capabilities, a statistic that Gallego celebrated. However, this apparent progress is overshadowed by a worrying trend regarding knowledge of quantum cryptography standards.
Lack of Awareness Regarding NIST’s Quantum Standards
The survey also revealed a significant knowledge gap concerning the post-quantum cryptographic standards from the U.S. National Institute of Standards and Technology (NIST), which were formalized in August 2024. A mere 7% of global IT professionals reported having a strong grasp of these standards, and the figure plummeted to just 5% among European IT professionals.
Worse, 44% of respondents indicated they had not even heard of the NIST standards. These standards aim to provide quantum-resistant frameworks for various systems and use cases, thereby shielding organizations from future quantum threats. They include algorithms for digital signatures that authenticate identities, as well as key-encapsulation mechanisms for establishing shared secret keys over public channels.
Jamie Norton, a board director at ISACA, emphasized the urgency for organizations to develop plans to navigate a post-quantum landscape. “Many organizations underestimate the rapid advancement of quantum computing and its potential to break existing encryption. They need to start examining whether they have the expertise to implement post-quantum cryptography solutions now, to ensure they are able to effectively mitigate its impacts,” he cautioned.
Roadmap for Transitioning to Quantum-Safe Encryption
In light of these findings, ISACA advises security leaders to develop a comprehensive roadmap for transitioning to quantum-safe encryption. This roadmap should include the following steps:
- Educate stakeholders about the risks associated with quantum computing and the urgent need for quantum-resistant encryption.
- Assess and identify where encrypted data is stored to determine vulnerabilities.
- Begin transitioning critical data and systems to robust quantum-resistant encryption solutions.
- Upgrade digital infrastructure and ensure that all internet-connected systems remain secure against quantum threats.
Anticipated Timeline for Quantum Threats
Despite the significant upheaval that quantum computing promises, Gallego remarked that these computers are “still in their infancy.” Currently, they face challenges related to costs and operation, including the need to maintain extremely low temperatures—15 millikelvin, a staggering 180 times colder than outer space.
Given these limitations, Gallego anticipates that most companies will not possess their own quantum computers. Instead, he foresees a "quantum-as-a-service" model emerging, whereby major technology enterprises will offer quantum capabilities as a service, managing the intricacies involved.
Gallego also predicted that this technology will reach a level of sophistication capable of breaking existing encryption within a timeframe of seven to 15 years. This forecast aligns with the survey findings, in which 61% of European respondents believe that such a dangerous scenario could unfold within six to 15 years.
ISACA’s Quantum Computing Pulse Poll gathered insights from 2,685 IT professionals globally, including 529 respondents from Europe, revealing a wide array of concerns and highlighting the urgent need for organizations to prepare for the quantum computing revolution.
This fluid landscape demands immediate action, education, and infrastructure upgrades to ensure organizational resilience as quantum capabilities evolve and potentially threaten current security paradigms.