The cybersecurity industry has long treated Q-Day – the point at which quantum computing shatters current encryption standards – as a distant, theoretical problem. However, this complacent timeline has been upended rather aggressively. As highlighted by Richard Ford, CTO at Integrity360, during the Security First conference in Cape Town, the threat has become a present-day reality that demands a fundamental rethink of cyber resilience.
The most sobering proof of this accelerating timeline recently came from Google, which surprised the technology sector by pulling its internal post-quantum cryptography migration deadline forward to 2029. The quantum threat, once joked about as perpetually 10 to 20 years away, now has a concrete, near-term date from one of the world's primary digital infrastructure providers.
According to Ford, South African organisations should already be preparing for Q-day and its potential exposure long before such a moment arrives, rather than assuming quantum risk can be dealt with later.
“We have seen this pattern before. If we look back at the early internet – ARPANET – it was built primarily to work and be functional first and foremost,” Ford explained. “Security was an afterthought because the assumption was that every user could be trusted. We are repeating that mistake today with AI and quantum-vulnerable encryption. We are racing toward functionality and speed, while leaving safety as a secondary concern, which is precisely what makes the 'store-now-decrypt-later' threat so potent.
“Q-Day itself is only part of the picture. The concern is that sensitive data may already be getting collected and stored for future decryption. If that information will still have value years from now, then the risk and potential consequences are already in motion. This is the essence of the ‘store-now-decrypt-later’: attackers stealing encrypted data today with the intention of unlocking or selling it once quantum capabilities mature,” says Ford.
Google’s accelerated 2029 deadline is an eerie warning. The tech giant's security leadership explicitly cited the immediate danger of ‘store-now-decrypt-later’ attacks as a primary driver for moving their timeline forward.
The danger is especially acute for information with a long confidentiality lifespan, such as intellectual property, financial records, health data, legal material, strategic plans and sensitive customer information.
To understand this exposure, South African organisations must conduct a data shelf-life audit.
“If a business holds sensitive data that must remain confidential for ten, fifteen or twenty years, then the risk attached to outdated cryptography is not theoretical. It represents a deferred exposure that may affect regulatory standing, commercial trust and long-term enterprise value. In that sense, quantum preparedness increasingly belongs in the same category as other board-level resilience issues: third-party risk management, business continuity, digital identities, and governance and risk compliance.”
Decision-makers must determine the lifespan of their data and how long it needs to remain private and trustworthy. Once that is understood, organisations can begin mapping where vulnerable encryption exists across applications, backups, certificates, archived data, partner ecosystems and legacy infrastructure.
Cryptography and resilience planning
Quantum risk connects to resilience challenges that organisations are already grappling with. This is why it makes sense to treat post-quantum readiness as part of a wider effort to protect long-term value in an environment where threats, dependencies, and timelines are all shifting.
Fortunately, organisations do not need to solve the entire quantum problem today, but he argues that boards should start identifying where their most enduring exposures lie – and sooner rather than later.
“Organisations that ignore these timelines are essentially gambling with their future continuity,” warns Ford. “It is similar to a senior partner at a law firm who replaces all their junior lawyers with AI to save costs today, only to retire in ten years and realise there is no one left with the senior expertise to run the firm.”
“By the time Q-Day arrives, now possibly as soon as 2029, those who have not built the internal knowledge and mapped their cryptographic dependencies today will find themselves without the human or technical expertise to survive the transition.
“Waiting for a precise deadline may feel prudent, but it could mean acting only once the most valuable data has already been harvested. Organisations that prepare early, rather than leaving it until the threat feels more immediate, will be in a stronger position to preserve trust, continuity and operational stability."
For more information, go to www.integrity360.com/en-za/
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version