For much of the business world quantum computing still feels like science fiction, filed somewhere between colonising Mars and fully automated workforces. In reality, however, it poses a far more immediate and practical risk than many business leaders currently recognise
This shift from theory to practical risk is already being recognised by security authorities, who are warning organisations to prepare now rather than react later. The UK’s National Cyber Security Centre (NCSC) warns that future large-scale quantum computers could render current encryption methods ineffective, urging organisations to begin transitioning to post-quantum cryptography (PQC).
Quantum computing remains under active development and continues to progress, though its day-to-day advances can be difficult to parse. Google, in 2019, and the University of Science and Technology of China, in 2020, both claimed to have achieved quantum supremacy, but those assertions were later challenged by experts and rivals in the field. Some researchers claim supremacy is still several years away and it remains unclear what practical change will follow once we reach this loosely defined milestone.
It is clear, however, that there are niche areas, such as cryptography, where quantum computers could have devastating consequences. While this is unlikely to happen in the immediate future, businesses should take proactive steps now to protect their data before the risk becomes real.
To understand the urgency, we must look at the fiscal bedrock of digital trust. Current security infrastructure is built on the assumption that factoring large prime numbers is too computationally expensive to be worth the effort.
Quantum computers operate on qubits, which exist in multiple states simultaneously through superposition. Peter Shor’s algorithm, formulated in 1994, proved that a sufficiently powerful quantum computer could bypass the prime factorisation problem entirely. The NCSC’s latest guidance acknowledges that as hardware matures, the “computational cost” of breaking current RSA-2048 standards drops toward zero.
For businesses, this is equivalent to the locks on the company’s digital safe failing at once. If a firm’s core digital transformation initiatives, from cloud platforms to blockchain-based supply chains, depend on classical encryption, then its security foundations may be far less stable than assumed.
What current NCSC guidance says
The most significant strategic oversight in the C-suite is the belief that quantum risk is a future-dated problem. This ignores the Have Now Decrypt Later (HNDL) threat. State-sponsored actors and sophisticated criminal syndicates are currently harvesting encrypted data from high-value targets in the UK and EMEA, betting on the “quantum dividend.”
The NCSC has published guidance on moving to a post-quantum cryptography world, with mitigation efforts including moving to post-quantum algorithms through a multi-year phased approach. It notes that the current public-key algorithms deployed across many security systems, such as RSA and common elliptic curve, will be vulnerable to quantum computers due to their capabilities in solving maths problems much faster than a classical computer.
Even if these quantum computers are years away, data encrypted with public-key algorithms will be vulnerable once it arrives. Slow internal planning cycles mean the likelihood of data being re-encrypted is low and costly, especially for older systems, so businesses are better off transitioning to these newer algorithms sooner rather than later.
“Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods,” says Ollie Whitehouse, CTO at the NCSC. “Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come. As quantum technology advances, upgrading our collective security is not just important – it’s essential.”
At the same time, not all encrypted data needs to be immediately upgraded for a post-quantum world. Much of the symmetric encryption used to protect bulk data remains relatively resilient against potential quantum attacks. Hybrid approaches to encryption, which combine classical and post-quantum, are also being developed to support a smoother transition. The greatest risk lies with data that must remain confidential for many years, such as intellectual property or regulated records, which makes industries required to store data for decades particularly exposed.
First moves to protect against quantum computing
For organisations unsure where to start or what to prioritise, the first step is to conduct a risk assessment of cryptographic exposure. Identify the parts of the business that rely on authentication, regulatory compliance, and secure communications, and evaluate whether each area could be vulnerable in a post-quantum world. Legacy technology and vendor lock-in should be flagged early, as transitioning away from these systems could prove particularly difficult.
From there, organisations should develop governance structures and build skills to treat quantum computing as a strategic risk. Transition roadmaps should include plans for deploying post-quantum algorithms, and pilot tests should be conducted in non-critical environments to build internal capabilities and confidence.
However, for most UK businesses, large capital investments in quantum hardware and R&D remain premature. Specialist research centres and cryptography-focused organisations may offer guidance or services, but until quantum computing becomes accessible to malicious actors, the near-term return on investment is likely to be low.
Outside of security, businesses should also be wary of claims of quantum advantage and jumping on board the train, given the likelihood of huge shifts in policy, security and risk as quantum computing moves from research to active usage.
For now, the most practical focus is on readiness; understanding which systems will need to be updated as quantum capabilities advance. Strong governance, underpinned by risk assessments, discovery and a staged implementation approach, should be sufficient to mitigate the risks of quantum computing and prepare organisations for the years ahead.
For much of the business world quantum computing still feels like science fiction, filed somewhere between colonising Mars and fully automated workforces. In reality, however, it poses a far more immediate and practical risk than many business leaders currently recognise
This shift from theory to practical risk is already being recognised by security authorities, who are warning organisations to prepare now rather than react later. The UK’s National Cyber Security Centre (NCSC) warns that future large-scale quantum computers could render current encryption methods ineffective, urging organisations to begin transitioning to post-quantum cryptography (PQC).
Quantum computing remains under active development and continues to progress, though its day-to-day advances can be difficult to parse. Google, in 2019, and the University of Science and Technology of China, in 2020, both claimed to have achieved quantum supremacy, but those assertions were later challenged by experts and rivals in the field. Some researchers claim supremacy is still several years away and it remains unclear what practical change will follow once we reach this loosely defined milestone.
