Quantum computing is accelerating, with tangible progress in hardware stability, error correction, and scale. As quantum capabilities advance, their implications for cybersecurity are becoming harder to ignore.
The most immediate impact is on cryptography. Today's digital infrastructure relies heavily on public-key cryptography as the foundation for secure key exchange, digital signatures, and identity, protecting data, transactions, and communications. The realization that sufficiently powerful quantum computers will be able to break the mathematical assumptions underlying widely used public-key encryption has triggered a global push toward post-quantum cryptography (PQC). Governments, regulators, and enterprises are beginning to plan for migration, acknowledging that this will be a multi-year transition rather than a simple upgrade.
Quantum computing plays a dual role in cybersecurity. It introduces significant new risk by weakening existing cryptographic foundations, while also enabling new defensive approaches if adopted deliberately and early. The challenge is that once large-scale quantum machines become viable, reacting at that point will already be too late.
Recent research by Bain & Company highlights the gap between awareness and preparedness:
- 71% of executives expect quantum-enabled attacks within five years, with nearly a third believing they could occur within three
- 65% of business, IT, and cybersecurity leaders expect quantum computing to significantly increase cyber risk
- Only 10% of organizations have a funded, leadership-backed roadmap to address these threats
What quantum-enabled attacks could look like
The primary shift is not the introduction of new attack techniques, but quantum computing's ability to undermine the mathematical foundations of public-key infrastructure, increasing the scale, speed, and impact of attacks.
Businesses should expect:
- Rapid decryption of stolen data
Encrypted datasets protected by classical public-key algorithms such as RSA and elliptic curve cryptography could be decrypted in hours once cryptographically relevant quantum computers become available, exposing intellectual property, personal data, and sensitive communications.
- "Harvest now, decrypt later" exploitation
Adversaries are already collecting encrypted data today with the intention of storing it until quantum capabilities mature, turning long data retention periods into long-term liabilities. Data with decades-long confidentiality requirements, such as government archives, medical records, or trade secrets, remains vulnerable even if encrypted today.
- Forged digital signatures
Compromised classical digital signature schemes based on RSA or elliptic curve algorithms would undermine software updates, certificates, identity verification, and trust in digital transactions. Quantum computers using Shor's algorithm could derive private keys and forge signatures that appear legitimate.
- Breakdown of secure communications
Secure communications that rely on classical cryptography for key exchange or authentication could become readable or impersonable.
- AI-accelerated vulnerability discovery and exploitation
Quantum computing combined with AI may accelerate the discovery of zero-day vulnerabilities and enable more sophisticated attack methods. While quantum's direct role in vulnerability discovery remains theoretical, the convergence with AI-driven analysis could shorten the time between discovery and exploitation.
- Enhanced AI-driven attack capabilities
AI tools are enabling cybercriminals to automate reconnaissance, generate highly targeted phishing at scale, and develop adaptive malware. When combined with quantum-enabled decryption capabilities, these AI-powered attacks could operate at unprecedented speed and sophistication, though quantum computers themselves won't be running malware or directly executing attacks.
- Increased nation-state exploitation
Nation-state actors pose the greatest near-term threat given the significant resources needed for quantum computing. State-level adversaries could gain access to long-lived sensitive data, including defense systems, energy infrastructure, and government records.
What organizations should do now
A “wait and see” approach is no longer viable. The good news is that there is growing alignment globally on the path forward, and concrete steps organizations can take today.
Key actions include:
- Elevate quantum risk to the board level as a strategic priority
Quantum security is not just a technical issue; it affects long-term risk, compliance, and data longevity. Executive ownership is essential.
- Establish internal PQC ownership and migration teams
Assign clear responsibility across security, IT, risk, and compliance functions to avoid fragmented decision-making.
- Build cryptographic inventory and visibility
Conduct cryptographic inventory and discovery to understand where encryption is used, which algorithms are in place, and which systems are most exposed. You cannot migrate what you cannot see.
- Assess data sensitivity and longevity
Prioritize systems based on how long data must remain confidential, not just current threat levels.
- Create a phased migration roadmap
Plan for staged transitions rather than one-time replacements, accounting for operational complexity and regulatory requirements.
- Adopt quantum-safe products where available
Quantum-resilient VPNs, secure communications, and cryptographic tooling designed for PQC can reduce exposure now while broader transitions continue.
- Design for crypto-agility
Build architectures that allow cryptographic algorithms to be updated without disrupting systems, reducing future migration risk.
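The inventory and longevity steps above can be combined into a simple triage. The following is an added example, not from the original article or the research it cites; the record fields, the sample systems, and the ranking rule (recorded key exchanges first, then by confidentiality lifetime) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm (illustrative, not exhaustive).
SHOR_VULNERABLE = ("RSA", "DSA", "DH", "ECDH", "ECDSA")

@dataclass
class CryptoUse:
    system: str
    algorithm: str              # as found in a config, certificate or code
    purpose: str                # "key-exchange", "signature" or "bulk-encryption"
    confidentiality_years: int  # how long the protected data must stay secret

def is_quantum_vulnerable(algorithm: str) -> bool:
    # Prefix match so "ML-DSA-65" is not mistaken for classical DSA.
    name = algorithm.upper().replace("-", "")
    return name.startswith(SHOR_VULNERABLE)

def triage(inventory):
    """Return the quantum-vulnerable uses, most urgent first."""
    ranked = []
    for use in inventory:
        if not is_quantum_vulnerable(use.algorithm):
            continue
        # Recorded key exchanges can be decrypted later, so they rank ahead of
        # signatures, ordered by how long the data must remain confidential.
        harvestable = use.purpose == "key-exchange"
        years = use.confidentiality_years if harvestable else 0
        ranked.append((harvestable, years, use))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [use for _, _, use in ranked]

# Constructed sample inventory; systems and lifetimes are made up.
SAMPLE_INVENTORY = [
    CryptoUse("customer-portal", "ECDH-P256", "key-exchange", 2),
    CryptoUse("code-signing", "RSA-3072", "signature", 0),
    CryptoUse("backup-store", "AES-256-GCM", "bulk-encryption", 30),
    CryptoUse("medical-archive-transfer", "RSA-2048", "key-exchange", 30),
    CryptoUse("vpn-gateway", "ECDH-P384", "key-exchange", 25),
]

if __name__ == "__main__":
    for use in triage(SAMPLE_INVENTORY):
        print(f"{use.system:26} {use.algorithm:10} {use.purpose}")
```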
Quantum readiness is not about predicting a specific breakthrough date. It is about building resilience into security architecture so cryptography can evolve as threats change. Organizations that start early will retain control over their transition. Those that delay may find their most critical decisions already constrained by time, regulation, or exposure.
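A sketch of crypto-agility with a phased rollout, as an added example that is not part of the original article: callers use one interface, each message names its algorithm, and a policy set decides which algorithms are still accepted. The class, the algorithm ids, and the use of two HMAC variants as stand-ins for swappable primitives are assumptions made for illustration.

```python
import hashlib
import hmac

# Algorithm id -> implementation. HMAC variants stand in for any primitive;
# a PQC scheme would be registered here the same way.
REGISTRY = {
    "mac-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "mac-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class AgileAuthenticator:
    def __init__(self, key: bytes, current: str, accepted: set):
        self.key = key
        self.current = current    # algorithm used for new messages
        self.accepted = accepted  # algorithms policy still allows on verify

    def protect(self, msg: bytes) -> bytes:
        tag = REGISTRY[self.current](self.key, msg).hex().encode()
        # The envelope names its algorithm so verifiers can dispatch on it.
        return self.current.encode() + b"|" + tag + b"|" + msg

    def verify(self, envelope: bytes) -> bytes:
        alg_id, tag, msg = envelope.split(b"|", 2)
        alg = alg_id.decode()
        # The id is attacker-controlled: check it against policy, not just
        # the registry, so a retired algorithm cannot be selected again.
        if alg not in self.accepted or alg not in REGISTRY:
            raise ValueError("algorithm not accepted")
        expected = REGISTRY[alg](self.key, msg).hex().encode()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag")
        return msg

def migration_demo():
    key = b"\x01" * 32  # constructed demo key
    phase1 = AgileAuthenticator(key, "mac-v1", {"mac-v1"})
    phase2 = AgileAuthenticator(key, "mac-v2", {"mac-v1", "mac-v2"})
    phase3 = AgileAuthenticator(key, "mac-v2", {"mac-v2"})
    old = phase1.protect(b"update|1.2.3")
    results = [phase2.verify(old), phase3.verify(phase2.protect(b"new"))]
    try:
        phase3.verify(old)
    except ValueError as exc:
        results.append(str(exc))
    return results
```

The three phases show the staged transition: the old algorithm alone, both accepted while new messages use the replacement, then the old one retired by policy without touching calling code.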



