Managing Quantum Risk: Why Encryption Alone Is Not Enough
The conversation around quantum security often focuses on the future.
Future computers. Future threats. Future cryptographic standards.
But for organisations responsible for sensitive information, critical services and long-term data protection, the more pressing question is what happens to the data being transmitted today. The National Cyber Security Centre (NCSC) has set out a clear roadmap for the transition to post-quantum cryptography. While the deadlines extend through to 2035, the challenge for organisations starts much sooner.
Because the real risk is not simply when quantum computing arrives.
It’s whether organisations understand what data they need to protect, how long it needs to remain protected and, importantly, who has access to it today.
The Risk Exists Today
One of the most widely discussed quantum threats is known as “Harvest Now, Decrypt Later.”
Sensitive information encrypted today may be intercepted and retained with the expectation that future advances in computing could make decryption possible.
For organisations responsible for strategic plans, intellectual property, legal communications, personnel records, financial information and critical national infrastructure, this changes the conversation.
The question is no longer whether quantum computing will arrive. The question is:
‘How long does your data need to remain protected?’
If the answer is ten years, twenty years or longer, the countdown has already begun.
The NCSC Has Set the Direction
The NCSC’s roadmap provides organisations with a clear framework for preparing for post-quantum cryptography:
- By 2028: Understand and plan
- By 2031: Prioritise and act
- By 2035: Complete migration
These milestones provide important direction and help organisations begin planning their transition.
At Serbus, we see organisations increasingly recognising the importance of preparing for post-quantum cryptography, and we welcome the growing focus on quantum readiness across the industry.
However, successful preparation requires more than cryptographic migration alone.
Post-quantum cryptography will play a critical role in protecting sensitive data for the future. Equally important is understanding who has access to that data, how identities are governed, where accountability sits, and whether organisations have sufficient visibility and control across their environment.
Quantum Readiness is About More Than Encryption
A common misconception is that stronger encryption alone solves the problem. Organisations must also understand how access, governance and accountability are managed.
Questions security leaders and boards should be asking include:
- Who issues, verifies and revokes identities?
- Who controls encryption keys and associated metadata?
- Who can access sensitive information, and under what authority?
- How are access boundaries enforced, monitored and audited?
- Do we have visibility of all users, devices and machine identities accessing critical systems?
These are not future questions. They are security fundamentals that determine whether an organisation is exposed today.
As Roddy Wilson, CISO at Serbus, puts it: “If it’s connected, it needs to be protected.”
That protection requires multiple layers. Encryption is one of them, but it is not the only one.
Why This Is a Board-Level Issue
Quantum risk is often presented as a technology challenge. It is a business risk. Boards remain accountable for protecting sensitive information, understanding long-term exposure and ensuring appropriate investment is made to reduce risk.
The boardroom discussion should not start with algorithms.
It should start with understanding which information the organisation cannot afford to lose, expose or compromise in the future.
The organisations best prepared for the post-quantum era will be those that understand:
- What data matters most
- How long it needs to remain protected
- Who has access to it
- How that access is governed
- Where accountability sits
The technology matters. But understanding what you’re protecting, and why, matters first.
Visibility, Control and Accountability
Threat actors range from nation states to organised criminal groups and opportunistic attackers. Their motivations vary, but the objective is often the same: access to valuable information.
The greatest exposure often comes not from encryption failures, but from gaps in visibility, governance and control:
- Unaudited machine identities
- Legacy accounts that retain access
- Poor visibility of sensitive data flows
- Unclear ownership of encryption keys and metadata
These are the issues organisations should be addressing today, regardless of where they are on their quantum journey.
Quantum computing will not create these weaknesses. It will expose them.