How Should Your Organization Prepare for Quantum Risk?

The Risk Posed by “Harvest Now, Decrypt Later”

Encryption — for both data at rest in storage systems or in transit via networks — has remained a powerful way to protect sensitive information for decades. Even if cybercriminals could access and steal this data, encryption rendered it essentially useless to them. However, the ability to “harvest now, decrypt later” (HNDL) — once quantum computing becomes powerful enough — has changed this equation.

Cybercriminals are already collecting encrypted data today with the intention of decrypting it in the future. This poses a particular threat for data in industries such as healthcare, financial services and government, where data maintains its value for many years.

The threat of HNDL means that any data a cybercriminal steals now could become valuable in the future, once it has been decrypted. To address this threat, organizations must begin working now to prevent the decryption of their data in the future. There’s nothing they can do to protect their data once it’s been stolen.

LEARN MORE: Improving cyber resilience can help your organization bounce back from security incidents.

Solution: The Arrival of Post-Quantum Cryptography

In May 2022, National Security Memorandum 10 directed federal agencies to prepare for the threat of quantum decryption. The memo requires agencies to take specific actions as part of a multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography. 

“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, then director of cybersecurity for the National Security Agency, in an August 2023 statement.

In August 2024, NIST published three cryptographic standards designed to resist an attack from quantum computers. These standards — ML-KEM, ML-DSA, and SLH-DSA — are intended to provide security for data across numerous systems, including email and e-commerce. NIST has encouraged IT teams to implement these standards are soon as possible.

Technology vendors such as Cisco Systems, Check Point and Palo Alto Networks have developed products with post-quantum cryptography (PQC) capabilities. These tools, including firewalls and network switches, can help organizations protect their data from quantum threats whether in transit or in storage.

“It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography,” said Jen Easterly, then director of the Cybersecurity and Infrastructure Security Agency, in an August 2023 statement.

How Organizations Should Assess Their Quantum Risk

Organizations looking to get started on addressing the risks posed by quantum computing can find guidance in numerous places. For example, NIST’s National Cybersecurity Center of Excellence in September 2025 published a draft white paper on migrating to post-quantum cryptography. The document recommends that organizations start planning their migrations now, as these processes generally take a long time.

As organizations begin their journey toward PQC, a valuable step is to conduct an assessment of what data might be at risk and how that risk affects the organization. The ISACA IT security organization recommends that IT leaders build a catalog of systems that may be vulnerable to quantum attacks and classify data based on its sensitivity and regulatory compliance requirements. This assessment helps IT teams prioritize their readiness efforts based on the potential financial and reputational damage an organization would face due to a quantum data breach and helps them focus mitigation efforts where they matter most.

After this assessment, an organization should conduct executive briefings and staff training to build awareness of the issue and carry out tabletop exercises to establish a culture of quantum readiness. Further, setting up a quantum readiness task force and appointing a dedicated quantum risk lead to oversee risk posture and mitigation establishes governance and accountability.

Take Action: Here’s How to Get Started on Your Quantum Readiness Journey

Experts throughout the IT industry advise organizations to get started now on preparing for the risks posed by quantum computing. Full migration to quantum-resistant may take years as IT teams grapple with discovery, testing and coordination.

As they develop a strategy for quantum readiness, IT and organizational leaders should align their efforts with existing security guidance, such as NIST’s Risk Management Framework. These steps should include establishing clear roles for governance, risk and compliance teams. IT leaders also should align their technology ecosystems with PQC solutions. Working with vendors and partners can help IT teams identify agile solutions that enable them to avoid being blocked by external constraints.

Ultimately, achieving quantum readiness will require coordinated efforts across numerous enterprises. There’s no better time than now for organizations to start their journey. “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry,” NSA’s Joyce said in a statement. “The key is to be on this journey today and not wait until the last minute.”

BE PREPARED: Learn how a partner such as CDW can help your organization achieve its security goals.