The Entrust Cybersecurity Institute has released survey findings on post-quantum cryptography (PQC) and public key infrastructure (PKI), assessing organizational PQ preparedness and the future of encryption. The global study reveals that most organizations have not begun preparing for the post-quantum threat. This comes on the heels of NIST publishing its first three finalized post-quantum encryption standards, outlining usage and implementation guidelines for organizations entering a new era of quantum cryptography.
Entrust’s 2024 PKI and Post Quantum Trends Study presents findings from a survey of IT and IT security professionals across the U.S., UK, Canada, Germany, UAE, Australia/New Zealand, Japan, Singapore, and the Middle East, conducted by the Ponemon Institute. Compared to previous years, this new data shows a clear shift towards increased awareness of PQC and the threats it poses to modern organizations. At the same time, it highlights a concerning trend that most organizations are either not yet motivated or unprepared for the transition, citing major concerns with the skills, education, and technologies needed to effectively prepare, leaving them vulnerable to potential attacks.
“There’s a shift in the industry with regard to Post-Quantum readiness," said Samantha Mabey, Director of Digital Solutions Marketing at Entrust. “While the questions around the PQ threat used to be ‘is it real’, the questions as of late are now ‘what do I need to do’ and ‘how’.”
Key findings from the 2024 PKI and Post Quantum Trends Study include:
• Support for PQC readiness is increasing, but plans for implementation are trailing: While 61% of global respondents plan to migrate to PQC within the next five years, less than half of organizations globally (41%) are presently preparing for the transition. At the same time, 38% of global respondents reported not having the right scale and technology to support the required extra computing power for PQC.
• Ownership, skills, and inconsistent requirements serve as the top challenges for enabling applications of PKI: 51% of respondents reported a lack of clear ownership over this transition, while 43% reported a tie between insufficient skills and complicated or fragmented requirements as the biggest hurdle to enabling PKI.
• Cryptographic asset visibility is a top concern for organizations seeking PQC readiness: Despite the fact that 44% reported a focus on building their cryptographic strategy, 43% cited an inability to simply inventory their crypto asset, the top concern for all nine countries surveyed in readying themselves for the transition.
• Even among organizations that decide to migrate, the path to PQC is uncertain: While 36% of organizations globally favor implementing a strict PQC plan, a significant proportion are inclined towards a hybrid approach (31%) or initial internal testing of PQC (26%).
“Organizations know that the threat of PQ is inevitable and impact substantial, but they lack the cryptographic visibility, skills, and computing power needed to effectively activate a plan, revealing a critical gap between awareness and action as the quantum threat looms. A major focus for organizations in 2025 will be activating these plans, bolstering their visibility into their cryptographic assets, and preparing their teams for a quantum-safe future” said Mabey.