Despite growing awareness of quantum computing risks and increasing pressure on organisations to prepare for the transition to post-quantum cryptography (PQC), most internet-facing systems remain unprepared for a quantum-safe future, according to new research from Forescout Research – Vedere Labs.
The report, published today, reveals that while adoption of PQC-capable technologies has accelerated over the past year, progress remains uneven across both internet infrastructure and enterprise networks.
Globally, the number of SSH servers supporting post-quantum cryptography has grown from 11.5 million to more than 19 million in just 12 months – a 72% increase. However, despite this growth, only 11.8% of internet-facing SSH servers are currently capable of supporting PQC, up from 6.2% a year ago. In other words, nearly 90% of identified SSH servers remain vulnerable to future quantum-enabled attacks.
The UK reflects a similar picture. Just 7.2% of SSH servers are currently PQC-capable, indicating that the overwhelming majority of internet-facing systems across the country have yet to begin the transition to quantum-resistant cryptography.
The findings come as governments and cybersecurity agencies around the world continue to warn organisations about the risks posed by “harvest now, decrypt later” attacks, where encrypted data is collected today and stored for future decryption once sufficiently powerful quantum computers become available.
Progress Is Being Made – But Not Fast Enough
The research found signs of progress across internet infrastructure. TLSv1.3, currently the only version of the protocol positioned to support post-quantum cryptography, now runs on 30% of identified internet-facing servers globally, up from 19% a year ago.
The UK is broadly aligned with the global trend, with TLSv1.3 now present on 31% of identified servers.
However, researchers warn that protocol upgrades alone do not guarantee quantum readiness and that organisations must still identify where quantum-vulnerable encryption is being used throughout their environments.
Within enterprise networks, readiness levels vary dramatically between traditional IT assets and cyber-physical systems. Previous analysis from Forescout found that while half of IT devices support PQC-capable SSH, adoption falls sharply across operational technology (OT), Internet of Things (IoT) and Internet of Medical Things (IoMT) environments, which are often more difficult to upgrade and maintain.
“Many organisations understand that quantum computing represents a future cybersecurity challenge, but far fewer understand where quantum-vulnerable encryption exists across their own environments today,” said Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs. “Inventory, visibility and risk prioritisation are becoming critical first steps as organisations prepare for what will be a multi-year migration effort.”
Taking Action
To help organisations better understand and manage quantum exposure, Forescout has announced the launch of new Post-Quantum Cryptography Readiness and Encryption Hygiene Dashboards.
The dashboards are designed to provide continuous visibility into cryptographic posture across IT, OT, IoT and IoMT environments, helping security teams identify where quantum-unsafe encryption is in use and which assets should be prioritised for remediation.
Capabilities include quantum encryption assessments, identification of assets using weak encryption, traffic analysis to detect concentrations of quantum-vulnerable communications and risk correlation that links cryptographic weaknesses to asset criticality and exposure.
Unlike traditional cryptographic discovery tools that simply catalogue protocols and ciphers, the dashboards are designed to help organisations understand which encryption gaps pose the greatest operational and security risk.
“Enterprise security teams are increasingly being asked by boards, regulators and auditors to demonstrate awareness and progress on post-quantum cryptography long before large-scale migration is feasible,” said Paul Kao, Chief Product Officer at Forescout. “Organisations need practical ways to understand where they stand today, prioritise risk and demonstrate progress over time.”
The Race to 2035 Has Already Started
Guidance from organisations including NIST, the G7 and the UK’s National Cyber Security Centre (NCSC) increasingly points towards the 2030-2035 period as a critical window for the widespread adoption of quantum-resistant cryptography.
The NCSC’s own migration roadmap calls on organisations to begin planning and discovery activities now, recognising that cryptographic migration across complex environments could take years to complete.
The latest findings suggest many organisations still have significant ground to cover. While adoption of PQC-capable technologies is growing, the reality is that the vast majority of internet-facing systems remain unprepared for the quantum era.
For security leaders, the challenge is understanding where exposure exists today and taking the first practical steps towards a quantum-safe future.
