Why Your Organization Should Start Quantum Preparedness Today (Even If Quantum Computers Are Years Away)

Too many industry conversations start like this: "Why should we start preparing now? It sounds really hard." But adversaries are already preparing.

They are already harvesting encrypted data to decrypt it once quantum computers become powerful enough.

These "harvest now, decrypt later" attacks are happening today, in secret. If your organization holds data that will still be sensitive in 5, 10, or 20 years, that data is at risk right now.

Data retention spans vary dramatically across industries: a decade for financial records, 25+ years for pharmaceutical trials, lifetimes for healthcare, and 75+ years for classified government information. Further, the systems protecting this data or steering industrial plants often take 15-25 years to replace and make quantum secure.

If quantum preparedness is delayed, the quantum threat can manifest with dire consequences: imagine the impact of combining the Ashley Madison breach, Panama Papers, and WikiLeaks, all over the globe, all at the same time. In addition, quantum computing threatens the security of cryptocurrency, blockchain, and digital signatures.

Thankfully, quantum preparedness is not the overwhelming technical challenge many assume. The foundations are the same security practices your organization should already be implementing: proper data governance and systematic risk management.

Beyond Fear, Towards Action

The biggest barrier to quantum preparedness is not technical complexity, but the perception that it is too overwhelming or too distant to address now. However, quantum computers are coming. Multiple research groups and commercial entities are making steady progress. Whether they arrive in 2030 or 2035 is less important than the fact that adversaries are harvesting your encrypted data right now.

Starting your quantum preparedness programme today means you will be ready when quantum computers arrive. Delaying means scrambling to catch up, paying more, whilst your historical data becomes readable to adversaries.

The path forward, following the practical post-quantum transition framework, is clear: secure executive buy-in, establish governance, assess the risk, and implement defensive improvements such as enhanced data management. Then, plan and systematically transition to quantum-resistant cryptography based on risk prioritisation.

This is not about panic. It is about prudent planning. And the best time to start is now.

Starting Small, Winning Big

Quantum preparedness delivers immediate value. Every step organizations take to prepare for quantum threats simultaneously strengthens their defence against current threats like ransomware attacks and supply chain compromises.

As an example, consider data management. To prepare for quantum, you need to assess what data you have, where it lives, and how long you keep it. This same exercise directly improves your ransomware readiness. Organizations with clear data inventories, defined retention policies, and immutable backups recover faster from attacks.

Or take cryptographic discovery: knowing which systems use which encryption methods is fundamental to quantum readiness. This visibility also helps you identify legacy systems using weak cryptography that is vulnerable today.

Quantum preparedness is not about abandoning current security work for some distant threat, nor about massive upfront investment. It is about systematically improving your security posture and operational resilience in ways that deliver value now whilst positioning you for the quantum transition ahead.

The Framework: Three Manageable Phases

The path to manageable quantum readiness follows a logical progression that any organization can navigate using existing risk management skills.

Discovery and defense is the first phase. Build your foundations by securing executive buy-in and establishing governance. Conduct risk assessments, enhance data management, and perform cryptographic discovery to understand your current posture. These activities cost relatively little but deliver immediate security improvements, including against several key threats. Too many organizations jump straight to technical solutions without a proper foundation and fail.

Migration and integration is phase two. Systematically transition to quantum-resistant algorithms and crypto-agility, prioritising based on risk. Critical systems and long-lived data are addressed first.

Continuous improvement is a concurrent third phase, because quantum threats will evolve, standards will change, and new vulnerabilities will emerge.

How Urgent Is It Really?

When should your organization start preparing? The relative urgency depends on your data lifecycle and system complexity. The UK NCSC advises starting to prepare now.

Data lifecycles vary significantly: pharmaceuticals, government, and defence face the highest priority due to long retention; healthcare and financial services sit at medium; whilst retail and manufacturing can take a more measured approach.

However, urgency increases if your systems are difficult to replace, such as in financial services and manufacturing. Given the active threat and extensive time to migrate, every organization should be taking the foundational steps now. These activities are low-cost, deliver immediate value, and position you for later phases.
