A recent survey conducted by ISACA has revealed a stark reality: a majority of organizations are unprepared to defend against the impending risks posed by quantum-enabled threats. Specifically, the data indicates that merely 5% of IT professionals report having a defined strategy to address these threats within their organizations. Alarmingly, only 3% of respondents consider it a primary concern for the near future.
The survey results are illustrative of a growing issue in the field of cybersecurity. Over half of the surveyed IT professionals—59%—admitted that their organizations have not initiated any preparations to counteract the potential implications of quantum computing technology. Experts have long warned that quantum computers will possess the capacity to dismantle existing encryption methods, such as RSA and AES, which could critically expose sensitive information across all sectors.
During a recent press briefing, Ramses Gallego, the President of ISACA’s Barcelona Chapter, highlighted the gravity of this situation. He stated, “We are talking about a world with no secrets, a world with no barriers or borders,” reflecting the profound transformation in cybersecurity landscapes posed by quantum technology.
Quantum’s Transformative Potential
Despite this unsettling lack of preparedness, the survey respondents acknowledged the significant ramifications that quantum technology could have on cybersecurity. For example, more than half (56%) expressed concern over "harvest now, decrypt later" attacks, a strategy whereby threat actors stockpile encrypted data today with the intention of decrypting it in the future when quantum computers become more prevalent.
Additionally, approximately two-thirds (62%) of participants believe that quantum computing will ultimately disrupt current internet encryption standards. Another 57% expressed worries that it would introduce new business risks. On an educational front, 52% of respondents anticipate a shift in the skill requirements needed to adapt to the emerging quantum landscape. Notably, 33% of European respondents claim to have a solid understanding of the capabilities of quantum computing, a sentiment Gallego found encouraging.
Gaps in Knowledge About Quantum Standards
The survey also unveiled a concerning gap in understanding regarding the post-quantum cryptographic standards established by the US National Institute of Standards and Technology (NIST). Only 7% of global IT professionals reported a strong understanding of these standards, which were formalized in August 2024. In Europe, this figure dipped even further to just 5%. Surprisingly, 44% of global respondents indicated that they have never even heard of the NIST standards.
These standards are crucial, as they encompass three post-quantum cryptographic algorithms designed to offer quantum-resistant solutions tailored for various systems and use cases, including digital signatures for identity authentication and key-encapsulation mechanisms for securely sharing keys over public channels. Jamie Norton, an ISACA board director, emphasized the importance of proactive planning, stating, “Many organizations underestimate the rapid advancement of quantum computing and its potential to break existing encryption.” He warns that organizations must assess whether they possess the necessary expertise to implement post-quantum cryptography solutions to effectively mitigate these imminent risks.
Recommendations for a Quantum-Resistant Future
To assist organizations in transitioning toward quantum-safe encryption, ISACA has proposed a strategic roadmap:
- Education: Stakeholders should be informed about the risks associated with quantum computing and the urgent demand for quantum-resistant encryption.
- Assessment: Organizations need to identify where their encrypted data is stored and recognize any existing vulnerabilities.
- Transition: Steps should be taken to begin moving critical data and systems toward quantum-resistant encryption.
- Infrastructure Upgrades: It is vital to bolster digital infrastructure to ensure that all internet-connected systems uphold the highest security standards.
The Timeline for Quantum Threats
Despite the significant risks posed by quantum technology, Gallego underscored that quantum computers remain in a nascent stage; they are currently costly and technically challenging to operate. One of the notable obstacles is that these machines must function at exceedingly low temperatures—specifically, 15 millikelvin, which is 180 times cooler than outer space. Consequently, he predicts that most organizations will not be able to own quantum computers in the near future. Instead, this will likely lead to the emergence of a “quantum-as-a-service” model, allowing large tech firms to harness and distribute quantum computational power to those in need.
Gallego estimates that quantum technology may advance to a level where it can break current encryption within the next seven to fifteen years, a timeline that resonates with the ISACA survey findings. A significant portion—61% of European respondents—mirrored this prediction, estimating that such disruptive capabilities could be realized in a timeframe of six to fifteen years.
Overall, ISACA’s study, which consulted 2,685 IT professionals globally and included 529 European respondents, highlights a crucial juncture in the cybersecurity landscape. As quantum technology continues to evolve, the onus falls on organizations to proactively prepare and adapt to ensure robust defenses against emerging threats.