

March 14, 2025

The time has come to address the post-quantum security threat

Traditional encryption methods are at risk of being broken by quantum computers. Here’s how organizations can adopt post-quantum solutions to protect their digital communications and data.


Late last year, a group of Chinese researchers successfully cracked RSA encryption, one of the oldest and most common methods used to secure data stored by countless banks, healthcare organizations, and government agencies around the world.

Their weapon of choice? A D-Wave quantum computer.

While cryptographically relevant quantum computers (CRQCs) are not yet accessible to the average cybercriminal, this event marks an unwelcome milestone in the quantum roadmap—one that poses a major cybersecurity threat for industries handling sensitive data, financial information, or intellectual property, such as healthcare, banking, energy, aviation, and automotive.

The study published about this event also sounds the alarm on the urgency of this issue: the researchers raise the possibility of a "harvest now, decrypt later" scenario, in which attackers steal encrypted data with the intention of decrypting it once commercial quantum computing becomes viable in the next 10-15 years.

This looming threat has initiated a global race toward post-quantum cryptography (PQC)—cryptographic algorithms designed to be secure against attacks from quantum computers. But while many organizations accept the need to act swiftly with new technology, transitioning to PQC can be a lengthy, costly, and complex process that could take years to complete.

In this blog, we explore how and why organizations must begin the transition to quantum-resistant cryptographic methods and the challenges they must overcome to ensure their data remains protected even in the face of advancing and evolving threats.

Understanding the post-quantum decryption threat

Cryptography—the use of codes and algorithms to protect and obscure sensitive data and other information—has long been the bedrock of digital security, ensuring confidentiality, integrity and authenticity in our communications. Traditional cryptographic methods, such as RSA and elliptic curve cryptography (ECC), have provided robust security based on the computational difficulty of mathematical problems like factoring large numbers or the discrete logarithm.

These cryptographic methods are what have kept our online banking accounts, digital health records, government secrets, and intellectual property safe and secure… until now.

With the help of quantum computing, these traditional cryptographic schemes, which would have taken thousands of years to crack with a conventional computer, could potentially be broken in a matter of seconds. This is because quantum computers utilize quantum bits, or qubits, that can exist in multiple states simultaneously and can be entangled, allowing for parallel computation on an unprecedented scale.

Embracing post-quantum solutions ensures that sensitive customer data, as well as IP and government secrets, remains protected even in the face of advanced quantum computing threats. It is also a critical consideration for organizations developing long-lifecycle products—such as those in automotive, aviation, and energy—which must ensure that digital components, like chips and hardware, can be updated with stronger security protocols as they become available. This is crucial to preventing catastrophic breaches that could compromise critical infrastructure, including power grids and air traffic control systems, as well as essential assets like planes and automobiles.

Embracing post-quantum solutions: Overcoming challenges to PQC

The transition to PQC is not a simple software update. It's a complex migration involving hardware, software and protocol changes across entire ecosystems. There are key challenges that organizations must overcome, technically, financially and culturally, to enable this shift. This requires a comprehensive approach that not only tackles known challenges but also anticipates future needs.

Technical challenges

As they begin the shift to PQC, organizations must address the age-old challenge of legacy system compatibility. Outdated applications and infrastructure components may struggle to support new cryptographic algorithms, creating insurmountable interoperability issues. For those systems that can support more advanced encryption methods, performance overhead may remain an issue since these tools may introduce computational demands that surpass the system’s capabilities.

Financial challenges

Transitioning to PQC also presents significant financial challenges for organizations, as program costs easily stretch into the millions. (For context, the U.S. federal government's migration to PQC between 2025 and 2035 is estimated to cost approximately $7.1 billion.) The high price tag associated with this transition may require companies to reevaluate and reallocate their IT budgets.

Cultural challenges

Finally, organizations cannot overlook the significant cultural challenges PQC presents. As with any new process or technology implementation, employees will need to learn how new PQC protocols work and adjust their workflows accordingly.

The good news is that in many cases, companies need not go it alone nor start from scratch to address these issues. The National Institute of Standards and Technology (NIST) has been actively working on PQC since 2017, with the first public key algorithms standardized in 2024. This long-term effort, which involves international collaboration, shows the global recognition of the need for PQC and provides a framework for implementation.


Jumpstarting the PQC journey: 6 practical steps to a more secure future

While the PQC journey is complex, it will not be unfamiliar to many IT leaders, as it resembles many common transformation programs. To help organizations understand the road ahead, here we share the main steps companies can take to begin the PQC transition.

1.    Conduct a cryptographic inventory and risk assessment.

Organizations need to audit their current use of cryptography to understand vulnerabilities. This includes identifying where public key cryptography is used and the nature of the data protected. Organizations should assess how quantum decryption could impact their assets, prioritizing data based on sensitivity and longevity. For example, organizations should prioritize securing long-term confidential data, such as customer financial records, healthcare information, or classified government communications, which could be vulnerable to “harvest now, decrypt later” attacks.

2.    Conduct a technical assessment.

Many organizations still use systems for which upgrading cryptography is not straightforward, particularly in sectors with long asset lifecycles, such as aerospace, energy, and healthcare. Organizations must assess their current technology stack to determine which systems can be easily upgraded and which will require significant investment or redesign to accommodate advanced cryptographic protections.

For example, cloud-based applications and software-defined infrastructure are generally more adaptable to cryptographic upgrades, allowing for seamless integration of post-quantum encryption methods. On the other hand, embedded systems in industrial control networks, medical devices, or aviation equipment often rely on hardware-bound encryption, making updates complex and costly.

3.    Adopt hybrid systems.

A full-scale, immediate overhaul of cryptographic systems would be a massive undertaking for most organizations. Instead, a hybrid approach—integrating both classical and quantum-resistant algorithms—enables a more gradual and manageable transition. Companies should prioritize high-risk areas identified in their initial assessments, implementing hybrid cryptography first in critical systems while planning a phased rollout across other assets.

4.    Follow industry-leading standards.

Organizations should follow the lead of bodies like NIST and leverage published standards as they prepare for integration. This ensures their assets adhere to the latest security protocols and are in a strong position to be upgraded in the future as new standards are introduced.

5.    Conduct robust education and training.

PQC represents a monumental shift in how organizations must think about data security. IT and cybersecurity teams alike need to be educated on quantum threats and the necessity of post-quantum solutions to manage this transition effectively. These leaders can then serve as ambassadors, educating other teams, including R&D, on this threat and working with them to adapt processes and capabilities to ensure ongoing protection of data and products.

6.    Continuously monitor and update security protocols.

As with any security strategy or solution, PQC is not a one-time event. It requires organizations to take a long-term approach to security, regularly monitoring and updating methods as the threat landscape evolves. Given that quantum cryptography is an emerging area where few people have significant expertise, it is wise to engage a reputable strategic partner and security service provider to evaluate, select, implement, integrate and operate post-quantum solutions.
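
Steps 1 and 3 as an added example (not from the original article or any Cognizant tooling): a triage over a constructed inventory that flags public-key algorithms breakable by Shor's algorithm, treats classical-plus-PQC hybrids as already migrated, and ranks the rest by Mosca's inequality (shelf life plus migration time versus years until a CRQC). The asset names, the year figures and the 10-year horizon (the lower end of the article's 10-15 year estimate) are assumptions.

```python
from dataclasses import dataclass

SHOR_BROKEN = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "ED25519", "X25519")
PQC = ("MLKEM", "MLDSA", "SLHDSA")  # FIPS 203/204/205 names, hyphens removed

@dataclass
class Asset:
    name: str
    algorithm: str
    use: str               # "key-exchange", "encryption" or "signature"
    shelf_life_years: int  # how long the data or signature must stay trustworthy
    migration_years: int   # estimated time to replace the algorithm here

def classify(algorithm):
    """Return 'pqc', 'hybrid', 'vulnerable' or 'not-public-key'."""
    norm = algorithm.upper().replace("-", "").replace("_", "")
    has_pqc = any(p in norm for p in PQC)
    for p in PQC:  # strip PQC tokens so "MLDSA" is not misread as "DSA"
        norm = norm.replace(p, "")
    has_classical = any(c in norm for c in SHOR_BROKEN)
    if has_pqc:
        return "hybrid" if has_classical else "pqc"
    return "vulnerable" if has_classical else "not-public-key"

def triage(assets, crqc_years=10):
    """Rank vulnerable assets by shelf life + migration time - CRQC horizon."""
    findings = []
    for a in assets:
        if classify(a.algorithm) != "vulnerable":
            continue
        margin = a.shelf_life_years + a.migration_years - crqc_years
        if margin <= 0:
            risk = "migrate on schedule"
        else:  # recorded ciphertext can be decrypted later; signatures cannot
            risk = ("forgery once a CRQC exists" if a.use == "signature"
                    else "harvest now, decrypt later")
        findings.append((margin, a.name, a.algorithm, risk))
    return sorted(findings, reverse=True)

# Constructed sample inventory; names and numbers are illustrative assumptions.
INVENTORY = [
    Asset("patient-records-archive", "RSA-2048", "encryption", 25, 4),
    Asset("avionics-firmware-signing", "ECDSA-P384", "signature", 20, 8),
    Asset("public-web-tls", "ECDH-P256", "key-exchange", 1, 2),
    Asset("partner-vpn", "X25519MLKEM768", "key-exchange", 10, 0),
]

for margin, name, alg, risk in triage(INVENTORY):
    print(f"{margin:+4d}y  {name:26s} {alg:11s} {risk}")
```

A positive margin means data protected today will still need protection after the assumed CRQC date, so those assets go to the front of the hybrid rollout.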

Taking action on PQC today

As CRQCs come closer to realization, organizations must act now to protect their sensitive data and ensure long-lifecycle assets remain securable in the coming years.

By taking a proactive, comprehensive approach, businesses can ensure long-term resilience against these deep-tech risks when they inevitably become reality.

As companies begin their PQC journey, Cognizant can help. We offer services at every stage, including planning and inventory, system evaluation and selection, deployment and integration, and operations. For more information about our services, please contact us.
 



Rasool Kareem Irfan

Principal Architect, CIS Solutioning Security

Rasool Kareem Irfan is a Principal Architect at Cognizant Security Services. His deep understanding of diverse industries, coupled with certifications like CISM, CEH and ISO 27001 Lead Auditor, allows him to design holistic security solutions that align with business objectives. He guides organizations through the complexities of cybersecurity transformation, ensuring their digital assets are protected and their strategic goals remain uncompromised.


