{"id":8466,"date":"2026-06-12T07:40:00","date_gmt":"2026-06-12T07:40:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8466"},"modified":"2026-06-12T07:40:00","modified_gmt":"2026-06-12T07:40:00","slug":"harvest-now-decipher-later-the-quantum-threat-few-are-preparing-for","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8466","title":{"rendered":"\u2018Harvest now, decipher later\u2019: The quantum threat few are preparing for"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Quantum technology\u00a0may\u00a0feel far off but certain risks are already with us in the form of \u201charvest now, decrypt later\u201d \u2014 an attack vector in which malicious actors steal data now for a future in which they have access to quantum computational tools capable of breaking encryption deployed by most companies today to protect their data.<\/p>\n

Despite increasing discussion surrounding this issue, not all organizations are aware of the risk. According to a 2025 ISACA survey<\/a>, only 5% of cyber professionals considered the threat a high priority, despite two-thirds being concerned about quantum\u2019s future ability to break encryption. That 5% was the same percentage of organizations that had defined a strategy to prepare for the quantum threat<\/a>, according to the survey\u2019s findings.<\/p>\n

Contrary to the rhetoric of a \u201cQ-Day\u201d \u2014 a pivotal date on which classical cryptography will be broken by quantum computers \u2014 organizations such as the\u00a0European think tank CEPS warn<\/a>\u00a0that this possibility will not arrive suddenly, but gradually.<\/p>\n

\u201cWe\u2019ve been waiting for some time for something like a quantum computer, which will likely allow us to break traditional encryption systems in a seemingly simple way,\u201d explains F\u00e9lix Barrio, director general of Spanish national cybersecurity institute INCIBE, via video call. \u201cAlthough this has been demonstrated theoretically and we haven\u2019t yet seen computers with that capability, there are different estimates,\u201d ranging from a few months to a decade.<\/p>\n

Barrio notes, however, that such computational power will probably only be available to a few entities, generally government agencies, given their high cost.<\/p>\n

The first three standards for\u00a0post-quantum cryptography (PQC)\u00a0encryption<\/a> were published by the US National Institute of Standards and Technology (NIST) in 2024.<\/p>\n

\u201cThese are algorithms that could supposedly withstand a quantum attack using a quantum computer,\u201d Barrio says. Currently, these algorithms are being tested and adapted to various technologies.<\/p>\n

Quantum key distribution (QKD) \u2014 a quantum-like system that could be applied to data transmission over cable, adapted fiber optic cable, or satellite \u2014 establishes an alternative key exchange system that, through properties of quantum physics, functions as an early warning mechanism in case of detected breaches or intrusions, enabling compromised keys to be discarded.<\/p>\n

The EU has already designed a\u00a0roadmap<\/a>\u00a0for the\u00a0transition to post-quantum cryptography, which sets the end of 2026 as the first phase for deploying these tools, with 2030 as the deadline for high-risk use cases and 2035 for the rest.<\/p>\n

Barrio explains that INCIBE has allocated part of the resources from its innovative public procurement program to advanced cryptography resistant to quantum attacks, funding five initiatives located in different cities in Spain.<\/p>\n

\u201cIn Spain, we have taken the lead in investing in this transition phase\u00a0with the most promising projects we have identified in these public calls for proposals, and over these three years we have been working to ensure that test systems using Spanish technology can be offered and that these systems can also be commercialized,\u201d he notes. \u201cIn Europe, in general, when you talk to other cybersecurity agencies, they are genuinely concerned.\u201d<\/p>\n

Where the sector stands on quantum resilience<\/h2>\n

\u201cToday we take for granted that communications with our bank or healthcare systems are private, and that digital signatures \u2014 for example, those that support financial transactions or cryptocurrencies \u2014 are unforgeable. The impact of these guarantees becoming invalid is enormous, both economically and socially,\u201d Alberto de Mercado, manager of systems engineering for service providers at Fortinet, tells Computerworld Spain via email.<\/p>\n

From a cybersecurity vendor\u2019s perspective, De Mercado speaks of the need to \u201cimplement a phased transition strategy,\u201d taking into account elements such as the type of information exchanged and its need for long-term confidentiality, available resources, compatibility with the existing architecture, and prioritization over other more immediate cybersecurity risks.<\/p>\n

\u201cIn this context, the concept of cryptoagility is key: deploying solutions that allow for the agile change or combination of cryptographic algorithms when necessary, guaranteeing service continuity without needing to completely redesign the architecture or change providers,\u201d he says.<\/p>\n

De Mercado calls for \u201cacting now\u201d when dealing with sensitive information that must remain confidential long-term.<\/p>\n

\u201cIn these cases,\u00a0waiting for absolute certainty means taking a risk that may be unacceptable,\u201d he says, adding the regulatory factor: Although there is no explicit European regulation on the subject, it can be linked to regulations such as GDPR, NIS2, or DORA, which establish protection obligations, \u201cwithout explicitly limiting the time frame.\u201d<\/p>\n

\u201cFrom this perspective, organizations that handle sensitive information long-term must begin to consider this risk as part of their security assessments,\u201d he says, a trend that also applies to cybersecurity providers, \u201cwho are progressively incorporating quantum-safe algorithms and mechanisms into their products,\u201d as is the case with Fortinet.<\/p>\n

Regarding current demand, De Mercado observes an initial trend toward PQC, \u201cas it requires less investment and is easier to integrate into existing environments. QKD is reserved for very specific scenarios, such as highly sensitive interconnections between large headquarters or data centers.\u201d<\/p>\n

Overall, he perceives an \u201cuneven\u201d level of concern, with the most regulated sectors or those with the highest confidentiality requirements at a more advanced stage of testing, transition planning, or even initial deployments of secure communications.<\/p>\n

\u201cGenerally, the more mature an organization is in cybersecurity, the better it is at mitigating immediate risks and the greater its capacity to anticipate emerging threats such as quantum computing,\u201d he says.<\/p>\n

How to protect yourself<\/h2>\n

From the banking sector, CaixaBank addresses the quantum threat \u201cunderstanding that it is a real risk and, as such, must be managed proactively,\u201d a company representative said via\u00a0email.<\/p>\n

\u201cThe risk is already relevant, and it is necessary to have mitigation measures in place now,\u201d the representative continued. \u201cAt the same time,\u00a0the approach is not simply to replace one encryption algorithm with another, but to equip the bank with the necessary crypto agility\u00a0to be able to rotate keys, change cryptographic models, or adopt new standards quickly and in a controlled manner when necessary. In this way, not only is this specific threat mitigated, but the bank\u2019s resilience and preparedness for future technological changes are structurally strengthened.\u201d<\/p>\n

The firm itself is already developing a comprehensive plan, currently under way, with 2029 as the target date for a robust crypto-agility model. This plan has two complementary dimensions. On the one hand, it includes the new PQC schemes, which the bank is currently analyzing to determine how they can be incorporated in an orderly fashion.<\/p>\n

\u201cThe goal is to ensure that the bank is technically prepared to protect both data in transit and data at rest, as these new standards reach the necessary maturity,\u201d the bank\u2019s representative said. But \u201cthe approach goes far beyond a one-off technological transition, taking the opportunity to build a structurally more robust, automated, and repeatable model that will allow for much greater agility in implementing any cryptographic changes in the future.\u201d<\/p>\n

CaixaBank is also participating in European projects to validate practical post-quantum security solutions applicable to the financial sector, as well as in industry forums such as the Quantum Safe Financial Forum (QSFF), where they \u201cshare experiences, define best practices, and contribute to a transition that is realistic, interoperable, and aligned with the sector\u2019s regulatory requirements,\u201d according to the bank\u2019s representative.<\/p>\n

With the quantum threat becoming increasingly prevalent, reviewing the cybersecurity model will soon be imperative for all companies.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Quantum technology\u00a0may\u00a0feel far off but certain risks are already with us in the form of \u201charvest now, decrypt later\u201d \u2014 an attack vector in which malicious actors steal data now for a future in which they have access to quantum computational tools capable of breaking encryption deployed by most companies today to protect their data. […]<\/p>\n","protected":false},"author":0,"featured_media":8467,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8466"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8466"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8467"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}