As many IT teams currently focus on upgrading their security infrastructures to combat the latest wave of AI-driven cyber threats, a new and potentially disruptive technology is emerging on the horizon: post-quantum cryptography.
The imminent advent of quantum computing, along with its cryptographic implications, could pose significant risks to cybersecurity defenses if organizations do not begin preparing early. But how close are we to this technology becoming a tool for malicious actors? And what steps should companies take today to safeguard their networks and data against future quantum threats?
Understanding the Quantum Threat
Quantum computing, at its core, is capable of solving complex mathematical problems that are practically impossible for classical computers to handle efficiently—such as factoring large numbers. This capability means that once sufficiently powerful quantum computers are available, they could potentially break many of the cryptographic algorithms that underpin online security today. These algorithms are deeply embedded across platforms, used to encrypt communications, protect stored data, and generate digital signatures.
Right now, quantum computers capable of threatening current cryptographic standards are not yet commercially available. However, post-quantum cryptography should be viewed as a strategic concern for organizations for two primary reasons. First, there is a real threat of retrospective attacks: because cryptography is so embedded in modern infrastructure—protecting data both at rest and in transit—most stored data is encrypted in a way that could be compromised in the future. Malicious actors might collect sensitive encrypted information now and decrypt it later when quantum computers become capable enough. This “store now, decrypt later” approach means that data which is valuable today could still be exploited years from now, even if it is encrypted at the moment of collection.
The second major concern revolves around the significant investments required to upgrade or replace legacy systems that rely on vulnerable cryptographic methods. Transitioning from old to new cryptographic standards carries inherent risks—financial, operational, and security-related—especially if rushed. Currently, no quantum computer exists that can crack traditional encryption, but major private companies and governments are investing heavily in this technology, suggesting that we could see practical quantum computers within just a few years.
To mitigate the financial and logistical burdens, organizations are encouraged to modernize their systems gradually in anticipation of the arrival of commercial quantum computing, rather than waiting until the technology matures and facing an urgent, costly overhaul or risking falling behind competitors.
Planning Your Quantum Readiness
While there is no consensus on exactly when quantum computers will become capable enough to threaten current cryptography, most experts believe it could still be 3 to 5 years away. Governments are already issuing guidelines to help businesses prepare for this transition. For example, the UK’s National Cyber Security Centre (NCSC) has recently published recommendations advising organizations to start planning their migration now to ensure a smoother and more controlled transition, thereby reducing risks associated with hasty implementation and potential security gaps. As part of this effort, organizations are urged to assess their systems comprehensively to understand what needs to be updated for post-quantum readiness.
The European Union is also working on policies related to quantum-resistant encryption, with upcoming regulations such as NIS2 and DORA expected to include requirements for post-quantum cryptography. Even though the current governmental guidance remains primarily advisory and non-mandatory, cybersecurity leaders should ensure this topic is high on their strategic agenda. Addressing it early will help avoid the rush to compliance later, which can often be costly and disruptive.
Next Steps for Organizations
Though the tangible threats posed by quantum computing might still be a few years away, the potential risks warrant proactive measures today. Companies should begin by evaluating their existing systems, identifying points of vulnerability, and developing phased upgrade plans to progressively transition toward quantum-resistant encryption standards. This approach will help mitigate the threat of retrospective attacks and prevent the operational and financial pressures that come with an accelerated, unplanned migration.
Governments and cybersecurity agencies are already providing guidance for navigating this transition, making it critical for Chief Information Security Officers (CISOs) and IT leaders to prioritize this issue and keep their boards informed. Preparatory planning not only shields sensitive information but also preserves competitive advantage in an evolving digital landscape increasingly threatened by advanced computing capabilities.
The future of cybersecurity depends on foresight and strategic planning. By beginning to address the quantum threat now, organizations can maintain resilient and robust security architectures capable of withstanding emerging technological threats and safeguarding their critical assets.
* Yaroslav Rosomakho is VP Field CTO at Zscaler
