Quantum risk is near: Encryption may be broken within 4–15 years.
Slow change: Weak cryptography lingers for decades.
Harvest now, decrypt later is a risk: Captured data could be exposed in the future.
Log4j-scale disruption: PQC rollout will be painful if delayed.
Act now: Audit, plan, and build PQC into strategies today.
If you’ve been keeping up with the broader sweep of IT news (or just happen to be a crypto nerd like me) you’ll have heard of Quantum Computing (QC).
For years, cryptographers have treated it as a mid-term concern: the technology that, once practical, could ‘trivially’ break many of the cryptographic protections businesses rely on today, from VPNs and TLS to data-at-rest encryption.
At present, QC remains impractical; however, subject experts predict moderate to large-scale capability will arrive in somewhere between 4 and 15 years. Of course, a breakthrough could bring that forward to tomorrow. The only certainty is that ignoring QC because it is not yet practical is, at best, a very short-term view.
Once functional QC arrives, virtually all existing cryptographic mechanisms fall over. Logins, passwords, sensitive files - all exposed. At that point, the only real limiting factors are whether someone has already captured or is monitoring your encrypted data, and whether they can procure access to QC processing capacity. Nation states, organised crime groups and well-resourced hackers all meet those criteria.
Why is this worth talking about in 2025?
Three interlinked factors intersect when planning to adopt Post Quantum Crypto (PQC):
• The time it takes to eradicate weak encryption.
• The time until QC becomes accessible beyond research labs.
• The lifespan of the data you are protecting.
Encryption underpins almost every digital interaction, from payment systems, retail transactions and cloud workloads to remote logins. Yet the pace of deprecating insecure modes has always been glacial.
Old hands will recall that disabling SSL v2 often required nothing more than a software update or a trivial configuration change. And yet it still took about 15 years to drive support for SSL v2 below 1%.
TLS 1.0, released in 1999 and formally deprecated in 2021, remains enabled on roughly 23% of the top 150,000 sites. Meanwhile, ATMs and PIN-based card transactions used single-length DES encryption for almost two decades after affordable hardware that could crack it in under a day existed in the late 1990s. The global banking sector did not eradicate DES until the mid-2010s, delaying to maximise returns from the dedicated hardware despite the obvious risks to consumer confidence.
This historical drag is important. If QC is five years away, and it takes 10–15 years to eliminate weak cryptography used by an organisation and its partners, there’s a looming window of exposure where sensitive data will be captured and later decrypted.
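The window of exposure can be estimated per system from the three factors listed earlier and the 4–15 year range. The sketch below is an added example, not part of the original article; the inventory entries, their names and their figures are constructed assumptions.

```python
from dataclasses import dataclass

# QC arrival range quoted in the article, in years from now.
QC_EARLY, QC_LATE = 4, 15

@dataclass
class Asset:
    name: str
    migration_years: float      # time until weak crypto is fully removed
    data_lifespan_years: float  # how long captured data keeps its value

def exposure(asset, qc_years):
    """Return (harvested, live) years of data at risk for one QC estimate.

    harvested: captured before QC exists and still sensitive when it arrives.
    live: produced after QC exists but before migration completes.
    """
    m, life = asset.migration_years, asset.data_lifespan_years
    # Data captured earlier than this has lost its value by the time QC arrives.
    earliest_risky_capture = max(0.0, qc_years - life)
    harvested = max(0.0, min(m, qc_years) - earliest_risky_capture)
    live = max(0.0, m - qc_years)
    return harvested, live

def triage(assets):
    """Rank assets by total at-risk years: early estimate first, then late."""
    rows = []
    for a in assets:
        early = sum(exposure(a, QC_EARLY))
        late = sum(exposure(a, QC_LATE))
        rows.append((a.name, early, late))
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

# Constructed inventory: names and figures are illustrative assumptions.
INVENTORY = [
    Asset("admin VPN sessions", migration_years=3, data_lifespan_years=1),
    Asset("customer DB backups", migration_years=10, data_lifespan_years=7),
    Asset("partner payment link", migration_years=12, data_lifespan_years=2),
]

if __name__ == "__main__":
    for name, early, late in triage(INVENTORY):
        print(f"{name:22} at-risk years: QC in {QC_EARLY}y = {early:g}, "
              f"QC in {QC_LATE}y = {late:g}")
```

A system that can be migrated quickly and carries short-lived data scores zero under both estimates, while slow migration or long-lived data leaves an exposure even under the 15-year estimate.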
The attack scenarios
From an adversary’s perspective, a few seconds of a system administrator’s login session are pure gold. With so many IT roles now remote, and most systems delivered as SaaS or via cloud platforms, those sessions traverse public networks. Once QC breaks today’s encryption, the password element of multi-factor authentication will no longer be secret. That leaves attackers with a single barrier: the time-based code, and adversaries already have tools to trick users into handing those over.
Databases are another obvious target. Even if you encrypt backups at rest, a stolen copy of last year’s customer database exposes 80–90% of your current and former customer base once QC can process it.
Lessons from Log4j
Consider the Log4j flaw discovered in 2021: a single vulnerable module built into countless services forced millions of organisations to divert resources overnight. Many were still flushing out the last instances a year later. Now map that experience to a scenario where PQC must be deployed urgently and at scale. Weeks of disruption would be optimistic; months are more likely. Few organisations can absorb that level of opportunity cost without pain.
So what should leaders do?
While QC may feel like tomorrow’s problem, the slow pace of cryptographic change makes it a strategic priority for today. Executives should be asking their teams to:
• Audit where encryption is used across the organisation.
• Identify long-lived, high-sensitivity data that would retain value to an attacker.
• Engage suppliers, customers and partners — PQC adoption won’t happen in isolation.
• Build PQC into medium-term IT and security strategies.
• Raise the issue with boards and industry groups now, before it becomes urgent.
Conclusion
QC is a risk that needs to be factored into IT and security strategies, preferably sooner rather than later. Revamping internal policies, architectures and configurations to include PQC, along with raising the topic with customers, suppliers and industry stakeholders, is key to addressing this future-but-predictable threat.