

      Today’s world runs on data, from emails and passwords to financial and medical records, from factories, schools and armies to energy grids and telecommunications networks. And encryption protects this data, preventing criminals and hackers and other bad actors from getting their hands on this precious resource.

      While cracking encryption would take a traditional computer billions of years, with the emergence of quantum computing these codes could potentially be broken in hours. It is possible that encrypted data may have already been stolen, with the anticipation that in the next decade or so, quantum computers might be able to decrypt this information. That’s a concerning prospect when you consider that certain types of data should be kept secure for many years or decades. These include health records and financial information, defense designs, autonomous systems and critical infrastructure, like payment systems, telecommunications and energy supply.

      Misuse of data has a real-world impact on people. When hackers are able to steal individuals’ identities to misdirect payments (such as house deposits or salaries), apply for credit cards or passports, or file for government benefits, the impacts to respective financial systems could stretch to trillions of dollars. Organisations could fall prey to phishing and malware attacks, leading to business interruption, ransoms and negative publicity.

      This is not a future problem but an immediate issue. On the one hand, numerous governments, companies and researchers are racing to scale up their quantum computing systems, with many technology companies producing quantum roadmaps towards large, error-corrected quantum computers. On the other hand, these organisations are also seeking smart ways to make it harder to crack encryption, by producing quantum-safe cryptosystems. Nor is it just a technological threat; there are likely to be regulations that could leave organisations facing penalties for failing to meet encryption standards, as well as being locked out of defense, national security, health and government contracts, as procurement requirements are updated.

      In the US, for example, the Quantum Computing Cybersecurity Preparedness Act requires federal government agencies to “adopt technology that will protect against quantum computing attacks.” [1] The Australian Signals Directorate (ASD) has updated its guidelines for cryptography and information security. [2, 3] And in February 2025, Europol hosted a Quantum Safe Financial Forum (QSFF) event, calling on financial institutions and policymakers to prioritise the transition to quantum-safe cryptography. [4] This has been followed by a European Commission transition timeline for critical infrastructure, starting in 2026 and to be completed by 2030. [5] As quantum computing evolves, and the cyber threat increases, we can expect to see an increase in industry-specific frameworks, regulations, and best practice guidelines.

      Creating a quantum-resilient organisation

      Encryption is typically implemented by internal IT teams, cloud and software providers. However, despite being totally reliant on encryption, many organisations know relatively little about how and where the data they use is encrypted. This magnifies the challenge of quantum resilience, which now calls for an understanding of both your own cryptographic implementation as well as all dependent systems.

      To protect against quantum cyber risk, organisations should adopt post-quantum cryptography (PQC) algorithms, which resist the efforts of powerful quantum computers. The US National Institute of Standards and Technology (NIST) has already made such algorithms available. Transitioning to PQC is a major effort over several years, involving the entire enterprise — not just IT — preferably overseen by a cross-organisational encryption leader.

      PQC algorithms would need to be implemented in various software solutions, including key libraries, digital signatures and authentication. Given the scale of the task, it’s important to broaden cyber expertise, plan budgets, and empower teams to manage this increasing risk, as part of a multi-year transition effort.

      Organisations should aim to build a cryptographic bill of materials (CBOM), to better understand what encryption is being used, and where. The CBOM lists all the cryptographic assets employed across software (including software-as-a-service), services, and infrastructure — within the enterprise and across the supply chain. It’s also vital to assess the level of risk of each asset, to prioritise high-value data — which varies between sectors. For consumer companies, for example, customer data is paramount; in life sciences, intellectual property is especially valuable. Other organisations may be keen to protect financial, operational, and employee information.
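One way to turn a CBOM into a prioritised migration list, shown as an added example that is not part of the original article. The field names, the scoring formula, the ten-year horizon, the three-year migration time and the supplier name `ExampleCloud` are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "X25519", "ED25519")
# NIST post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
HORIZON_YEARS = 10    # assumption: "the next decade or so" from the article
MIGRATION_YEARS = 3   # assumption: time needed to replace an algorithm

@dataclass
class Asset:
    system: str
    owner: str            # "internal" or the supplier's name
    algorithm: str        # "+" joins the parts of a hybrid scheme
    purpose: str          # "key-exchange", "encryption" or "signature"
    retention_years: int  # how long the protected data must stay secret
    data_value: int       # 1 (low) to 5 (highest), set by the business

def status(algorithm):
    parts = [p.strip().upper() for p in algorithm.split("+")]
    if any(p.startswith(POST_QUANTUM) for p in parts):
        return "post-quantum"      # a hybrid with one PQC part still resists
    if any(p.startswith(VULNERABLE) for p in parts):
        return "quantum-vulnerable"
    return "review"                # symmetric, hash or unknown: check by hand

def priority(a):
    if status(a.algorithm) != "quantum-vulnerable":
        return 0
    # Only confidentiality is exposed to harvest-now-decrypt-later capture.
    shelf = a.retention_years if a.purpose != "signature" else 0
    overshoot = max(0, shelf + MIGRATION_YEARS - HORIZON_YEARS)
    return a.data_value * (1 + overshoot)

def plan(cbom):
    rows = sorted((a for a in cbom if priority(a) > 0), key=priority, reverse=True)
    return [(a.system, priority(a),
             "migrate" if a.owner == "internal" else "raise with " + a.owner)
            for a in rows]

# Constructed CBOM entries for illustration only.
CBOM = [
    Asset("patient-records-db", "internal", "RSA-2048", "encryption", 25, 5),
    Asset("payments-api-tls", "ExampleCloud", "ECDH-P256", "key-exchange", 7, 4),
    Asset("firmware-signing", "internal", "ECDSA-P256", "signature", 15, 3),
    Asset("vpn-gateway", "internal", "X25519+ML-KEM-768", "key-exchange", 10, 4),
    Asset("backup-archive", "internal", "AES-256-GCM", "encryption", 10, 3),
]
print(plan(CBOM))
```

Entries that come back as `review` are not cleared; they are the ones the inventory could not classify automatically and still need a human decision.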

      These key efforts support the development of a roadmap for discovery, assessment, management, remediation and monitoring the transition to quantum resilience, and coping with ongoing risk. This requires coordination across the IT estate. With so many players involved in encryption, contractual agreements with third parties should specify appropriate levels of quantum cybersecurity and clarify how the PQC transition can be harmonised. Procurement strategies, whether for devices or software, should also be updated to include quantum-resistant technologies, so that these IT investments can support PQC requirements during their lifetime.

      As is already the case, it's vital to review data retention policies, to reduce the time that sensitive data is stored and only retain data that’s absolutely necessary, while deleting data no longer needed. To maintain operational continuity, organisations should make appropriate enhancements to security controls (based upon their unique risk profile) to integrate PQC, and select and test quantum-safe, cryptographically agile solutions in their IT infrastructure, ahead of full deployment.

      Get started

      It is not yet a full quantum computing world, but it soon will be. As they prepare to adopt PQC, IT leaders should be aware that this is not a standalone project but a transition to a new business-as-usual. It will take several years and impact the entire enterprise, calling for multiple internal and external stakeholders to build a willing coalition. With bad actors always seeking to find ways to break encryption, organisations should continually re-evaluate their defenses. Getting started now, with a carefully managed plan for PQC transition, can help to keep one step ahead and maintain resilience and operations, with safe, secure data.


      By Gerry Chng, Partner, Head of Cyber, Advisory, KPMG in Singapore


      1 H.R.7535 - Quantum Computing Cybersecurity Preparedness Act, US Government, December 21, 2022.

      2 Guidelines for cryptography, Australian Signals Directorate, July, 2025.

      3 Information Security Manual, Australian Signals Directorate, June, 2025.

      4 Call for action: urgent plan needed to transition to post-quantum cryptography together, Europol, February 7, 2025.

      5 A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, European Commission, 23 June, 2025.


      Our people

      Gerry Chng

      Partner, Head of Cyber, Advisory

      KPMG in Singapore


