Is quantum computing the next big cybersecurity risk?

Published March 26, 2026 in Governance ‱ 8 min read

Businesses must prepare now for post-quantum cryptography, as quantum computing could render today’s encryption obsolete and expose sensitive data to future cyber threats.

Within the next decade, advances in quantum technology will result in sufficiently powerful machines that could undermine today’s encryption standards.

Experts have warned that advances in quantum computing pose real risks to cybersecurity, digital trust, and long-term business resilience. This means quantum security is no longer a distant threat but a pressing governance issue. For boards overseeing cybersecurity risk, supply chain exposure, and long-lived sensitive information, the question is no longer whether quantum attacks are possible, but whether the organization is prepared to remediate current encryption vulnerabilities before quantum computing power makes them exploitable at scale.

The message is clear: quantum readiness requires planning now.

What changes when quantum computers arrive?

Sushmita Ruj, Faculty of Engineering Lead at the UNSW Institute for Cybersecurity, IFCYBER and Associate Professor at the School of Computer Science and Engineering (CSE), UNSW, Sydney, says that not all quantum machines pose a threat to current encryption methods.

“Cryptographically relevant quantum computers have the power to break currently used public key algorithms like RSA and ECDSA, which are the backbone of many communication protocols and secure applications. Much of the encryption today relies on algorithms like RSA and   These will no longer remain secure.”

Post-quantum cryptography is essentially a new way of ‘locking up’ information so that even quantum computers – very powerful future computers – won’t be able to gain access to it. The encryption and authentication algorithms used to keep data safe today – RSA and other common public key algorithms, for example – work well against conventional computers but could be easily cracked by more advanced quantum computers.

“This has a significant impact on personal data, such as health records and credentials, as well as sensitive government and corporate information,” says Ruj.

Public-key systems such as RSA and ECC underpin secure web browsing, digital signatures, authentication protocols, and secure data exchange across supply chains. If broken, the impact would extend across providers, customers, and global digital ecosystems.

Ruj says that although the exact timeline for deploying this new technology remains uncertain, the direction is clear. “With the advancement of quantum computing, the risk is pretty high. Though we might not have cryptographically relevant quantum computers for another five to 10 years, the transition process is so slow that if we don’t start now, then it will be hard to change to quantum-safe systems overnight,” she says.

“To give some numbers, currently, we have quantum computers with a little more than 1,000 qubits; a cryptographically relevant quantum computer might potentially need around a million qubits to break RSA-2048 [a very large digital key that is extremely difficult to crack].”

The implication for risk management is significant. Even if cryptographically relevant quantum computers are years away, sensitive information encrypted under current systems today could be exposed in the future.

The ‘harvest now, decrypt later’ problem

ÖykĂŒ Ißık, Professor of Digital Strategy and Cybersecurity at IMD, explains that a quantum computer is not just a faster computer – it’s a completely different kind of machine.

“For a narrow – at least, currently – set of problems, it can use different physics to explore solution spaces in ways classical computers can’t,” she says. “The main security issue resulting from this is that, if a sufficiently capable quantum computer becomes publicly accessible or commercially available, it can undermine the assumptions behind widely used public-key algorithms that power our web security infrastructure, such as data encryption, user authentication, and digital signatures.”

Ißık explains that modern digital trust is grounded in the mathematical hardness assumptions behind cryptographic algorithms. In practice, security depends on encryption schemes built on problems that classical computers find computationally infeasible to solve at scale.

“Quantum computers will be able to solve these mathematical problems effortlessly. Even though the transition to quantum computers may be slow, the breakthrough through wide availability will be sudden. That is why being ready is so important.”

One of the most concerning quantum threats is known as harvest now, decrypt later. “It means attackers can steal encrypted data today, store it, and decrypt it later when quantum capability makes that feasible,” explains Ißık.

“That turns quantum into a delayed-breach problem: the theft happens now but the damage can arrive years later. Boards should care because it changes the risk profile of long-lived sensitive data, such as IP, strategy, and customer records, where confidentiality must hold for a decade or more. Unfortunately, we know that the theft of encrypted data is already happening – and has been for several years.”

For sectors handling long-lived data – including healthcare records, financial services data, and government systems – quantum risk then becomes a strategic governance issue, not just a technical vulnerability.

Why post-quantum cryptography is not a simple upgrade

Ruj says business leaders often assume post-quantum cryptography is a simple swap for existing classical encryption and signature algorithms, but that this is not the case.

“There have been efforts around the world, with some algorithms being standardized by the National Institute of Standards and Technology. It is often easy to think, why don’t we replace a classical algorithm with a PQ algorithm? It’s not easy to plug and play. Partly because of the performance bottlenecks associated with post-quantum cryptography algorithms, which impact the quality of service,” she explains.

“Some, like SLH-DSA, have large signature sizes, whereas ML-DSA has large public key sizes. Larger keys and signatures increase bandwidth, storage, and processing demands. Added to this, there are legacy systems, which are hard to upgrade.”

Where organizations get stuck is often around costs and uncertainty. “Post-quantum cryptography transition is expensive because it requires upgrading systems and processes and investing in capacity building and training,” says Ruj, who adds that many organizations are “not convinced” it’s worth spending money for such upgrades.

At the same time, while new infrastructure support, products, and services are available, choosing a well-tested, stable, and reliable one can be hard for organizations. “Many solutions are not standardized and therefore carry some associated risks,” she says.

Unlike AI, whose productivity gains and profit potential are visible even to everyday users, post-quantum cryptography offers no immediate or obvious commercial upside, says Ruj. “In the case of post-quantum cryptography, individual customers cannot see the immediate value. Post-quantum cryptography might not generate immediate revenue for organizations, but what it can do is to save millions of dollars that can otherwise be lost in quantum attacks.”

What boards should be asking now

Ißık warns that waiting only compounds exposure. “Waiting only shrinks your options. You accumulate cryptographic debt as new systems hard-code today’s algorithms, while the eventual migration becomes bigger, costlier, and more rushed. And when the industry flips, everyone will scramble at once – vendors, auditors, certificate authorities, consultancies – exactly when you don’t want to be improvising.”

She urges boards to move beyond abstract monitoring and towards concrete risk assessment by asking:

  ‱ What kinds of data must remain confidential for 10 or more years, and where is it stored?
  ‱ Where do we rely on public-key cryptography across critical systems? Do we have an inventory?
  ‱ How crypto-agile are we? Can we swap algorithms without redesigning systems?
  ‱ Which key vendors and partners have access to our sensitive data, and do they have a post-quantum roadmap?
  ‱ Do we have a transition plan with owners, milestones, and a budget?

“If management can’t answer these precisely, the organization is not ready, only optimistic,” she says.

Ruj adds that technical literacy at the governance level is essential. “My first suggestion to the board is to have well-qualified cybersecurity technical experts. This is a highly technical problem, and failing to understand its magnitude and the proper approaches to address it can lead to improper company policies and decisions.

“They should start preparing now. Their customer data is at risk, which could cost them more than the cost of migration. Delaying the process of migration means that they might later have to make decisions in a hurry and are prone to making mistakes.”

In Australia, the Australian Signals Directorate has issued migration guidance, and comparable frameworks exist internationally. Organizations are being instructed to follow suggested timelines, as transitioning to post-quantum cryptography is a gradual process that cannot be completed quickly.

“It is a very slow process and needs time and effort. So, the earlier they start, the better,” says Ruj. “The organization should begin understanding risks and prioritizing the post-quantum cryptography migration. This would include building an inventory of crypto assets, finding dependencies between them, evaluating the risk, and taking a phased approach to post-quantum cryptography migration.”

This is also where training and awareness are crucial, and where universities, government, and industry can play an important role. “There is a need for extensive discussions between technology and policy experts to ensure that the technology implementation is backed by strong policies and regulations,” she adds.

The governance test of the quantum era

Ißık says that regulators, customers, and partners will increasingly expect credible quantum readiness. “I do not believe that customers, partners, and regulators would expect perfection, but they will expect credible preparation. ‘We haven’t started’ will increasingly imply weak governance: failing to anticipate a foreseeable, material risk with long lead times.

“In trust-based ecosystems, laggards become the weak link commercially through partner friction, operationally through interoperability issues, and reputationally through questions about data stewardship.”
