"Harvest now, decrypt later is a today problem": Collapsing uncertainty in quantum security
Q-Day - the moment when quantum computers will be able to crack traditional cryptography - may not be a notional future threat forever.
For years, the quantum threat has existed in a kind of superposition -simultaneously urgent and distant, real but unobserved. We can model the risk. What we can’t pin down is the moment it becomes unavoidable.
That ambiguity has allowed organisations to treat post-quantum security as a future problem. But that window is closing.
In quantum physics, observing a system collapses its wave function into a single, definite state. In security, the rise of “harvest now, decrypt later” attacks is having a similar effect, turning a theoretical risk into something measurable, and therefore impossible to ignore.
We know that threat actors are collecting encrypted data in the hope that quantum computers will be able to crack it one day.
But what's less obvious is how and when to respond.
Google recently set a new and aggressive deadline of 2029 for its own shift to post-quantum cryptography (PQC) - citing the risk of harvest now, decrypt later attacks. That decision came after its researchers warned that quantum attacks could crack cryptocurrency encryption in minutes.
The US National Institute of Standards and Technology (NIST) has finalised three PQC standards (FIPS 203, 204, 205) and set a migration deadline of 2035.
Enterprises are also starting to include PQC in their risk and compliance programs, meaning that vendors are including quantum-safe encryption.
Making the move to post-quantum cryptography
One of these providers is Certes, which recently upgraded its Protection and Risk Mitigation (DPRM) platform to v7 to deliver quantum-safe data protection and crypto-segmentation.
In conversation with Certes, one point was made clear. The move to PQC cannot be put off.
Paul German, CEO, told Machine: "Today's data has intrinsic value in the future. So it could be captured now in line with a that quantum will be able to break RSA or ECC algorithms in the future. This threat poses a clear and present risk that has to be mitigated.
"We're having a lot of conversations around sovereignty with customers, who understand that while data exists on their infrastructure, they can have an element of control, perhaps. But when that data is exfiltrated or moves outside of sovereign boundaries, how is that protection retained?"
"The time for organisations to move is now. This is a today problem, not a tomorrow, next year or year after problem."
A quantum leap in data protection?
Certes’ v7 platform enables organisations to centrally define data protection and segmentation policies and automatically enforce them across all endpoints.
Each data flow is secured individually using quantum-safe cryptography and rapid key rotation, ensuring sensitive data remains protected across IT, operational technology, and cloud environments.
By applying cryptographic segmentation to every application flow, v7 replaces brittle network and identity-based controls with protections designed to contain attacks within tightly defined micro-segments.
READ MORE: Commercialising the "second quantum revolution"
Certes has been speaking to customers who are preparing for the shift to PQC - but too slowly.
Simon Pamplin, CTO, said: "The customers who are preparing for a quantum-safe future are carrying out assessments and looking at a multi-year process to identify where all the embedded crypto is in all of their applications. Then they will go through a process of upgrading it. But there isn't time to do that."
Rather than a multi-year headache involving ripping out infrastructure, rewriting applications, and hoping nothing breaks along the way, v7 sidesteps the busywork to apply quantum-safe protection directly to data flows.
Certes said this removes the need for wholesale upgrades, allowing companies to move now rather than wait for perfect conditions.
Achieving quantum security
The key is abstraction. Instead of embedding new cryptographic standards deep inside applications or networks, v7 wraps data itself with quantum-safe controls that travel with it.
That means legacy systems, hybrid cloud environments, and edge deployments can all be protected without modification. The result is a solution sold as a dramatically shorter path to PQC.
This also changes the economics of the transition. Traditional PQC migration plans are expensive, disruptive, and often stall before they begin. v7 turns it into an incremental, policy-driven rollout: define protections centrally, enforce them everywhere, and scale without operational drag.
Organisations can prioritise their most sensitive data first, closing real risk immediately rather than waiting for a full-stack overhaul.
READ MORE: When will quantum computing have its "ChatGPT moment"?
In practice, that means companies no longer have to choose between security and speed. As the “harvest now, decrypt later” threat accelerates, v7 offers a way to deploy quantum-safe protection today - buying time, reducing exposure, and turning PQC from a theoretical future requirement into a present-day control.
Dan Panesar, CRO at Certes, added: “With v7, we help boards and CISOs move to quantum‑safe data protection in weeks, not years, without refactoring applications, redesigning networks and infrastructure, or grinding operations to a halt.
"When a breach happens, and it will, v7 shrinks the blast radius, stops attackers turning access into impact, and materially reduces cost, downtime, and regulatory fallout."
READ MORE: Quantum is "creating anxiety" for security leaders. Here's what to do about it
The question is no longer whether quantum will break today’s encryption. That outcome is starting to look inevitable - or at least very probable.
For organisations holding long-lived secrets - financial records, intellectual property, critical infrastructure vulnerabilities, the secret to making Coca Cola - the risk is likely to materialise.
That’s what “harvest now, decrypt later” actually means. The breach happens first. The impact comes years later.
In that sense, the wave function has already collapsed.
The only uncertainty left is who is exposed - and how much of their data is already gone.
