THALES BLOG

Quantum-Safe Doesn’t Mean Secure: The Dangerous Misconception That Will Undermine PQC Adoption in 2026

May 5, 2026

Blair Canavan | Director, Alliances – PQC Portfolio, Thales

Why Quantum‑Safe Alone Isn’t Enough

Quantum computing is a real and looming threat to today’s encryption standards. Shor’s algorithm could break asymmetric encryption methods like RSA, ECC, and Diffie‑Hellman, while some speculate that Grover’s algorithm could potentially weaken symmetric encryption methods such as AES and SHA‑256. These threats are applicable to data security, data integrity, and authentication.

Yet even as businesses prepare for quantum threats with stronger, quantum‑resistant algorithms, encryption alone is not enough. Sure, it protects data privacy and integrity, but it doesn’t verify who is accessing that data.

While fully-fledged quantum computing is still several years away, “harvest now, decrypt later” and “harvest now, forge later” attacks are already happening: threat actors harvest encrypted data and store it until quantum computing capabilities are developed that can decrypt it. In addition, vulnerable hash functions such as SHA-256, used for the secure storage of passwords, can be broken within seconds, exposing access credentials in the wild.

This is why organizations are upping their efforts to implement PQC resilience, or algorithms resistant to quantum attacks, and incorporating standards developed by NIST and other agencies into products and test environments.

However, a successful transition to PQC takes more than replacing algorithms; it requires a comprehensive approach within an overall cybersecurity strategy that considers people, processes, and systems. There is a risk of complacency with a strategy that focuses solely on “quantum-safe” cryptography.

The Misconception: PQC Equals Security

Many CIOs and CISOs believe that PQC is the silver bullet for future threats. In this way of thinking, once quantum-resistant algorithms are in place, an organization is secure. However, this rigid mindset overlooks important attack vectors that PQC does not protect against.

Identity and Authentication Risks

Encryption keeps data private and intact, but it doesn’t verify who’s accessing it. The main way bad actors breach company networks is via identity compromise, be it stolen passwords, weak MFA implementations, or insecure identity systems. No matter how strong the underlying cryptography, if authentication can be faked or stolen, security can be bypassed.

Thales’ work on secure digital identity, including quantum‑resistant smartcards and identity solutions, demonstrates that PQC must be integrated with robust identity and access management (IAM) frameworks to protect the full authentication lifecycle.

Application‑Layer Vulnerabilities

Business logic abuse, vulnerable APIs, and flawed session management are some of the usual suspects behind breaches. PQC can protect data in transit, but it doesn’t address SQL injection, cross-site scripting (XSS), authentication bypasses, or business logic attacks. An application security strategy that includes runtime protection, secure coding, and vulnerability management is needed to shrink the attack surface as much as possible.

Thales Imperva Application Security Platform and CipherTrust Data Security Platform help close these gaps by securing apps and data at rest and in motion.

Metadata and Side‑Channel Exposure

Quantum-resistant algorithms focus on cryptographic security, but they were not necessarily designed to guard against side-channel leaks or metadata disclosure. Timing, power analysis, and electromagnetic radiation attacks can compromise cryptographic computations, even PQC ones. Research shows that resistance in algorithms alone is not enough; implementations need to be made secure against physical and logical leaks.

Compliance vs. Security: The Checkbox Trap

However, regulatory pressure and standards will soon mandate that quantum resilience be built into security. Governments are touting schemes like ANSSI’s EUCC to drive PQC adoption well before 2030. Yet, the risk with this sort of compliance mandate is that businesses will try to implement the bare minimum PQC to squeak through their audits, without really considering other dangers.

If PQC is seen as just another compliance box to tick, the company is left with a false sense of security. Malicious actors don’t attack compliance; they target vulnerabilities. They will find a way to slither through identity gaps or application vulnerabilities. Even data-handling practices remain vulnerable, regardless of whether encryption is quantum-secure. Only a defense-in-depth approach can properly neutralize this threat.

Toward a Holistic, Future‑Ready Cybersecurity Posture

To avoid undermining PQC adoption in 2026 and beyond, businesses must embrace a broader approach to security that includes:

  • Crypto-Agility and Real-World Testing - To be quantum-safe, it is necessary to be agile in adapting to new PQC standards as they emerge. Thales offers several solutions to help firms assess and quantify their readiness for the quantum age in a real-world setting, outside of production environments.

  • Identity and Access Management Integration - A quantum-safe identity infrastructure is also necessary for secure identity management. Thales MultiApp 5.2 Premium PQC is the first quantum-resistant smart card that helps organizations future-proof their identity and access management infrastructure easily.
  • Application and Data Protection - A comprehensive AppSec program, combined with end-to-end data protection, safeguards against threat vectors that lie beyond the classical boundaries of PQC.
  • AI-Enabled Threat Detection - Thales AI cybersecurity solutions offer adaptive threat detection and response capabilities that keep pace with adversaries’ tricks and tactics. This is key to identifying anomalies that bad actors could exploit, even if the underlying cryptography is quantum-safe.

PQC Alone is Not Enough

Quantum-safe cryptography is an inevitable component of cybersecurity in the years to come, but it is not the only one. Nor is it a panacea. It is dangerous and unrealistic to assume that PQC alone can protect an organization's digital assets.

To protect against tomorrow’s threats, PQC must be integrated into a comprehensive security strategy that embraces robust crypto discovery, IAM, application security, data governance, and intelligent threat detection. This is the only way for businesses to move forward and build a future that can be trusted.

Don’t let quantum‑safe become merely a compliance checkbox. Contact Thales experts to evaluate your post‑quantum readiness across cryptography, identity, applications, data and AI‑driven security.

You can also check out the 2026 Thales Data Threat Report for more information on future quantum risks, and also our Security Sessions Podcast recorded live at PQC Palooza during RSAC 2026 and featuring insights from leaders across the PQC ecosystem.