Never before has the integrity of identities, transactions, and digital signatures come so starkly into question than with the approaching Q-Day, which can derail longstanding trust and risk management.

The cybersecurity industry has spent decades building walls around networks and identities. Attackers have spent the same time learning to walk straight through them.  

And now there’s a bigger challenge on the horizon: quantum computing. Threat actors are already hoarding encrypted data, waiting for the moment when quantum capabilities make it readable.

Increasingly, attackers are stealing data as part of a “harvest now, decrypt later” strategy; these rely on exfiltration and long-term storage of currently unreadable encrypted data with long term value awaiting the availability of commercial quantum computing capabilities, referred to as ‘Q-Day’, that would render the data readable and of value.

Q-Day is coming and most organizations aren’t ready.

Robert Hann, Global VP of Technical Solutions & Centre of Excellence at Entrust, commented: “On World Quantum Day 2026, adversaries are already using ‘harvest now, decrypt later’ tactics, and if Google’s latest predictions are correct, Q-Day could arrive as early as 2029. Migrating data and asset protection infrastructure to post-quantum cryptography (PQC) is a multi-year journey, spanning data in motion, data at rest, and data in use – meaning universal migration should have already started.”

Paul German, CEO of Certes, commented:“For too long, cybersecurity has focused on protecting infrastructure and identities, yet attackers continue to bypass those controls.  The reality is that organizations must now assume breaches will occur and focus on protecting the data itself… wherever it resides, using quantum-safe data protection and strict communication controls that prevent attackers from moving through the environment or exploiting stolen data.”

“Importantly, this can be achieved with zero application rewrites or refactoring, enabling organizations to apply quantum-safe protection to legacy applications that cannot easily be upgraded. It gives business leaders confidence that even in the event of a breach, their data remains secure and their operational and regulatory risk is significantly reduced.” 

As organizations increasingly operate across hybrid environments, the edge has become one of the most vulnerable points in the security chain. Traditional perimeter tools such as VPNs, firewalls, and endpoint detection systems primarily focus on protecting infrastructure and identity. However, attackers continue to bypass these controls, using stolen credentials to move laterally and extract sensitive data. 

Ian Farquhar, Security Chief Technology Officer, Gigamon, warned: “What’s often overlooked is that this isn’t just about ‘harvest now, decrypt later,’ but ‘harvest now, forge later.’ If private keys are compromised, the integrity of identities, transactions, and digital signatures comes into question, derailing longstanding trust and risk calculations that form the backbone of the modern era. This will impact organizations across every industry, impacting consumers and businesses alike.

Simon Pamplin, CTO at Certes, said:“Traditional security controls do less than half the job because they focus on defending the network rather than the data.”

Underestimating the threat

Hann said: “A year on from NIST’s quantum-safe standards, we’re seeing organizations start to move from planning PQC to deployment. Large enterprises such as Mastercard are already advocating early adoption, particularly in the finance sector. In Singapore, the Cyber Security Agency (CSA) has already begun laying the groundwork for quantum-safe migration, launching a Quantum-Safe Handbook and Quantum Readiness Index in 2025.”

However, he warned: “Yet, many organizations continue to underestimate the threat. Research from the ‘2026 Global State of Post-Quantum and Cryptographic Security Trends’ report shows that only 33% of organizations in Singapore and 38% globally are currently transitioning to PQC. In 2026, leaders need to take decisive action to protect how identities are issued, verified, and trusted in a post-quantum world.”

Farquhar concurred: “This World Quantum Day should be a wake-up call for many organizations. There is little time left to transition, and quantum could be here in as little as four years’ time in some parts of the world.”

He pointed out that, even if there’s ongoing debate about how quickly quantum computing will scale, the risk is significant enough and the timelines short enough that organizations can no longer afford to wait.

“If we think back to 1999 when Y2K was approaching, the event itself was a forcing function that led to massive technology infrastructure upgrades and tech stack modernization,” Farquhar added. “In that case, there was very little impact from the two-digit data representation, and some people characterized it as wasted effort.  It was not, as we benefited as an industry from the tech stack modernization which it delivered.”

But like Y2K, today’s quantum challenge isn’t just the potential event itself, he said. “It’s the scale of the remediation effort required across systems, applications, and embedded technologies, which makes early action critical.”

The upside 

Farquhar believes the real upside is that Q-Day is forcing a long-overdue modernization: “Most organizations rely on a narrow set of aging cryptographic algorithms that have gone largely untouched because they’re difficult to change. To prepare, organizations should create a dedicated team internally, much like a cryptographic center of excellence.”

From there, this team can inventory where cryptography exists across their environments, prioritizing what matters most, and building the internal muscle, often through dedicated teams, to manage and execute these upgrades. 

“Once done, we then need to monitor our environments to ensure that vulnerable non-PQC crypto has not been missed or sneaks back in. If that effort results in true cryptographic agility, where policies and algorithms can be swapped out quickly in response to future threats, then the investment will have been worth it regardless of how the quantum threat ultimately evolves.”

According to Pamplin, solutions such as Certes’ v7 bring quantum-safe, per-flow encryption and segmentation directly to the endpoint, ensuring that even if attackers get in, they cannot move freely or turn stolen data into something usable.

Such solutions deliver universal, sovereign, quantum-safe, per-flow data protection from server workloads to the edge, ensuring that even when networks, identities, endpoints, or cloud controls fail, an organization’s data remains secure, consistent, and unusable to attackers.  Besides PQC for any app, any infrastructure, anywhere – they also reinforce data sovereignty.

Pamplin added: “Customer‑owned post‑quantum keys are never visible to cloud providers or third parties, giving organizations demonstrable control over who can decrypt sensitive data, and where – whether workloads run in AWS, Azure, GCP, Oracle, private data centers or at the edge. This is about containing breaches and removing the financial, operational, and regulatory fallout that follows.”