SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Certes says be ready to protect data before Q Day hits

Fri, 29th May 2026
Anthony Caruana, Interview Editor

Quantum computing is rapidly approaching Q-Day, the term usually used for the point at which quantum computers can break widely used public-key cryptography. Not so long ago, Q-Day was expected to arrive in 2035, but that date has been brought forward and it is now expected to hit sooner. When that happens, many of the encryption protocols we have relied on for the past couple of decades will be greatly weakened.

The move to post-quantum cryptography (PQC) is driven by the fact that today's encryption standards will not be enough to protect your data. Yet many organisations are not prepared for this transition, or have not even started preparing.

Paul German, the CEO of Certes, said there is real risk Australian organisations will be caught short when Q-Day arrives.

"Quantum is gathering pace and, unfortunately, I think it's going to catch many businesses out. ASD [Australian Signals Directorate] said recently that it wants organisations to be in a position where they've transformed to post-quantum cryptography by 2030. That means they should be in the planning stages now. However, our research showed that just 3% of businesses in Australia have started their PQC journey. I think that is down to the risk being misunderstood. The pace at which the change is coming is underestimated."

That preparation is not just about being ready when Q-Day arrives. The number of incidents resulting in data loss, whether accidental or through malicious action, is increasing. And threat actors have adopted a new "harvest now, decrypt later" strategy. Data protected with what will soon be legacy encryption protocols is being stolen today. While that data is safe now, there's no guarantee it will be when Q-Day arrives.

"If you haven't started preparing then start today. The risks are being carried today because of the lifetime value of sensitive data. The risk exists today because Q-Day will happen within the lifetime value of the data that's being harvested."

There is a lot of noise and conflicting messages around PQC. Some organisations see it as a simple infrastructure upgrade and plan to deprecate existing encryption standards and swap in PQC‑ready routers, switches and firewalls as vendors release them. Others argue that PQC must be built into applications. But German says neither approach is fit for purpose.

PQC strategy

Installing a data‑protection control at the network level protects only the links and the underlying infrastructure; the protection does not travel with the data. When sensitive information is exfiltrated to a third‑party network, the controls you have put in place are no longer effective. Relying on application vendors is problematic, as many still support deprecated TLS versions and change in the application layer can't keep pace with the emerging quantum threat.

"We believe a different strategy is required," explained German. "Abstract the protection of data away from the infrastructure and the application layers and use a dedicated, independent control that travels with the data. This control can be applied whether the data resides within your own premises or outside. If the data falls into the hands of an attacker, it becomes effectively useless because it is wrapped in post‑quantum cryptographic standards and the keys remain inaccessible."

This approach means organisations can maintain sovereign control, minimise risk, and react quickly to evolving threats without having to touch every application or piece of infrastructure. It also delivers crypto-agility – the ability to adapt as the PQC world changes.

"One thing we know about cryptographic standards is they will change again in the future. What we can do is we can provide our customers with frameworks that can evolve as the threat landscape changes. Some applications today are still using deprecated versions of TLS. That shows you that they are not and cannot be cryptographically agile. What we need is this abstracted capability where you can control policy, enforcement and the movement to new standards."

Starting point

The size and complexity of adapting to PQC can be overwhelming, and many organisations struggle to know where to start. German advocated for a simple approach that ensures the most critical data assets are protected.

"80 percent of your risk exists across 20 percent of your estate. That's where you start. If you look at it that way you've reduced the problem by 80%."

Identity and access management is a major risk because trust in every identity relies on cryptographic standards. If those standards are broken by quantum attacks, everything from logging on to a secure device to verifying identity for high-value transactions is potentially compromised.

"The way that we manage trust within our environments is underpinned with cryptographic standards. If those cryptographic standards are compromised, then we're compromising the trust layer that we've built as the foundation of our environments," German said.

Q‑Day is not a distant forecast but a looming reality that threatens the trust fabric of our digital ecosystems. By abstracting data protection from infrastructure and applications, organisations can secure their most critical assets and adapt to evolving cryptographic standards before the quantum threat renders legacy safeguards obsolete.