Infosecurity Europe: Raise Security Concerns with Procurement Now, Because Quantum Can’t Wait

Quantum computing is moving from theoretical research to practical capability faster than many enterprises anticipate. The National Security Agency has warned since 2021 about harvest‑now‑decrypt‑later (HNDL) attacks, where adversaries capture encrypted traffic today and wait for quantum breakthroughs to decrypt it later. Recent disclosures, including Snowden’s leaks and the UK‑US Tempora program, confirm that state actors already collect massive volumes of encrypted data, underscoring the urgency for organizations to reassess their cryptographic defenses before quantum‑ready algorithms become mainstream.

Despite the looming risk, adoption of post‑quantum cryptography remains painfully low. Only 8% of SSH servers worldwide now support PQC, a marginal two‑point increase over the past year. Meanwhile, a new EY survey shows 87% of business leaders expect quantum disruption by 2030, yet merely 35% have elevated it to a five‑year strategic priority. This mismatch reflects a broader procurement blind spot: most purchasing decisions still evaluate products on legacy security criteria, ignoring future quantum resilience. The result is a growing exposure window where long‑lived data—financial records, intellectual property, personal information—could be retroactively compromised.

Ferguson’s three‑pronged roadmap offers a pragmatic path forward. First, organizations must conduct continuous, real‑time inventories of all encryption‑dependent assets to gauge PQC compatibility. Second, embed quantum readiness into procurement policies so every new hardware or software purchase is evaluated for crypto‑agility. Finally, adopt flexible cryptographic frameworks—such as TLS 1.3—that can accommodate future PQC algorithms without immediate cipher changes. Aligning these steps with the G7 Cyber Expert Group’s 2028‑29 migration timeline will shrink the vulnerability gap and position firms to transition smoothly when quantum computers become a realistic threat.