How to protect your organization against post-quantum attacks

Article Oct. 8, 2025 Read time: min

Quantum computing, once seen as the realm of science fiction, is moving quickly from labs to the real world. This new technology holds tremendous promise, with the potential to enable better fraud detection, more efficient logistics, and the engineering of lifesaving drugs.

But quantum computing also presents risks, as a functioning quantum computer will be able to break today’s encryption algorithms—the ones that currently protect everything from state secrets to individual healthcare and finance information. While no one knows exactly when this will happen,  the date is often referred to as Q-day.

Uncertainty can’t become an excuse for inaction. In attacks known as “harvest now, decrypt later,” malicious actors are stealing encrypted information, to be stored until quantum computing allows them to break the encryption protecting it. The technology to make data, applications, and networks quantum-safe exists today. But becoming quantum-safe relies on modern networks and applications. If your network technology is ten years old, you’ll need to upgrade it before moving on to make it quantum safe. That’s why, for many organizations, becoming quantum-safe will be a multi-year project. The quantum race isn’t merely about building quantum computers, it’s about upgrading your infrastructure before quantum computers make today’s defenses obsolete.

In the U.S., the National Institute of Standards and Technology (NIST) has said it will deprecate current encryption algorithms by 2030. In the E.U., all critical infrastructure must use post-quantum cryptography by 2030. That makes it imperative to start planning now, identifying and understanding your vulnerabilities and classifying systems based on data sensitivity.

Programmers gathered together to conduct code review to fix errors, identifying technical issues with company software. Team of developers doing brainstorming, optimizing code, camera A
NIST works on the premise that traditional cryptography will be broken in 2030.

Start with a point of view on Q-day

The first step is to develop a point of view on when Q-day is coming. NIST works on the premise that traditional cryptography will be broken in 2030. Some CIOs think Q-day is coming sooner, while others think they have more time. Once you decide on a date, you can work backward to set a timeline to secure your data, applications and networks.

Most large organizations won’t be able to address every single vulnerability before Q-day, making it imperative to find your most critical vulnerabilities and address those first. You should also investigate the possibility of including quantum security in any planned or ongoing upgrades, such as mainframe modernization, network modernization, or digital transformation. Moving from a legacy SAP installation to S/4Hana in the cloud, for example, is a great opportunity to also address quantum security. Anything new that the organization chooses to build or buy should also support a quantum-safe IT environment. This is where organizations can benefit by making sure the business, IT, and procurement work closely together, rather than operating in silos.

Identify and prioritize critical vulnerabilities

One approach is to try to secure your most vulnerable systems and services in the next 12-24 months. In this scenario, your major vulnerabilities would be secured by 2027, allowing time to address secondary services.

Start with the systems and services that are most critical to your business. In the case of a decryption event, where would the biggest impact be? If you’re an insurance company, your biggest vulnerability might be claims. That means you need to look at the network, data, and platforms that support claims.

Once you’ve determined where a decryption event could do the most damage, construct an end-to-end digital profile of that service. The network may be the front door, but what about your data centers, cloud providers, or other entry points? Even fiber-optic cables—our most secure means of transmission—can be tampered with. Would you notice if your cable frequencies were fluctuating?

An investigation into critical services will no doubt lead you to data. Finding weaknesses in your data protection has implications for the services that use that data.

Understand critical and persistent data

A data audit is a key part of preparing for quantum security. Where does your critical data reside, and is it encrypted with high-quality algorithms? For U.S. organizations, NIST provides guidance on the use of algorithms expected to remain secure for the next few years.

The concept of critical data gains an additional dimension when considering ‘harvest now, decrypt later’ attacks. Critical data still includes sensitive customer data, for example, or data that is covered by regulations. But it also includes data that could be valuable years after it is stolen. The health records of politicians or high-level executives are one obvious example. Swiss bank accounts also have associated data that is extremely long-lived, as does some intellectual property and trade secrets.

If you don’t know where your critical data lives or how it’s encrypted, you’re likely to have operational issues, such as broken certificates, long before Q-day. If, on the other hand, you’re able to identify and locate all your critical data, and you know which algorithms are being used to encrypt it, you’re in a relatively good place to begin becoming quantum-safe.

For organizations in this position, it may be most efficient to encrypt closer to the application and to the data, ensuring end-to-end security. It's also important to implement a structured, controlled, and automated process to rotate your cryptographic keys.

 

Sofware developer thinking while touching beard while typing on laptop sitting at desk with multiple screens parsing code. Focused database admin working with team coding in the background.
Encryption at the network level is an option.


Quantum security at the network layer

If you don’t have a complete inventory of your data and the algorithms used to encrypt it, or you’re not certain that those algorithms are strong enough to withstand a post-quantum attack, encryption at the network level is another alternative. This may also be a good choice for organizations that aren’t able to thoroughly protect at the application level, or those that have very sensitive data moving through their networks.

Networks can be made quantum-safe by using symmetric key distribution to secure data center interconnects. This is not a great candidate for a DIY project: if not done properly, it can interrupt your business. And symmetric key distribution won’t protect you if other aspects of your network are easily compromised. In that case, while you’ve secured the front door, you may still have a backdoor held shut with a flimsy latchkey.

Conduct a network maturity assessment

A network maturity assessment can help determine exactly how your network needs to be secured or upgraded to become quantum-safe. This assessment will lead you through a series of questions designed to find opportunities for improvement across people, processes, and technologies.

People

  • Is your team currently able to run a quantum-safe network, or will you need to invest in them?
  • Does your culture support prompt remediation of security issues? Some teams don’t document their troubleshooting, making it harder to learn from those experiences. Others are punished for breaches, preventing anyone from taking responsibility for missteps. We’ve also seen organizations where front-line teams ignore guidelines. In some cases, team members may have an ethos of “this is not my job,” or, alternatively, “this is my job and not your job.”

Processes

  • How does your team handle tickets? Your processes for handling tickets determines how long an outage lasts, how easily it spreads, and the resilience of your network. If something goes wrong, who do you contact—customer? provider?—and what is your SLA for doing so? If a line goes down, what is the procedure?

Technology

  • Is your network technology outdated? The most advanced encryption won’t protect you if you have a router with a vulnerability that is easy to hack. At one customer, we found 126 versions of operating systems running on their networks. They had devices that hadn’t been patched since they were installed—and all of them had known vulnerabilities.

Once you have the answers to these questions, you’ll be in a position not just to install quantum-safe cryptography, but to support those improvements and ensure they continue to protect your organization as technology evolves.

Conclusion

Becoming quantum-safe may seem daunting, but organizations don’t have to do it all at once. They should focus on their most important vulnerabilities and look for opportunities to introduce quantum security into ongoing projects. No matter how aggressive you choose to be in adopting and protecting against quantum decryption, it’s important to start now.

Paul Savill is Global Practice Leader, Network and Edge, for Kyndryl