Post-Quantum: Are Organisations Ready?

July 2025, Daryl Flack, Co-founder and Partner

Published in: SC Magazine UK

As Q-Day approaches, what progress has been made in securing businesses from quantum attacks so far, and what still needs to be done?

The reality still seems far away, but the first six months of the year has seen major advancements in quantum technology. In May, Heriot-Watt University opened a £2.5 million quantum facility that will help secure next-generation communications against cyber threats.

In April, the UK government announced a £121 million investment in new technologies including £21 million for the National Quantum Computing Centre to advance software and testbed development.

In June, physicists at the University of Oxford set a new global benchmark for the accuracy of controlling a single quantum bit, achieving the lowest-ever error rate for a quantum logic operation.

Yet with quantum increasingly on the agenda, concerns are rising that criminals will be able to use quantum to hack critical systems such as satellites.

Q-Day – also known as Y2Q – which sees quantum computers become powerful enough to break through traditional encryption methods, is expected to happen within the next five years.

With this pressing issue in mind, what progress has been made in securing businesses from quantum attacks in 2025 so far, and what still needs to be done?

Q-Day Approaches

As Q-Day approaches, the threat posed by quantum-based attacks and the need to shore up defences as a result is becoming widely acknowledged. In March, the UK National Cyber Security Centre (NCSC) published new guidance on how organisations should migrate safely to post-quantum cryptography.

The NCSC urged organisations to guard their systems against quantum hackers by 2035. It issued a framework for larger businesses such as energy and transport providers, with a recommended timeline to become quantum-secure.

Inside firms themselves, there is growing awareness about the threat from quantum, but many are lacking the tools and policies to tackle it.

IT professionals are worried about the cybersecurity risks presented by quantum computing, but hardly any said their organisations have a proper strategy, according to new research from ISACA.

While 67% of European IT professionals are worried that quantum computing could increase or shift cybersecurity risks, just four percent say their organisation has a defined strategy, according to ISACA’s survey.

Only five percent have a strong understanding of the new NIST post-quantum cryptography standards, despite the fact that NIST has been working on them for over 10 years.

ISC2 CISO Jon France, who is leading an ISC2 Quantum Transition Task Force for cybersecurity professionals, says quantum computing is beginning to register on more organisations’ radars, but awareness and understanding are “still dangerously low”.

Many see quantum as a decade away, which creates complacency, he says “but as the NCSC warned, this transition could make Y2K look like child’s play.”

Meaningful Action

Firms are certainly talking about quantum – but few are taking meaningful action, says Alan Braggins, cyber security expert at PA Consulting. “That may be because quantum sounds too generic, leading organisations to dismiss it as not directly relevant, or because it still feels too far off in the future.”

Quantum computing is slowly starting to gain an early foothold on the radar of some organisations — particularly those operating in critical national infrastructure (CNI), says Daryl Flack, partner at Avella Security. More generally though, many firms’ awareness “remains patchy at best”, he says.

“Organisations are either in the very early stages of understanding the quantum risk or worse, not engaged at all.”

There has also been a relatively long period of “crypto-stability” where little has changed about the way cryptography itself is done, says Michael Murphy, deputy CTO, Arqit. “We’re still using similar algorithms to those in use 30 years ago. This means that most firms aren’t equipped to understand how to make the transition and are waiting on vendors to provide the answers.”

Yet there isn’t long to change. The NCSC is recommending that organisations have an initial plan by 2028 for migration to new encryption algorithms that are not susceptible to quantum computing cracking.

Some companies have already migrated or at least moved to hybrid deployments, using a mix of post quantum cryptology algorithms and standard RSA to “build experience for a complete switch at some stage in the near future”, says Dr David Howie, strategic advisor, UBDS Digital. “This issue is currently very much on the to-do list of CIOs and CTOs.”

Harvest Now, Decrypt Later

Adversaries are also preparing. They are harvesting encrypted data with the intention to decrypt it when quantum becomes viable at scale, France warns. “They’re putting the work in now to reap the rewards further down the line: Harvest now, decrypt later.”

As focus and resource is drawn towards the potential opportunity – and equal threat – of AI, quantum development is quietly evolving at an ever-increasing pace, adds Peter Jones, cybersecurity specialist at ITGL. “Without proactive education, this has the potential to catch many organisations off guard.”

Taking this into account, it’s important to face the issue head-on, alongside the more immediate threat of AI, experts say. In fact, quantum-readiness could even help firms mitigate AI risks.

“Quantum-based optimisation has the potential to improve AI models, and some AI tasks may run better on quantum computers once they reach a certain scale,” says Braggins.

On the other hand, AI could also speed up the development of quantum computers, searching for better error codes or qubit connection topologies, and be used to control and optimise the operation of a large quantum machine.

Five years until Q-Day is not a long time. For now, businesses need to get C-suite agreement on the strategic importance of post-quantum cryptography migration, says Braggins.

Firms should also start discovery if they don't already have a cryptographic inventory, and make cryptographic agility “a baseline requirement” for all new projects and procurement, he says. “Businesses shouldn’t wait to set their initial strategy. The earlier you identify where and when you should take action – and where you can delay it – the lower the overall costs.”