Hello! We hope you’re doing well.
From time to time, we come across articles that don’t just talk about today’s cyber risks, but about what may fundamentally change cybersecurity in the years ahead. One topic that continues to surface in those discussions is quantum computing — and what it could mean for encryption, data protection, and long-term cyber risk.
While quantum computers are not yet a practical threat, their eventual arrival raises important questions that businesses should begin thinking about now — calmly and pragmatically.
Why Quantum Computing Matters for Cybersecurity
Quantum computers promise computing power far beyond what today’s systems can achieve. One well-understood impact is on public key cryptography, including RSA and elliptic curve cryptography (ECC), the encryption methods that protect most online communications today.
Once sufficiently powerful quantum computers exist, they will be able to run Shor’s algorithm, which could break these encryption methods in a very short time. This is not speculation — it is a known mathematical reality.
Because of this, security researchers believe some attackers are already running “harvest now, decrypt later” (HNDL) campaigns. In simple terms, this means stealing encrypted data today and storing it, with the intention of decrypting it in the future when quantum capabilities become available.
The Big Unknown: Timing
Quantum computers already exist, but they are currently too small and too unstable to pose a real cryptographic threat. Most public projections suggest that the arrival of a cryptographically relevant quantum computer, often referred to as “Q-Day”, is still several years away.
The challenge is that no one knows exactly when that day will arrive.
As John Farley from Gallagher has noted, quantum risk is the opposite of the Y2K problem. With Y2K, everyone knew the date but didn’t know the outcome. With quantum computing, the outcome is clear — encryption will be broken — but the timeline is uncertain.
This uncertainty makes it easy for organisations to delay action, especially when budgets are tight and current cyber risks already demand attention.
Why Delay Is Understandable — but Risky
Many security leaders point out, quite reasonably, that most cyber incidents today don’t involve advanced cryptography at all. Instead, attackers succeed through phishing, social engineering, unpatched systems, and poor identity controls.
From a risk-based perspective, those problems absolutely deserve immediate focus.
However, this does not change the underlying reality: quantum computing is coming, and transitioning to post-quantum cryptography (PQC) is not a simple switch. It will take years of planning, testing, and gradual migration.
Some experts now warn that organisations that have not begun even the first phase of preparation could struggle to catch up once timelines accelerate.
What This Means for Businesses Today
This is not about panic or rushing into expensive technology changes. It’s about awareness and preparation.
Cybersecurity planning has always involved preparing for risks before they become urgent. Quantum computing is simply another example where early awareness allows calmer, better-paced decisions later.
Practical steps today might include:
- Understanding where encryption is used across systems and suppliers
- Tracking vendor roadmaps for post-quantum readiness
- Ensuring long-term sensitive data is identified and protected appropriately
None of these requires an immediate technical overhaul, just visibility and planning.
A CSB Perspective
At CSB, we see quantum computing as a strategic, long-term cybersecurity issue, not an immediate operational crisis. Businesses don’t need to solve it today — but they do need to understand it.
Cybersecurity maturity is often about knowing what not to ignore, even when the threat feels distant. Quantum risk fits squarely into that category.