Threatonomics

What business leaders need to know about post-quantum cyber risk

by Emma McGowan, Senior Writer

A strategic briefing for enterprise leaders

Quantum computing is on the horizon, and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections (what we call quantum decryption) could undermine the trust, confidentiality, and resilience of digital business.

As part of Cybersecurity Awareness Month, throughout October we are publishing this three-part series that distills a highly technical topic into strategic insights for leaders. Part 1 explains why quantum decryption poses a threat to current encryption systems. Part 2 will lay out credible timelines for when disruption may arrive. Part 3 will offer practical guidance on how organizations can begin preparing to safeguard sensitive data, protect customer trust, and ensure compliance in a post-quantum future.

The big picture

Today’s internet security is built on a simple principle: certain math problems are so hard that even the world’s fastest computers would need trillions of years to solve them. This is what keeps your bank transactions safe, protects confidential emails, and secures everything from medical records to military communications.

But quantum computers work differently than regular computers. They can solve these “impossible” math problems in hours instead of trillions of years. Today’s classical computers store information as bits (0s or 1s), while a quantum computer uses “qubits” to store information as a superposition of both 0 and 1 simultaneously, allowing it to perform vastly more complex calculations.

When powerful enough quantum computers arrive, they could break through most of today’s digital security like a master key opening every lock.

What’s at risk?

Almost every secure connection on the internet today relies on encryption methods that quantum computers could break:

Secure websites (HTTPS): The padlock you see in your browser depends on encryption that protects your passwords, credit card numbers, and private information. A quantum computer could crack this protection.

Digital signatures: Everything from software updates to email authentication uses digital signatures to prove authenticity. These signatures could be forged if quantum computers can break the underlying security.

Digital certificates: The entire system of trust online—how your browser knows it’s really talking to your bank, not an imposter—relies on certificates that would become worthless.

Think of it this way: Today’s encryption is like a safe with a combination lock so complex that trying every combination would take longer than the universe has existed. Quantum computers are like having a device that can try billions of combinations simultaneously and crack the code in an afternoon.

The “steal now, decrypt later” problem

Even though cryptographically relevant quantum computers (CRQCs) don’t exist yet, this threat is urgent now. Nation-state adversaries and sophisticated threat actors are already harvesting encrypted data today with the strategic intent to decrypt it retrospectively once quantum capabilities mature.

The attack model is straightforward: adversaries intercept and archive encrypted communications and data stores, warehousing them until quantum computers become operational. At that point, previously secure information becomes retroactively compromised. The encryption that protects data today offers no defense against future decryption—the confidentiality clock is already ticking.

This strategy poses particular risk for data with long confidentiality lifetimes:

  • Medical records and protected health information
  • Legal documents, privileged communications, and intellectual property
  • Financial agreements, M&A documentation, and trade secrets
  • Military and intelligence data
  • Long-term strategic plans and competitive intelligence
  • Backups and archives, where data may be stored for decades

The NSA and CISA have issued explicit warnings about this threat, urging organizations with long-term confidentiality requirements to begin migrating to Post-Quantum Cryptography (PQC) now, well before Q-Day—the inflection point when quantum computers become capable of breaking public-key encryption. For sensitive data that must remain confidential beyond 2035, the window to act is narrowing.

Who’s behind this?

Governments including China, the United States, and the European Union are investing billions in quantum computing research. Whichever nation achieves a breakthrough first gains an enormous advantage, both economically and for national security.

While criminal hackers aren’t building quantum computers themselves, they could eventually benefit from leaked tools from government programs, access to quantum computing as a commercial service, and stolen quantum technology.

The irony here is that quantum computing actually makes the very thing that governments want to protect, their critical infrastructure, vulnerable. Here are just some of the systems at risk if quantum computing power finds its way into the wrong hands:

  • Industrial systems: Power grids, water treatment plants, and manufacturing facilities rely on encrypted connections that could be compromised. This could allow attackers to shut down essential services or manipulate industrial processes.
  • Software supply chains: Companies verify that software updates are legitimate through digital signatures. If these can be forged, attackers could distribute malicious software disguised as trusted updates.
  • Financial systems: Global banking networks and payment systems depend on the same vulnerable encryption. A breakdown in financial cryptography could trigger systemic economic risks.

A silver lining: Symmetric encryption remains viable

Not all cryptographic systems are equally vulnerable to quantum attack. Symmetric encryption—the standard method used for bulk data protection like securing files and network connections—is significantly more resilient than the public-key systems that handle identity verification and secure handshakes.

The key difference is in how quantum computers attack them. Public-key encryption (RSA, ECC) relies on specific mathematical puzzles that quantum computers can solve exponentially faster—essentially breaking the foundation entirely. These systems face a structural vulnerability that requires complete replacement.

Symmetric encryption faces a less severe threat. Quantum computers can search for keys faster than classical computers, but only by a factor that effectively halves the key strength. This means AES-256, the current standard for protecting sensitive data, retains sufficient security even against quantum attacks. Organizations can simply double their key lengths to maintain protection—a straightforward upgrade rather than a fundamental redesign.

The practical takeaway: Symmetric encryption like AES-256 remains quantum-safe for the foreseeable future. The urgent challenge is replacing asymmetric cryptography—the systems used for establishing secure connections, digital signatures, and identity verification. These require entirely new post-quantum algorithms, though hybrid approaches during transition allow organizations to maintain compatibility while adding quantum protection.
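
As an added illustration (not part of the original article), the Python sketch below applies the rules from this section and the “steal now, decrypt later” section to a constructed cryptographic inventory: public-key algorithms are queued for replacement, with confidentiality uses protecting data beyond 2035 first, and symmetric keys are checked at half their nominal strength. The asset names, action labels, the 128-bit floor, and the inclusion of DH and specific ECC schemes are assumptions of this example.

```python
import re
from dataclasses import dataclass

# RSA and ECC are the families the article names; listing DH and the
# individual ECC schemes here is an assumption of this example.
PUBLIC_KEY = ("RSA", "ECDSA", "ECDH", "ED25519", "X25519", "DH")
MIN_EFFECTIVE_BITS = 128  # assumed floor: what AES-256 retains once halved
HORIZON_YEAR = 2035       # the article's marker for long-lived data
ORDER = ["replace-now", "replace-planned", "double-key-length", "review", "ok"]

@dataclass
class Asset:
    name: str
    algorithm: str           # e.g. "RSA-2048", "AES-128-CBC"
    purpose: str             # "key-exchange", "signature", "bulk-encryption"
    confidential_until: int  # last year the protected data is still sensitive

def triage(asset):
    alg = asset.algorithm.upper()
    if alg.startswith(PUBLIC_KEY):
        # Only confidentiality uses can be harvested today and decrypted later;
        # a signature becomes forgeable only once the quantum computer exists.
        harvestable = asset.purpose != "signature"
        if harvestable and asset.confidential_until > HORIZON_YEAR:
            return "replace-now"
        return "replace-planned"
    match = re.match(r"AES-?(\d+)", alg)
    if match:
        effective_bits = int(match.group(1)) // 2  # key strength is halved
        return "ok" if effective_bits >= MIN_EFFECTIVE_BITS else "double-key-length"
    return "review"  # algorithm this example does not model

# Constructed inventory, for illustration only.
INVENTORY = [
    Asset("database at rest", "AES-256-GCM", "bulk-encryption", 2050),
    Asset("marketing site TLS", "RSA-2048", "key-exchange", 2026),
    Asset("backup archive", "AES-128-CBC", "bulk-encryption", 2050),
    Asset("patient portal TLS", "ECDH-P256", "key-exchange", 2060),
    Asset("software update signing", "ECDSA-P256", "signature", 2040),
]

def report(inventory):
    rows = [(triage(a), a.name) for a in inventory]
    return sorted(rows, key=lambda row: ORDER.index(row[0]))

if __name__ == "__main__":
    for action, name in report(INVENTORY):
        print(f"{action:18} {name}")
```

The signing key lands in "replace-planned" rather than "replace-now" because recorded signatures cannot be decrypted retroactively; the exposure begins only when forgery becomes possible.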

What post-quantum risk means for your organization

The quantum threat is real, but it’s not happening tomorrow. However, the time to prepare is now because:

  1. Migration takes years: Replacing cryptographic systems across an entire organization is complex and time-consuming.
  2. Data has a long life: Information you protect today may need to remain confidential for decades.
  3. Attackers are already harvesting: Encrypted data stolen now could be decrypted later.
  4. Critical infrastructure can’t fail: Systems that control essential services need robust protection before quantum computers arrive.

The next parts of this series will help you understand when this threat becomes real and what concrete steps you can take to protect your organization, maintain stakeholder trust, and ensure regulatory compliance in a post-quantum world.
