Threatonomics

What business leaders need to know about post-quantum cyber risk

by Andrew Bayers, Director of Cyber Threat Intelligence
A strategic briefing for enterprise leaders

Quantum computing is on the horizon, and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections–what we call quantum decryption–could undermine the trust, confidentiality, and resilience of digital business.

As part of Cybersecurity Awareness Month, throughout October we are publishing this three-part series that distills a highly technical topic into strategic insights for leaders. Part 1 explains why quantum decryption poses a threat to current encryption systems. Part 2 will lay out credible timelines for when disruption may arrive. Part 3 will offer practical guidance on how organizations can begin to prepare to safeguard sensitive data, protect customer trust, and ensure compliance in a post-quantum future.

The big picture

Today’s internet security is built on a simple principle: certain math problems are so hard that even the world’s fastest computers would need trillions of years to solve them. This is what keeps your bank transactions safe, protects confidential emails, and secures everything from medical records to military communications.

But quantum computers work differently than regular computers. They can solve these “impossible” math problems in hours instead of trillions of years. Today’s classical computers store information as bits (0s or 1s), while a quantum computer uses “qubits” to store information as a superposition of both 0 and 1 simultaneously, allowing it to perform vastly more complex calculations.

When powerful enough quantum computers arrive, they could break through most of today’s digital security like a master key opening every lock.

What’s at risk?

Almost every secure connection on the internet today relies on encryption methods that quantum computers could break:

Secure websites (HTTPS): The padlock you see in your browser depends on encryption that protects your passwords, credit card numbers, and private information. A quantum computer could crack this protection.

Digital signatures: Everything from software updates to email authentication uses digital signatures to prove authenticity. These signatures could be forged if quantum computers can break the underlying security.

Digital certificates: The entire system of trust online—how your browser knows it’s really talking to your bank, not an imposter—relies on certificates that would become worthless.

Think of it this way: Today’s encryption is like a safe with a combination lock so complex that trying every combination would take longer than the universe has existed. Quantum computers are like having a device that can try billions of combinations simultaneously and crack the code in an afternoon.

The “steal now, decrypt later” problem

Even though cryptographically relevant quantum computers (CRQCs) don’t exist yet, this threat is urgent now. Nation-state adversaries and sophisticated threat actors are already harvesting encrypted data today with the strategic intent to decrypt it retrospectively once quantum capabilities mature.

The attack model is straightforward: adversaries intercept and archive encrypted communications and data stores, warehousing them until quantum computers become operational. At that point, previously secure information becomes retroactively compromised. The encryption that protects data today offers no defense against future decryption—the confidentiality clock is already ticking.

This strategy poses particular risk for data with long confidentiality lifetimes:

  • Medical records and protected health information
  • Legal documents, privileged communications, and intellectual property
  • Financial agreements, M&A documentation, and trade secrets
  • Military and intelligence data
  • Long-term strategic plans and competitive intelligence
  • Backups and archives, where data may be stored for decades

The NSA and CISA have issued explicit warnings about this threat, urging organizations with long-term confidentiality requirements to begin migrating to Post-Quantum Cryptography (PQC) now, well before Q-Day—the inflection point when quantum computers become capable of breaking public-key encryption. For sensitive data that must remain confidential beyond 2035, the window to act is narrowing.

Who’s behind this?

Governments including China, the United States, and the European Union are investing billions in quantum computing research. Whichever nation achieves a breakthrough first gains an enormous advantage—both economically and for national security.

While criminal hackers aren’t building quantum computers themselves, they could eventually benefit from leaked tools from government programs, access to quantum computing as a commercial service, and stolen quantum technology.

The irony here is that quantum computing actually makes the very thing that governments want to protect–their critical infrastructure–vulnerable. Here are just some of the systems at risk if quantum computing power finds its way into the wrong hands:

  • Industrial systems: Power grids, water treatment plants, and manufacturing facilities rely on encrypted connections that could be compromised. This could allow attackers to shut down essential services or manipulate industrial processes.
  • Software supply chains: Companies verify that software updates are legitimate through digital signatures. If these can be forged, attackers could distribute malicious software disguised as trusted updates.
  • Financial systems: Global banking networks and payment systems depend on the same vulnerable encryption. A breakdown in financial cryptography could trigger systemic economic risks.

A silver lining: Symmetric encryption remains viable

Not all cryptographic systems are equally vulnerable to quantum attack. Symmetric encryption—the standard method used for bulk data protection like securing files and network connections—is significantly more resilient than the public-key systems that handle identity verification and secure handshakes.

The key difference is in how quantum computers attack them. Public-key encryption (RSA, ECC) relies on specific mathematical puzzles that quantum computers can solve exponentially faster—essentially breaking the foundation entirely. These systems face a structural vulnerability that requires complete replacement.

Symmetric encryption faces a less severe threat. Quantum computers can search for keys faster than classical computers, but only by a factor that effectively halves the key strength. This means AES-256, the current standard for protecting sensitive data, retains sufficient security even against quantum attacks. Organizations can simply double their key lengths to maintain protection—a straightforward upgrade rather than a fundamental redesign.

The practical takeaway: Symmetric encryption like AES-256 remains quantum-safe for the foreseeable future. The urgent challenge is replacing asymmetric cryptography—the systems used for establishing secure connections, digital signatures, and identity verification. These require entirely new post-quantum algorithms, though hybrid approaches during transition allow organizations to maintain compatibility while adding quantum protection.
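For technical teams, the split described above can be applied to an inventory of TLS cipher suites. The following is an added example, not part of the original article: it parses AES-based suite names, flags the public-key algorithms that need replacement, and halves the symmetric key strength. The sample suite names are constructed, and the 128-bit floor is an assumption drawn from the article's statement that AES-256 remains sufficient.

```python
# Added example: map TLS cipher-suite names onto the article's two categories.
PUBLIC_KEY_ALGS = {"RSA", "DHE", "ECDHE", "ECDSA"}  # structurally broken: replace
MIN_EFFECTIVE_BITS = 128  # assumed floor once key strength is halved


def assess_suite(name):
    """Return the quantum exposure of one AES-based TLS cipher suite."""
    handshake, sep, bulk = name.partition("_WITH_")
    if sep:  # TLS 1.2 style: TLS_<kx>[_<auth>]_WITH_<cipher>
        algs = handshake.split("_")[1:]
    else:  # TLS 1.3 style: handshake algorithms are negotiated separately
        algs, bulk = [], name[len("TLS_"):]
    parts = bulk.split("_")
    if len(parts) < 2 or parts[0] != "AES" or not parts[1].isdigit():
        raise ValueError(f"unsupported bulk cipher in {name!r}")
    key_bits = int(parts[1])
    effective = key_bits // 2  # quantum key search halves the key strength
    broken = [a for a in algs if a in PUBLIC_KEY_ALGS]
    actions = []
    if broken:
        actions.append("replace " + "/".join(broken) + " with PQC")
    elif not sep:
        actions.append("check key exchange and certificate separately")
    if effective < MIN_EFFECTIVE_BITS:
        actions.append("move to AES-256")
    return {"public_key": broken, "key_bits": key_bits,
            "effective_bits": effective, "actions": actions}


SAMPLE_SUITES = [  # constructed sample inventory
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, assess_suite(suite))
```

The first sample needs both a handshake replacement and a longer symmetric key; the second keeps adequate bulk encryption but still depends on RSA for the handshake.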

What post-quantum risk means for your organization

The quantum threat is real, though it’s not happening tomorrow. The time to prepare is now because:

  1. Migration takes years: Replacing cryptographic systems across an entire organization is complex and time-consuming.
  2. Data has a long life: Information you protect today may need to remain confidential for decades.
  3. Attackers are already harvesting: Encrypted data stolen now could be decrypted later.
  4. Critical infrastructure can’t fail: Systems that control essential services need robust protection before quantum computers arrive.

The next parts of this series will help you understand when this threat becomes real and what concrete steps you can take to protect your organization, maintain stakeholder trust, and ensure regulatory compliance in a post-quantum world.
