Cryptography and the Quantum Era: What is the IT Risk for Organizations?

Cryptography: The Pillar of Cybersecurity.

Cryptography is the foundation of digital trust. It plays a central role in IT security, as nearly all organizational infrastructures and processes depend on it, ensuring data confidentiality, file integrity, identity authenticity, and transaction non-repudiation. Without cryptography, our infrastructures would be exposed, and our communications easily manipulated or falsified.

For nearly four decades, standard cryptographic mechanisms were regarded as unbreakable and permanent, leaving governance overlooked and undervalued. What is clear is this: today, no organization has full visibility or control over the mapping and management of the cryptographic assets embedded in their information systems.

However, the impending arrival of quantum computing is a game-changer. It forces organizations to refocus their attention on a domain that has remained in the shadows for far too long.

The Threat Posed by Quantum Computers

Quantum computing, though still in development, is set to disrupt the very foundation of today’s cybersecurity. By harnessing the principles of quantum mechanics, this technology can solve problems in record time, problems that traditional computers would require virtually unlimited processing power and time to tackle. Yet it is precisely the difficulty of solving these mathematical problems that underpins the strength of cryptography. If this hypothesis fails, the cryptographic algorithms built upon it collapse as well.

For the past 40 years, asymmetric cryptographic algorithms such as RSA and Diffie-Hellman have held an almost monopolistic position in securing our communications. However, quantum computing—and particularly Shor’s algorithm—demonstrates that these methods will not withstand the power of a fully operational quantum computer.

In other words, with the advent of quantum computing, the security provided by today’s asymmetric cryptography will not merely be weakened, it will collapse entirely.

The IT Risks in the Quantum Era

A sufficiently powerful quantum computer will create a systemic risk for organizations that continue to rely on classical asymmetric cryptography:

• Confidentiality will be compromised: sensitive data will become accessible to anyone.
• Digital trust is broken: certificates and electronic signatures will lose their validity. Anyone could impersonate a legitimate actor on your network.
• Financial transactions and blockchains can be destabilized: contracts could be altered, private keys hijacked.
• Massive economic fallout will ensue: there will be a loss of trust and reputation, business disruption, and the added cost of large-scale migrations.

The risk is not just theoretical. Even today, encrypted data can be intercepted and stored to be decrypted later with quantum computing: a threat known as harvest now, decrypt later.

The Only Solution: Quantum-resistant Cryptography

To guard against emerging threats, organizations have no choice but to prepare for the replacement of classical asymmetric cryptography. The only alternative currently considered industrially viable and endorsed by national security agencies is post-quantum cryptography (PQC), designed to withstand attacks from quantum computers.

In 2024, the National Institute of Standards and Technology (NIST) published the first three algorithms, resulting from a global collaborative effort among research teams. These algorithms provide a solid reference framework for building resilient security against quantum‑related risks.

While quantum computers are not yet capable of breaking RSA‑2048 or large-scale elliptic-curve cryptography, experts estimate this could become feasible within 10 to 20 years, or sooner in the event of a technological breakthrough. International consensus recommends transitioning to post-quantum cryptography (PQC) before 2035.

These new algorithms offer no absolute guarantees: they are still recent, and their resilience must be proven over time. For this reason, the transition to PQC should be based on:

• an agile approach, allowing rapid replacement of an algorithm if it is later deemed vulnerable, and
• a hybrid strategy combining the well-understood advantages of classical cryptography with the quantum-resistant benefits of PQC.

How to Prepare Your Migration to PQC

The countdown has begun, and we only have ten years, or maybe even less. But a migration project toward post-quantum cryptography (PQC) could take more than a decade. Waiting exposes organizations to an unavoidable wall in the form of a regulatory, technological, and operational shock that cannot be absorbed in time.

The first critical step is to conduct a cryptography inventory. This involves mapping usage, identifying deployed algorithms and protocols, detecting vulnerabilities, and obtaining a complete view of all cryptographic assets in operation. Although time-consuming and complex, this exercise forms the cornerstone of any PQC migration strategy.

This first phase also coordinates the steps of the post-quantum migration to achieve:

• a consolidated view of risks,
• actionable reporting at the executive level, and
• a solid foundation for building a realistic roadmap.

In parallel, within pilot environments, it is critical to test post-quantum cryptography and implement crypto-agile solutions within your systems. Through the deployment of end-to-end use cases in a quantum-resistant mode, the objectives are to:

• understand the technical impact of post-quantum cryptography: key sizes, latency, protocol hybridization effects, algorithm selection, and more.
• raise awareness and engage teams, building the expertise required to define and implement a post-quantum transition plan. By nature, these plans are cross-functional and affect the entire organization: Cybersecurity, IT, Risk, Compliance, Procurement, and beyond.

The bottom line is this: Effective cryptography governance is critical for operational resilience.

Cryptography is the backbone of cybersecurity. In the quantum era, it risks becoming its own Achilles’ heel. The IT risk is significant and well-identified. Transitioning to quantum-resistant solutions must be planned carefully; otherwise, confidentiality and digital trust will collapse.

The time for action is now: take inventory, anticipate, experiment. Post-quantum cryptography has become a strategic imperative for every organization.