The cybersecurity industry has long treated Q-Day – the point at which quantum computing shatters current encryption standards – as a distant, theoretical problem. However, this complacent timeline has been rather aggressively upended.
As highlighted by Richard Ford, chief technology officer of Integrity360 during the Security First conference in Cape Town, the threat has become a present-day reality that demands a fundamental rethink of cyber resilience.
The most sobering proof of this accelerating timeline recently came from Google, which surprised the technology sector by pulling its internal post-quantum cryptography migration deadline forward to 2029.
The quantum threat – once joked about as perpetually 10 to 20 years away – now has a concrete, near-term date attached to it by one of the world’s primary digital infrastructure providers.
According to Ford, South African organisations should already be preparing for Q-Day, and its potential exposure long before such a moment arrives, rather than assuming quantum risk can be dealt with later.
“We have seen this pattern before. If we look back at the early internet – ARPANET – it was built primarily to work and be functional first and foremost,” Ford explained during the Cape Town leg of the Security First conference.
“Security was an afterthought because the assumption was that every user could be trusted. We are repeating that mistake today with AI and quantum-vulnerable encryption. We are racing toward functionality and speed while leaving safety as a secondary concern, which is precisely what makes the ‘store-now-decrypt-later’ threat so potent.
“Q-Day itself is only part of the picture. The concern is that sensitive data may already be getting collected and stored for future decryption,” Ford explains.
“If that information still has value years from now, then the risk and the potential consequences are already in motion. This is the essence of the ‘store-now-decrypt-later’: attackers stealing encrypted data today with the intention of unlocking or selling it once quantum capabilities mature,” says Ford.
Google’s accelerated 2029 deadline is an eerie warning. The tech giant’s security leadership explicitly cited the immediate danger of ‘store-now-decrypt-later’ attacks as a primary driver for moving their timeline forward.
The danger is especially acute for information with a long confidentiality lifespan, such as intellectual property, financial records, health data, legal material, strategic plans and sensitive customer information.
To understand this exposure, South African organisations should conduct a data shelf-life audit, Ford says.
“If a business holds sensitive data that must remain confidential for 10, 15 or 20 years, then the risk attached to outdated cryptography is not theoretical. It represents a deferred exposure that may affect regulatory standing, commercial trust and long-term enterprise value.
“In that sense, quantum preparedness increasingly belongs in the same category as other board-level resilience issues: third-party risk management, business continuity, digital identities and governance and risk compliance.”
Decision-makers must determine the lifespan of their data and how long it needs to remain private and trustworthy.
Once that is understood, organisations can begin mapping where vulnerable encryption exists across applications, backups, certificates, archived data, partner ecosystems and legacy infrastructure.
Cryptography and resilience planning
Quantum risk connects to resilience challenges that organisations are already grappling with. This is why it makes sense for post-quantum readiness to be treated as part of a wider effort to protect long-term value in an environment where threats, dependencies and timelines are all shifting.
Fortunately, organisations do not need to solve the entire quantum problem today. But Ford argues that boards should start identifying where their most enduring exposures lie – and sooner rather than later.
“Organisations that ignore these timelines are essentially gambling with their future continuity,” warns Ford. “It is similar to a senior partner at a law firm who replaces all their junior lawyers with AI to save costs today, only to retire in ten years and realise there is no one left with the senior expertise to run the firm.
“By the time Q-Day arrives, now possibly as soon as in 2029, those who haven’t built the internal knowledge and mapped their cryptographic dependencies today will find themselves without the human or technical expertise to survive the transition.
“Waiting for a precise deadline may feel prudent, but it could mean acting only once the most valuable data has already been harvested. Organisations that prepare early, rather than leaving it until the threat feels more immediate, will be in a stronger position to preserve trust, continuity and operational stability.”
Protecting enterprise value requires proactive adaptation, Ford adds. Waiting for 2029 is a flawed strategy because the most valuable asset – data – is already being targeted.
The organisations that begin migrating to quantum-safe standards today, or at least map out their vulnerabilities, are the ones taking cyber resilience seriously.
“For boards that have not yet examined the lifespan of their data or the cryptographic dependencies protecting it, it is already a live resilience issue,” he says.