SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australian firms lag on post-quantum crypto readiness

Tue, 19th May 2026
Sean Mitchell, Publisher

Certes has published research suggesting many Australian organisations are behind in preparing for post-quantum cryptography, highlighting a wide gap between awareness of quantum threats and confidence in meeting official timelines.

The study found that 78% of organisations see legacy systems as their biggest quantum security risk, yet only 11% are confident they can achieve post-quantum readiness within expected deadlines. It also found that 74% regard edge and IoT environments as a major risk, while 73% are assessing the impact of so-called harvest now, decrypt later attacks.

The findings come as the Australian Signals Directorate's Australian Cyber Security Centre urges organisations to begin planning the move to post-quantum cryptography. Its guidance calls for a refined transition plan by the end of 2026, migration of vulnerable systems by the end of 2028, and completion of the shift away from traditional asymmetric cryptography by 2030.

For sectors such as critical infrastructure, financial services, telecommunications, healthcare and government, the challenge is compounded by long technology replacement cycles and continued reliance on older systems. These environments are often difficult to update, increasing the cost and complexity of changing cryptographic tools across large estates.

The research, conducted by Freeform Dynamics and commissioned by Certes, surveyed senior IT and security leaders at large organisations across sectors including financial services, healthcare, manufacturing and the public sector.

Other findings suggest concern about quantum risk is outpacing practical execution. Only 2% of respondents said they were fully confident in achieving full crypto agility, while 97% were not fully confident they could meet crypto agility timelines.

Budget also appears to be a constraint. Just 25% said they had a dedicated budget for quantum security work, even though 91% identified mitigation of material business risk as a main driver for action.

Execution gap

Quantum computing is expected to weaken much of the encryption now used to secure data and communications, although the timeline remains debated. Security specialists have also warned that attackers may already be collecting encrypted information for later decryption once more advanced quantum systems become available.

Paul German, chief executive officer of Certes, said the figures point to a broad failure to turn concern into action.

"Most security and IT leaders understand the threat quantum computing poses; they know the timelines, and they recognise what's at stake, but the challenge is that comprehending the problem and being equipped to solve it are two very different things. When only 11% of organisations feel confident they can meet initial post-quantum readiness targets, and the majority admit that legacy systems are their biggest risk, it suggests a serious gap between intent and execution. We are looking at a systemic readiness crisis, not isolated pockets of unpreparedness, and what keeps me up at night is that this isn't something organisations can afford to kick down the road.

"Harvest now, decrypt later attacks are happening today, which means data that feels secure right now will be compromised years from now when quantum capabilities catch up. The 2030 milestone sounds like it's a long way off, but when you factor in the sheer scale of complexities and cryptographic transition, the runway is much shorter than it looks. The window to act is narrowing, and time is running out faster than most organisations realise."

The findings suggest organisations are increasingly treating quantum security as a business problem rather than a narrow technical issue. That shift may help boards and executive teams justify spending, but the survey indicates many still lack the funding and internal readiness needed to begin large-scale migration work.

Legacy burden

Simon Pamplin, chief technology officer of Certes, said the hardest work lies in older and more distributed technology estates.

"What this research confirms is that the organisations making real progress on PQC are the ones treating it as a business risk problem, not just a compliance checkbox. The hardest challenges lie in legacy environments, custom applications, and edge and IoT infrastructure; these represent both the greatest exposure and the most complex remediation work, requiring careful prioritisation rather than a blanket approach. The case for acting now is not precautionary; it is entirely practical, and the organisations that build strong cryptographic foundations early will be in a significantly stronger position as the window narrows."

Alongside the research, Certes has introduced version 7 of its Data Protection and Risk Mitigation platform. The updated software is intended to help organisations apply post-quantum cryptography to legacy applications, hybrid cloud systems, AI workloads and edge environments without rewriting applications or redesigning networks.

Certes says the software can be deployed in days rather than months and uses central policy controls across hybrid, multi-cloud, on-premises and edge environments. It is intended to address the gap between planning and implementation by reducing the operational disruption typically associated with cryptographic change.

Dan Panesar, chief revenue officer of Certes, said many organisations cannot solve the problem by extending current security stacks.

"What we're seeing is a growing realisation that current approaches to security simply don't scale to the quantum challenge. You can't solve this by layering more controls onto already complicated environments or by planning another multi-year migration cycle. Organisations need a more practical path forward, one that delivers quantum-safe data protection and crypto-segmentation for any application, over any infrastructure, anywhere. That's how you move from theory to execution, reduce risk immediately, and give customers confidence that their data remains protected both today and in a post-quantum world."