A recent LondonWorld feature put it bluntly: the quantum cyber threat is already here, and most businesses are not ready. The piece interviewed Moona Ederveen-Schneider, a post-quantum specialist with more than twenty years in cyber and risk leadership at Deutsche Bank, JPMorgan Chase, UBS, Nomura and ABN Amro, and former Executive Director EMEA at FS-ISAC. Her message to enterprise leaders was direct: this is not a 2035 problem. It is happening now.
She is right. And the reason it matters for every CTO and CISO reading this is simple: the most dangerous part of the quantum cyber threat is not a future event. It is a decision being made, or avoided, in your organization today.
Key Takeaways
- "Harvest now, decrypt later" is a live attack. Adversaries are capturing your encrypted data today to decrypt once a cryptographically relevant quantum computer exists. Any data with a long confidentiality life is already exposed.
- The timelines are tighter than they look. The UK's NCSC expects full migration by 2035; Google has set an internal 2029 deadline. A full cryptographic overhaul takes most large enterprises 5-10 years, so "start now" is not urgency theater, it is arithmetic.
- 97% of enterprise systems are not prepared for quantum-safe standards, and 93% of federal agencies have no migration plan.
- The common failure is treating this as a security-team IT project. Post-quantum migration is a whole-organization transformation, and it starts with data, not a cryptographic inventory.
- Readiness is now a commercial differentiator. Insurers are pricing in quantum risk and procurement teams are demanding proof of a plan.
"Harvest Now, Decrypt Later" Is Not a Future Risk. It Is a Present Breach.
The phrase Ederveen-Schneider returns to is the one every board needs to understand: harvest now, decrypt later (HNDL). Adversaries, including well-resourced nation-states, are intercepting and storing encrypted traffic today, betting that quantum computing will soon make it readable. As she puts it, this "is already happening."
That reframes the entire risk conversation. The breach is not pending; the data has, in effect, already left the building. Quantum computing simply determines when the contents become legible. For anything that must stay confidential for years (patient records, financial histories, intellectual property, government contracts, executive communications), the clock on that exposure started the moment the data crossed the wire under RSA, ECC, or Diffie-Hellman.
This is why "we'll deal with quantum when the computers arrive" is a category error. By the time a cryptographically relevant quantum computer is public, the data you transmitted years earlier is already in an adversary's archive, waiting.
The Timelines That Belong on Every Board Agenda
The hype around quantum makes it easy to dismiss. The regulatory and engineering calendar makes it impossible to ignore.
- August 2024 - NIST finalized the first post-quantum standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). These are no longer drafts. They are the algorithms enterprises are now expected to migrate toward.
- January 2027 - the CNSA 2.0 mandate begins to bite for systems connected to national security infrastructure. This is when enterprise budgets unlock and "later" stops being an option for regulated sectors.
- 2028 / 2035 - the UK NCSC timetable: detailed migration planning complete by 2028, full migration by 2035.
- 2029 - Google's internal deadline. As Ederveen-Schneider notes, Google is one of the companies building these machines and has set a 2029 full-migration target, citing faster-than-expected progress. When the builders move their own deadline forward, that is a signal worth heeding.
Here is the part most leaders miss. Ederveen-Schneider observes that a full cryptographic overhaul typically takes a large organization at least five years, and sometimes twice that. Put the engineering reality next to the deadlines and the conclusion is unavoidable: 2035 is not generous, and a 2027-2029 horizon for the most exposed systems means the work has to start in this budget cycle, not a future one.
Where Post-Quantum Migration Goes Wrong
Most failed or stalled migrations share the same two mistakes, and Ederveen-Schneider names both.
Mistake one: treating it as a technology project and handing it to the security team. Post-quantum migration is a whole-organization transformation. The data that needs protecting lives in HR, legal, and finance, and in what regulations like DORA call critical business processes. A crypto migration owned solely by security, with no mandate across the business, stalls the moment it touches a system another department controls.
Mistake two: starting with the cryptographic inventory. The industry mantra is "inventory first." Ederveen-Schneider advises the opposite: enhance your data security posture first by answering the business questions: what are we protecting, and how long does it need to remain secret? Inventory matters, but without data-driven prioritization it produces a spreadsheet of thousands of cryptographic assets and no way to decide what to fix first.
The throughline of both mistakes is the same: organizations approach a coordinated, enterprise-wide problem with fragmented, single-team tools.
What "Ready" Actually Requires: Crypto-Agility, Not a One-Time Swap
The standards will keep evolving. Algorithms that look solid today may be deprecated tomorrow. That is why the goal is not to bolt on one post-quantum algorithm and declare victory. It is crypto-agility: the ability to swap cryptographic algorithms across the enterprise as standards change, without ripping out infrastructure each time.
This is the practical heart of the matter. An enterprise that hard-codes a single algorithm into hundreds of systems has simply created its next migration crisis. An enterprise that builds the ability to generate, rotate, revoke, and swap algorithms centrally has built resilience that outlasts any single standard. And, as Ederveen-Schneider points out, that same architecture hardens the organization against today's threats too: ransomware, AI-enabled attacks, and supply-chain compromise.
The Missing Layer: Coordinating Quantum-Safe Across Every System at Once
Here is where most of the market falls short, and where the real gap lies. The vendors selling pieces of the solution each protect one layer at a time:
- Chip makers sell quantum random number generators and secure semiconductors.
- PQC algorithm providers sell the math, but not the coordination.
- Migration consultancies sell roadmaps, not running infrastructure.
- HSM vendors sell key management, but not orchestration across systems.
None of them coordinate the whole picture. Yet "ready" means every connected system (your AI infrastructure, your bank app, your patient data, your payment processors, your cloud and SaaS dependencies) is quantum-safe together, with consistent policy and a single audit trail. A migration that secures one system while leaving its neighbors on legacy cryptography has not closed the exposure; it has just moved it.
This coordination layer is precisely what CONUX AI was built to be. The CONUX SHIELD sits between your enterprise systems and the outside world, applying quantum-safe encryption, hybrid key management (ML-KEM + AES-256), sensitivity-based routing, and algorithm swapping across all traffic, with one-click audit reports mapped to CNSA 2.0, FIPS 140-3, and HIPAA. It is the layer that turns Ederveen-Schneider's principles (crypto-agility, data-first prioritization, whole-organization coverage) into a system that actually runs, rather than a framework that sits in a slide deck.
Quantum Readiness Is Already a Commercial Differentiator
Perhaps the most important shift in the LondonWorld interview is this: the consequences of delay are no longer hypothetical. As Ederveen-Schneider notes, "quantum readiness is a differentiator now, not in 2035."
The market is already moving:
- Insurers are beginning to price quantum risk into cyber policies.
- Procurement teams are requiring evidence of post-quantum readiness from vendors.
- Clients are asking questions that organizations without a plan simply cannot answer.
Early adopters in financial services and pharmaceuticals are already extracting value while preparing for the risk. The organizations that move now will be both safer and ahead. Those that wait will face a reactive, expensive scramble, and a procurement and insurance disadvantage that compounds every quarter.
What to Do in the Next 90 Days
- Make it a business program, not a security ticket. Get executive sponsorship and pull HR, legal, finance, and operations into scope from day one.
- Start with the data. Classify what must stay secret and for how long. Tier your highest-longevity, highest-sensitivity data as immediate HNDL exposure.
- Build a cryptographic bill of materials against those priorities. Discover the algorithms, keys, and certificates protecting your tier-one data, including shadow cryptography in third-party and legacy systems.
- Design for crypto-agility. Choose an approach that lets you swap algorithms centrally as standards evolve, not one that hard-codes today's choice into tomorrow's liability.
- Coordinate, don't fragment. Treat quantum-safe as an enterprise-wide orchestration problem so every connected system migrates under one consistent, auditable policy.
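The "start with the data, then build the bill of materials against it" steps above can be sketched as a small triage script. This is an added example, not code from the article or from CONUX AI: the system names, data classes and secrecy lifetimes are constructed, `years_to_crqc` is a planning assumption you supply, and `migration_years=5` uses the article's lower bound for a full overhaul.

```python
from dataclasses import dataclass

# Families the article names as harvestable (RSA, ECC, Diffie-Hellman).
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDH", "ECDSA", "DH"}

@dataclass
class DataClass:
    name: str
    secrecy_years: int   # how long the business says it must stay secret

@dataclass
class CbomEntry:
    system: str
    data_class: str
    algorithm: str       # e.g. "RSA-2048", "ML-KEM-768"
    external: bool       # traffic leaves networks you control

def hndl_tiers(classes, cbom, migration_years, years_to_crqc):
    """Return (tier, system, reason) rows sorted most urgent first."""
    secrecy = {c.name: c.secrecy_years for c in classes}
    rows = []
    for e in cbom:
        if e.algorithm.split("-")[0].upper() not in QUANTUM_VULNERABLE:
            rows.append((3, e.system, "not a quantum-vulnerable family"))
        elif e.data_class not in secrecy:
            # Shadow cryptography: no owner has stated a secrecy lifetime.
            rows.append((1, e.system, "unclassified data, assume worst case"))
        else:
            # Worst case: data sent on the last day before migration completes.
            window = secrecy[e.data_class] + migration_years - years_to_crqc
            if e.external and window > 0:
                rows.append((1, e.system, f"up to {window}y of HNDL exposure"))
            else:
                rows.append((2, e.system, "vulnerable, no harvest window here"))
    return sorted(rows)

# Constructed sample inventory (hypothetical systems and lifetimes).
CLASSES = [DataClass("patient-records", 25), DataClass("payment-tokens", 2),
           DataClass("board-minutes", 10)]
CBOM = [
    CbomEntry("ehr-gateway", "patient-records", "RSA-2048", True),
    CbomEntry("pay-api", "payment-tokens", "ECDH-P256", True),
    CbomEntry("doc-vault", "board-minutes", "ML-KEM-768", True),
    CbomEntry("legacy-ftp", "hr-payroll", "DH-2048", True),
    CbomEntry("batch-internal", "board-minutes", "RSA-2048", False),
]

if __name__ == "__main__":
    # migration_years=5 is the article's lower bound; years_to_crqc=10 is an assumption.
    for tier, system, reason in hndl_tiers(CLASSES, CBOM, 5, 10):
        print(f"tier {tier}  {system:<15} {reason}")
```

Algorithm names whose prefix is not in `QUANTUM_VULNERABLE` fall through to tier 3, so extend that set to match the naming in your own inventory before trusting the output.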
Conclusion: The Window Is Closing
The LondonWorld interview is a useful wake-up call because it comes from a practitioner who has run these programs inside the world's largest banks. Her conclusion and ours are the same: the quantum cyber threat is already here, the timelines are tighter than they appear, and the organizations that treat readiness as a coordinated, data-first, enterprise-wide program will win on both security and commercial standing.
The hard part was never the algorithms. NIST has finalized those. The hard part is coordinating quantum-safe protection across every system, keeping it agile as standards shift, and proving it to regulators, insurers, and clients. That is the layer most enterprises are missing.
CONUX AI exists to be that layer. If you want to understand your quantum exposure and build a migration that is systematic, agile, and auditable, it starts with a single conversation.
Source / further reading: Tabish Ali, "The quantum cyber threat is already here, and most businesses are not ready", LondonWorld, 18 June 2026, an interview with Moona Ederveen-Schneider, founder of Resilia Connect and the Quantum Security Connection.

