Mentions of quantum computers breaking today’s encryption standards are still perceived by most companies as a distant future problem. That perception carries risk. If your organization stores valuable encrypted data, your problems may begin much sooner than the moment quantum computers reach full practical capability.
Attackers can already intercept and store — or rather “archive” — encrypted communication such as emails, API traffic, system-to-system transfers, and cloud data. Today, current encryption standards make that data practically unreadable. But attackers are already operating under the assumption that this may eventually change. In the cybersecurity world, this approach is known as “harvest now, decrypt later.”
The idea that the primary threat will be quantum computers simply “breaking encryption” is not entirely accurate. Modern symmetric encryption, which is used to encrypt data with a private key, remains highly resistant even against quantum attacks. “If you tried to brute-force this type of encryption using today’s computing power, it would take trillions of years,” explains Pavol Draxler, founder of Binary Confidence. With quantum computers, it may ‘only’ take billions. Sounds practical, right? 😊
So where is the real Achilles’ heel of modern encryption?
The problem begins with digital communication and asymmetric encryption. These are the mechanisms that allow two parties to securely exchange encryption keys. This is exactly where the quantum threat enters the picture. Technologies based on large-number factorization (RSA) or elliptic curve cryptography (ECC) are currently considered secure.
In the case of a 2048-bit RSA key, breaking the encryption using classical computers would take trillions of years. A sufficiently powerful quantum computer, designed specifically for decryption tasks, could theoretically do it in days — according to some estimates, even hours or seconds. What is impossible today may become relatively achievable within years.
All an attacker needs today is to capture the key exchange. In the future, they may be able to use a quantum computer to derive private keys retroactively and decrypt historical communication.
Why this should matter to your business
If you are telling yourself that your company does not handle information that will still be sensitive in ten years, you are likely mistaken. Contracts, financial records, business strategies, technological know-how, and customer personal data all have long-term value. Financial records, in particular, often remain confidential and valuable for decades, well beyond a 10-year horizon.
Even data that seems insignificant today may quickly gain value in the future. Encrypted and archived information could eventually reveal operational secrets through metadata analysis alone, creating opportunities for extortion, fraud, and other cybercriminal tactics.
A large part of the risk is not directly in your hands. It lies with the service providersyou rely on. According to Pavol Draxler, “cloud platforms, SaaS applications, communication tools, and IT vendors all use cryptography that customers themselves do not control. One of the key questions is therefore not only how we encrypt data ourselves, but how our suppliers encrypt it.”
Can you answer these questions today?
Post-quantum cryptography is by no means just a highly technical topic. On the contrary, it is a serious risk management issue.
- Who in your organization is responsible for cryptographic strategy?
- Can you identify which data must remain confidential beyond 2030?
- Do your supplier contracts include the ability to transition to new cryptographic standards without major operational disruption?
- Do you know where you use mechanisms such as RSA or ECC — and what will replace them?
- Do you want to deploy post-quantum solutions before they become expensive and capacity-constrained services?
Are you prepared to prepare?
Post-quantum cryptographic algorithms already exist today and are gradually entering real-world deployment. Some modern communication tools and technology platforms have already started implementing them proactively as they prepare for what the next decade may bring.
For several years now, post-quantum standards such as ML-KEM, ML-DSA, and SLH-DSA (SPHINCS+) have been publicly available. “The key factor will be your crypto-agility — the ability of your systems to switch cryptography as needed. This flexibility will determine which organizations transition into the post-quantum era smoothly, and which will face expensive and risky infrastructure interventions,” concludes Pavol Draxler from Binary Confidence.
The European Union already recommends inventorying cryptographic usage, assessing risks, and preparing migration plans. A full transition to post-quantum algorithms — including across supply chains — is expected around 2035. For companies, this means post-quantum cryptography is gradually becoming a compliance necessity, not merely a technological choice. If you needed to replace a cryptographic algorithm tomorrow, could you do it quickly and in a controlled way? In the post-quantum era, that will no longer be a hypothetical scenario, but a real competitive advantage.
Táto aktivita je podporovaná European Cybersecurity Competence Centre (ECCC) ako súčasť projektu s grantovým kódom: 101145856 a Ministerstvom investícií, regionálneho rozvoja a informatizácie ako súčasť projektu Plán obnovy pod grantovým kódom: 17I04-04-V02-00001.
