The global cybersecurity landscape is approaching a turning point as quantum computing accelerates faster than most organisations realise.

According to Wessel Pieterse, cybersecurity lead at Accelera Digital Group (ADG), the shift is not a distant, theoretical concern, but a present-day business risk that demands immediate action.

“Quantum computing doesn’t need to exist at scale to be a threat. Adversaries are already stealing encrypted data today with the intention of decrypting it later. Businesses with long-life data such as the financial services industry, telcos, government, healthcare, education and similar sectors are exposed right now, not in 10 years’ time,” says Pieterse.

This emerging tactic – known as ‘harvest now, decrypt later’ – is driving a global push toward quantum-resistant security. Major technology leaders, including Google and Microsoft, have already begun large-scale migrations to post-quantum cryptography (PQC).

Google Cloud, for example, has rolled out quantum-safe protections across internal systems and recently announced quantum-safe key encapsulation mechanisms in Cloud KMS, signalling the urgency of preparing for a post-quantum world.

 

Transition to PQC takes years

Pieterse states that South African organisations cannot afford to wait for global deadlines to catch up. “The transition to PQC takes years. If businesses only start when quantum computers arrive, they will already be too late – their data would already have been harvested.”

He outlines the top three things businesses need to know:

  • The threat is immediate, not decades away – While large-scale quantum computers capable of breaking today’s encryption may still be years out, the threat has already materialised. Attackers are actively collecting encrypted data with long-term value, such as health records, financial contracts, intellectual property, and government information, knowing they will be able to decrypt it once quantum capabilities mature. “Any organisation holding data that must remain confidential for a decade or more is already at risk. Quantum is not a future problem. It’s a present-day exposure,” Pieterse comments.
  • Modern public-key encryption will be broken: Most digital trust today relies on RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), the two primary asymmetric cryptographic algorithms used to secure internet traffic, digital signatures and data transmission. These are algorithms that quantum computers will be able to break in minutes using techniques such as Shor’s Algorithm. Once that happens, everything from secure web traffic to VPNs, digital signatures, and identity systems becomes vulnerable. “RSA and ECC are the backbone of modern security. Quantum computing will snap that backbone instantly. Businesses need to be ready to replace it,” says Pieterse.
  • The solutions already exist and are standardised: In 2024, the US National Institute of Standards and Technology (NIST) finalised the first three PQC standards, providing a clear, software-deployable path for organisations to migrate to quantum-resistant cryptography. These include ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures. Businesses don’t need to wait for new technology to be invented. The standards are here, and the migration roadmaps are here. The only missing piece is organisational urgency,” Pieterse states.

 

Why businesses must act now

The transition to PQC is complex because encryption is deeply embedded across every layer of enterprise infrastructure, from APIs and databases to IoT devices, firmware and third-party Software-as-a-Service (SaaS) platforms. Most organisations do not even know where all their cryptographic dependencies sit.

“Cryptography is everywhere, but visibility is nowhere. You can’t protect what you can’t see. That’s why the first step is understanding your cryptographic footprint,” Pieterse says.

He adds that the migration challenge extends beyond internal systems. “Even if you update your own environment, you’re still exposed if your vendors and partners haven’t migrated. Supply chain readiness is just as important as internal readiness.”

 

Three immediate priorities

Pieterse says organisations beginning their quantum-readiness journey should focus on three immediate priorities:

  • Inventory cryptographic assets: Identify where RSA, ECC, TLS, VPNs, certificates, and embedded cryptographic libraries are used. This forms the foundation of any migration plan.
  • Prioritise long-life data and build cryptographic agility: Focus first on data that must remain confidential for years or decades. Build systems that can rotate keys, replace algorithms, and adapt quickly as standards evolve.
  • Begin testing and phased migration to PQC: Start validating PQC algorithms in controlled environments and coordinate with vendors to ensure the entire supply chain is aligned with NIST’s transition timelines.

“Quantum-safe security is not a switch you flip. It’s a multi-year transformation. The organisations that start now will be the ones that stay secure. Those who wait will find themselves exposed at the exact moment quantum computing becomes real,” Pieterse concludes.