Certes has released new research showing that many organizations remain unprepared for the security risks posed by quantum computing, despite growing awareness of the threat.
According to the company’s Emerging PQC Imperative report, 78% of organizations believe legacy systems represent their biggest quantum security risk. The findings highlight growing concerns that outdated infrastructure and applications could leave sensitive data exposed as quantum computing capabilities advance.
The study, conducted by Freeform Dynamics and commissioned by Certes, surveyed 200 senior IT and security leaders across the United States and the United Kingdom, including CISOs, CIOs, and other decision-makers from industries such as healthcare, manufacturing, financial services, and the public sector.
Organizations struggling to move from planning to action
While awareness of post-quantum cryptography risks is high, the research found that many businesses lack confidence in their ability to respond effectively.
Only 11% of organizations said they are confident they can achieve post-quantum readiness within expected timelines. Meanwhile, just 2% said they are fully confident in achieving crypto agility at scale.
The report also found that 97% of respondents are not fully confident they can meet long-term crypto agility timelines, suggesting a significant gap between strategy and execution.
Paul German, CEO of Certes, said organizations understand the threat posed by quantum computing but are struggling to turn awareness into meaningful action.
“Most security and IT leaders understand the threat quantum computing poses. They know the timelines, and they recognize what’s at stake, but comprehending the problem and being equipped to solve it are two very different things,” German said.
He warned that businesses can no longer afford to delay preparations for post-quantum security.
“The 2030 milestone sounds like it’s a long way off, but when you factor in the sheer scale of complexities and cryptographic transition, the runway is much shorter than it looks,” he said. “The window to act is narrowing, and time is running out faster than most organizations realize.”
Edge and IoT systems seen as major weak points
The research also highlighted growing concern around edge computing and IoT infrastructure.
Nearly three-quarters of respondents, 74%, said edge and IoT environments are a major quantum security risk because they are difficult to upgrade and standardize.
At the same time, 73% of organizations said they are evaluating the impact of “harvest now, decrypt later” attacks, where cybercriminals collect encrypted data today with the intention of decrypting it in the future once quantum computing becomes viable.
Simon Pamplin, CTO of Certes, said the organizations making the most progress are treating quantum readiness as a business risk issue rather than simply a compliance exercise.
“The hardest challenges lie in legacy environments, custom applications, and edge and IoT infrastructure,” Pamplin said. “These represent both the greatest exposure and the most complex remediation work.”
Certes launches new platform update
Alongside the research, Certes announced the launch of v7 of its Data Protection and Risk Mitigation platform.
The company said the update is designed to help organizations deploy quantum-safe data protection and crypto-segmentation across hybrid cloud, edge, and legacy environments without requiring major infrastructure changes.
Certes said the platform is intended to simplify post-quantum security adoption while reducing operational complexity for businesses facing increasing pressure to modernize their cryptographic protections.
For more information on v7 as part of the Certes DPRM platform visit: https://pages.certes.ai/v7-blueprint-for-quantum
