Securing data in the post-quantum age

  • Publication
  • February 11, 2025

Post-quantum readiness is no longer optional - it’s a strategic necessity. To prepare against cyber risks, organisations must transition to quantum-resistant encryption and align with evolving regulatory frameworks.

As quantum computing makes its way into real-world businesses and industries, it is about to pose one of the greatest cybersecurity issues of our time.

Whether quantum computing will be as revolutionary as the advent of normal computers is no longer in question - it’s already moving beyond the lab and changing the way we approach complex problem solving, encryption and security. What’s become increasingly clear is the imminent threat to data confidentiality. As quantum technologies advance, the threat to data protection becomes more urgent, along with the potential threats to traditional cryptographic assets and systems.

Although further innovation is needed to achieve the accuracy and scale required for an operational quantum computer, the pace of advancements in quantum technology suggests significant progress and a quicker timeline for achieving this reality. While quantum computing promises what is referred to as “quantum advantage”, where it can outperform classical supercomputers, it also presents a substantial risk to the cryptographic foundations securing today’s digital world. Encryption is deeply embedded and integrated in everything we do in this digital world, yet it remains poorly documented and poorly understood.

This is a “now” problem, not a “5 or 10-year problem”. We need only look back to 1997, when the commonly used Data Encryption Standard (DES) was broken and the world had to transition to the now widely used Advanced Encryption Standard (AES). That transition was long, protracted and complex - with DES still used today in some systems. With today’s exponential digital explosion, the transition to quantum-resistant encryption will be even more challenging. With new resilience measures and cryptography compliance standards coming into focus, it is critical to assess, prepare and prove technological and regulatory readiness for cyber-attacks in a post-quantum world.

Understanding the threat landscape

A major risk of quantum computing is the potential compromise of sensitive data. This has wide-reaching consequences across industries, especially those reliant on vulnerable cryptographic systems for critical services, such as government, energy, finance, telecommunications, and health. The net effect of compromised data is loss of trust from customers and stakeholders, leading to significant and unpredictable consequences for reputation, regulatory compliance and financial impact.

Nation-state actors pose the greatest near-term threat to current encryption systems, given the significant resources needed for quantum computing. However, attacks from other groups, such as independent criminal enterprises, are also a growing threat, as data stolen today could be decrypted in the future with more advanced quantum capabilities.

Threats at a glance:

  • “Harvest Now, Decrypt Later” attacks: Malicious actors have already started harvesting and storing substantial amounts of encrypted data so they can mass-decrypt sensitive information as quantum capabilities become accessible.
  • Compromised certificates and trust chains: Quantum attacks could break the public key infrastructure (PKI) used to issue digital certificates, leading to forged certificates that mislead users into trusting malicious websites. This can have a major impact on internet communication, email protection and trust in online transactions. 
  • Signature impersonation: Quantum computing power allows attackers to impersonate digital signature certificates, resulting in attacks such as malware distribution and targeted phishing.

The regulatory landscape: What’s being done to defend against quantum threats

As risks increase, industry and government regulatory guidance is also expanding to protect organisations against quantum threats:

  • The 2022 USA Quantum Computing Cybersecurity Preparedness Act prepares organisations for the transition to post-quantum cryptography.
  • In April 2024, the European Union Agency for Cybersecurity (ENISA) issued a recommendation on the need for a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography (PQC), encouraging European Union member states to develop a comprehensive strategy for the adoption of Post-Quantum Cryptography.
  • In August 2024, the National Institute of Standards and Technology (NIST) released three post-quantum encryption standards. These are meant to be actioned, and NIST recommends that organisations begin implementing them now.
  • As a continuation of its efforts to protect against post-quantum threats, NIST announced in October 2024 a list of 14 candidates to advance to the second round of the additional digital signatures for the post-quantum cryptography standardisation process.
  • In the Middle East, the Technology Innovation Institute (TII) in Abu Dhabi has been proactive in addressing quantum cryptography threats. TII's Cryptography Research Centre developed the UAE's first Post-Quantum Cryptography Library, a collection of algorithms designed to safeguard confidential data against potential quantum attacks. This initiative underscores the region's commitment to advancing quantum-resistant cryptographic solutions.

Post-quantum readiness:  Key insights and questions 

Organisations across major sectors are responding by investing in research, developing quantum-resistant technologies and collaborating with industry advisors. Whether you're well into your quantum journey or still assessing your risk, you should ask some key questions:

  • Does your organisation understand how you are currently using cryptography to secure your data and how quantum computing can impact your security protocols and controls?
  • Does your organisation understand which systems utilise and process sensitive or proprietary information vulnerable to the quantum threat?
  • Is your data safeguarded from quantum threats to your cryptography that exist today, such as “Harvest Now, Decrypt Later” attacks?
  • Have you revised your risk assessment of data loss or breach and reassessed your historical data loss with this new threat?
  • Are you prepared to meet impending regulatory requirements around quantum threat resilience?
  • Have you assessed your third-party relationships, their cryptologic standards and any potential impacts on post-quantum cryptography?
  • Have you revised your procurement requirements to address PQC standards and to document encryption for new solutions?

Prepare your roadmap for post-quantum readiness

When it comes to quantum cryptography, one thing is certain: The technology will continue to advance and the transition to post-quantum readiness should begin now. Just like the Year 2000 problem, organisations will need to assign a task force and a dedicated programme to transition and protect their environment, as this will likely take many years to complete.

1. Assess 

Gain visibility of the current cryptographic environment and measure maturity and risk in the context of PQC.

1.1 Cryptographic asset discovery and inventory

Conduct a thorough inventory of cryptographic assets across the organisation, utilising automated scanning tools and manual methods to identify cryptographic algorithms, protocols, and keys in use.

1.2 Asset-based quantum risk assessment

Evaluate the risks associated with the cryptographic inventory of key assets, assessing the vulnerability of current cryptographic implementations to quantum attacks and the potential impact on business operations.

1.3 Data loss risk reassessment

Assess the potential impact of data already compromised or intercepted that could be decrypted later as quantum computing capabilities mature, focusing on identifying and mitigating data loss risks.
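
As an added illustration of steps 1.1 to 1.3 (not part of the original publication), the sketch below classifies a small inventory by quantum exposure and ranks it so that "Harvest Now, Decrypt Later" exposure comes first. The inventory entries, system names and the `horizon_years` planning value are constructed assumptions, not predictions or real findings.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# NIST post-quantum standards published in August 2024 (FIPS 203, 204, 205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    system: str         # hypothetical system name
    algorithm: str      # algorithm family found by discovery (step 1.1)
    size: int           # key size in bits, or PQC parameter set
    use: str            # "key-exchange", "encryption" or "signature"
    secrecy_years: int  # how long the protected data must stay confidential

def classify(a: Asset) -> str:
    """Step 1.2: quantum exposure of the algorithm itself."""
    alg = a.algorithm.upper()
    if alg in PQC:
        return "quantum-resistant"
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable"
    if alg == "AES":
        # Grover's algorithm roughly halves the effective bit strength.
        return "quantum-resistant" if a.size >= 256 else "review"
    return "unknown"  # not recognised: needs manual analysis

def priority(a: Asset, horizon_years: int) -> int:
    """Step 1.3: 1 = harvest-now-decrypt-later exposure, 4 = no action."""
    status = classify(a)
    if status == "quantum-vulnerable":
        # Recorded ciphertext stays valuable if the data outlives the horizon.
        exposed = a.use in ("key-exchange", "encryption")
        return 1 if exposed and a.secrecy_years >= horizon_years else 2
    return 4 if status == "quantum-resistant" else 3

def assess(inventory, horizon_years=10):
    """Return (priority, system, status) rows, most urgent first."""
    rows = [(priority(a, horizon_years), a.system, classify(a)) for a in inventory]
    return sorted(rows)

# Constructed inventory for illustration only.
INVENTORY = [
    Asset("db-tde", "AES", 256, "encryption", 25),
    Asset("code-signing", "RSA", 3072, "signature", 0),
    Asset("vpn-gateway", "ECDH", 256, "key-exchange", 15),
    Asset("backup-archive", "AES", 128, "encryption", 25),
    Asset("pilot-tls", "ML-KEM", 768, "key-exchange", 15),
]
```

Calling `assess(INVENTORY)` returns the rows sorted by urgency; raising `horizon_years` above a system's `secrecy_years` moves it from priority 1 to priority 2.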

2. Plan

Establish unified strategies and frameworks to prepare for a secure post-quantum future.

2.1 PPQC strategy

Prepare for a post-quantum future by defining key security goals and the implementation roadmap across people, process and technology, including third-party risk, culture, system design and legacy technology, to ensure organisations stay ahead of security challenges posed by quantum advancements.

2.2 PPQC procurement framework

Adapt procurement policies and procedures to align with PPQC requirements. This involves revising procurement guidelines, vendor selection criteria and contract management to ensure that all products and services meet quantum-proof security standards.

3. Transform

Transition culture, processes and technology to PPQC.

3.1 Phased implementation of quantum-resistant cryptographic solutions 

Phase the implementation of PQC solutions, prioritising assets and systems based on risk assessments and criticality to business operations.

3.2 PPQC algorithm testing and validation

Enable a smooth transition by testing post-quantum cryptographic algorithms in controlled lab or development environments to ensure they meet performance, security and interoperability requirements before deployment.

3.3 Awareness and education

Enable cultural transformation by promoting awareness of quantum threats and risks, and upskilling operators and security personnel on post-quantum migration activities.

4. Oversight

Set up a dedicated Project Management Office (PMO) to oversee the execution of quantum security initiatives entity-wide, ensuring structured project management, internal and external reporting and compliance with organisational requirements. This is particularly crucial for large, complex organisations with distributed environments and stakeholders.

Are you ready for a post-quantum world? 

The transformative potential of quantum computing brings with it associated cybersecurity challenges. Organisations in the region must be well-prepared to navigate the complexities of the post-quantum era, safeguarding their data and maintaining trust in their digital infrastructures. They need to work with experts who are at the forefront of researching and implementing post-quantum cryptographic solutions, facilitating the assessment of current cryptographic frameworks, identifying vulnerabilities susceptible to quantum attacks, and enabling the transition to quantum-resistant algorithms.

We believe that the most important question that technology, security and business leaders should ask themselves is simple yet pivotal: “Is my organisation ready for a post-quantum world?”

The time to act is now and organisations should establish a programme to start the transition from discovery through to actual implementation. Business leaders must revisit their risk exposure, stay informed about the latest advancements in quantum computing, and adjust their defense and risk strategies accordingly. A static approach could leave critical gaps in security infrastructure, as quantum threats can undoubtedly grow more sophisticated.

By adopting quantum-resistant technologies, and fostering a culture of agility and preparedness, organisations can build the resilience necessary to safeguard their most essential assets. This isn’t just about a technological upgrade - it’s a strategic imperative for business survival.

Preparing for quantum threats isn’t just about safeguarding data - it's about future-proofing trust in a digital world that’s evolving faster than ever before.

Clinton Firth - Cybersecurity and Digital Trust Partner, PwC Middle East

Contributors: 

  • Dr. Mohammad Alhammouri - Partner, PwC Middle East
  • Ahmad Shah - Senior Manager, PwC Middle East
  • Ismail Qamar - Senior Manager, PwC Middle East 
  • Ali Qureshi - Manager, PwC Middle East
