Quantum Reckoning: Securing Data Before the Breakthrough

December 2025, Daryl Flack, Partner

Published on: Cyber Security Insiders

Quantum computing has long been discussed as a revolutionary technology, but its security implications are only now starting to enter mainstream organisational thinking.

While operators of critical national infrastructure (CNI) are becoming more alert to the impending timeline they need to be quantum ready for, many other sectors remain at the early stages of understanding what a quantum relevant computing capability really means for their digital environments.

For decades, cryptography has been the quiet constant of digital infrastructure. Encryption standards have evolved slowly, creating an impression of dependability and permanence. The result is a common assumption that cryptographic protection can be taken for granted, that it is mature, stable, and the responsibility of vendors or security teams to maintain. Quantum computing is reshaping this assumption, and its impact is not a futuristic concern. It has already begun.

The shifting cryptographic landscape

Cryptography forms the backbone of nearly every digital interaction and system. It secures communications, validates identities, protects financial exchanges, and maintains the privacy of data moving across networks. Because it is so deeply embedded, organisations often lack a clear understanding of where it is used within their estate. Legacy applications with outdated encryption, undocumented crypto libraries, and sprawling technology stacks make the picture even murkier.

This is why the transition to quantum-safe cryptography represents one of the most significant shifts of the current digital era. It is not simply a technology upgrade, it is maturity journey that will require a fundamental shift from the relatively static, crypto management approaches of today to a post quantum, cryptographic resilient future.

The UK’s National Cyber Security Centre (NCSC) has set out a structured pathway to help organisations navigate this change. By 2028, businesses are expected to have completed discovery and planning activities. Priority systems should begin migrating to post-quantum solutions by 2031, with full transition concluded by 2035. Those dates may seem generous, but given the complexity of unpicking decades of cryptographic use and the challenges associated with specifying new standards that will then need to be designed, built, and deployed across entire technology ecosystems, the window for action is already narrow.

Why today’s encrypted data is already at risk

One of the most misunderstood aspects of the quantum threat is timing. Quantum computers capable of breaking widely used encryption algorithms do not yet exist, but adversaries are not waiting. Many are already stealing encrypted information now with the intention of decrypting it later, once the technology matures. This “harvest now, decrypt later” risk means that data being created today may be at risk years or decades into the future.

This is particularly concerning for information that must remain confidential or verifiable over long periods, such as legal and financial documents, medical research, national security material, scientific datasets, and sensitive corporate records, among them. If such data is compromised, even if it is currently encrypted, that may not be enough to adequately protect it when a quantum relevant computer is available.

The countdown has effectively already started.

Responsibility cannot be outsourced

It is tempting for organisations to assume that their major software and technology providers will solve the problem for them. While vendors will certainly deliver updated algorithms and standards, which will help many businesses, it won’t be the silver bullet for all. Ultimately, the responsibility for ensuring cryptographic resilience sits firmly within each organisation.

Encryption touches every point where trust is required: authentication, secure transport, digital signing, device communication, and operational systems. A passive approach risks creating bottlenecks and dependencies that will slow the transition at the moment it becomes most urgent.

The first and most important step is to undertake both internal discovery and 3rd party crypto dependency mapping to determine where and how cryptography is used. This must be followed by structured prioritisation and planning. Crypto-agility, the ability to switch algorithms and standards without re-engineering entire systems, is the only way forward.

Innovation and risk: the quantum double-edge

The transformative benefits of quantum computing are undeniable. Combined with artificial intelligence, quantum systems will accelerate optimisation, enhance modelling accuracy, and unlock breakthroughs across sectors such as finance, healthcare, logistics, materials science, and climate analytics. Smarter cities, personalised medicine, cleaner energy systems, all these opportunities are real and compelling.

Yet the power that enables these breakthroughs also threatens the cryptographic foundations on which the digital economy has been built. Quantum decryption of sensitive or mission-critical data would erode privacy, intellectual property, and national security on an unprecedented scale. For this reason, quantum resilience must be elevated to a strategic concern, not simply a technical one.

Beginning the journey: discovery and prioritisation

Organisations should begin with a comprehensive effort to identify:

• where cryptography exists in their systems and those that rely upon,

• how data flows across applications, devices, networks, and cloud services,

• which datasets require confidentiality far into the future,

• and which systems depend on digital signatures or integrity guarantees.

  
  

Once the landscape is clear, the next step is to prioritise systems that hold sensitive or enduring data and ensure they can support quantum-resistant algorithms. Planning should also include governance, investment strategies, policy alignment, and executive engagement. Cryptographic resilience must sit alongside cyber risk, operational risk, and business continuity within enterprise and business risk management.

Moving decisively toward quantum resilience

Quantum computing may not be ubiquitous yet, but its implications are already shaping the future of cybersecurity. The NCSC’s milestones provide a clear timeline yet meeting them will require sustained effort and a proactive approach across the coming decade.

Organisations that begin now by discovering their cryptographic footprint and planning their migration path, both internally and with their supply chain, will be well-positioned to face the quantum era with confidence. Those that delay risk finding that they’re working to an adversary’s schedule in a race against time to protect their systems, data and wider business resilience.

Preparing today is not simply prudent; it is about maintaining trust, integrity, and resilience in the decades ahead.