THE INVISIBLE BACKBONE OF EVERY BUSINESS
Every time a business sends an email, logs into a cloud platform, processes a payment, or connects through a VPN, cryptography is working quietly in the background, acting as a silent guardian of operations. For many SME owners, it goes unnoticed, yet this invisible layer of protection is now under increasing pressure. The algorithms that have protected digital communications for decades, such as RSA and ECC, are built on mathematical problems that classical computers struggle to solve, which is what has made them secure. However, quantum computers change that equation entirely, and they are no longer theoretical because they are actively being developed today.
EVERY DIGITAL ACTION DEPENDS ON ENCRYPTION
When viewed holistically, almost every aspect of a modern SME relies on encryption, from client communications and financial transactions to contracts and internal systems. If that encryption were to fail, the consequences would not unfold gradually but would instead be immediate and far-reaching.
THE ATTACK HAS ALREADY BEGUN
This is not a distant or hypothetical risk because it is already happening, and within the cybersecurity community it is known as Harvest Now, Decrypt Later (HNDL). Adversaries are collecting encrypted data today and storing it, waiting until quantum computers become powerful enough to decrypt it, which means data being transmitted now could already be archived and exposed in the future.
THE CLOCK IS TICKING
Current projections suggest that quantum computers capable of breaking today’s encryption could emerge between 2030 and 2035, which may appear distant, but when considering that a full transition to post-quantum cryptography can take several years, the timeline becomes significantly more urgent. The challenge is no longer whether organisations should act, but when they should begin.
POST-QUANTUM STANDARDS ARE ALREADY AVAILABLE
Solutions are already emerging, as demonstrated by the introduction of post-quantum cryptography standards such as ML-KEM, ML-DSA, and SLH-DSA. These algorithms are designed to remain secure against both classical and quantum attacks, meaning organisations can begin preparing now rather than waiting for the threat to fully materialise.
REGULATORY EXPECTATIONS ARE EVOLVING
In the UK, the National Cyber Security Centre has outlined a phased migration roadmap that includes planning by 2028, piloting between 2028 and 2031, and full adoption by 2035. For SMEs operating within regulated sectors such as finance, legal, healthcare, or insurance, these timelines are likely to influence procurement requirements and supply chain expectations. Organisations that cannot demonstrate readiness may find themselves excluded from opportunities.
SUPPLY CHAINS INTRODUCE HIDDEN RISK
Even organisations with strong internal security measures remain exposed through their supply chains, as they rely on cloud providers, software vendors, managed service providers, and SaaS platforms. Each of these dependencies relies on cryptography, and each represents a potential vulnerability. Many SMEs lack full visibility into the security posture of these third parties, which increases overall risk exposure.
WHAT ORGANISATIONS CAN CONTROL
There are several critical areas within an organisation’s direct control, including building a comprehensive inventory of where encryption is used, reducing long-term storage of sensitive encrypted data, ensuring timely updates to systems, actively managing certificates, and engaging vendors with the right questions around post-quantum readiness. While some responsibilities, such as algorithm replacement and infrastructure updates, sit with suppliers, organisations must still maintain oversight and accountability.
PRACTICAL FIRST STEPS
To begin addressing post-quantum risk, organisations can focus on high-impact, manageable actions such as identifying where cryptography is used, reviewing vendor roadmaps, reducing unnecessary data retention, maintaining up-to-date systems, and recognising cryptography as a core business risk rather than purely a technical concern. Early progress does not need to be complex, but it does need to be intentional.
THE COST OF DELAY
Although it may be tempting to postpone investment until quantum computing becomes more immediate, delaying action often results in higher costs and increased disruption. A planned, phased transition allows organisations to spread costs over time and align with existing technology refresh cycles, whereas a reactive approach compresses timelines and introduces operational and financial strain.
THE CHALLENGE OF DEFERRED RISK
One of the defining characteristics of the quantum threat is deferred risk, where data that has already been transmitted or stored may have been intercepted and could be decrypted in the future. This creates a unique exposure that extends beyond traditional cybersecurity considerations, requiring organisations to think not only about future protection but also about existing data risk.
A STRUCTURED PATH FORWARD
Rather than treating post-quantum cryptography as a single project, organisations can approach it as a phased journey that includes assessment, vendor engagement, pilot initiatives, alignment with standards, and gradual transition. This structured approach reduces complexity and enables steady, manageable progress.
HOW IZAK OOSTHUIZEN CAN HELP
Navigating the transition to post-quantum cryptography can be complex, particularly for SMEs without dedicated in-house expertise, which is where experienced guidance becomes invaluable. Izak Oosthuizen, founder of Zhero, brings over two decades of experience in IT and cybersecurity and works closely with organisations to translate emerging risks into clear, practical strategies. Through advisory, training, and strategic consultancy, Izak supports businesses in understanding their current cryptographic exposure, developing realistic and cost-effective roadmaps, aligning security initiatives with broader business objectives, and ensuring that investments are both targeted and efficient. His approach focuses on making cybersecurity accessible and actionable, helping SMEs move forward with confidence rather than uncertainty.
THE QUANTUM SHIFT IS ALREADY UNDERWAY
Post-quantum cryptography is no longer a distant or purely technical consideration, as it is rapidly becoming a core business priority shaped by regulatory expectations, supply chain requirements, and evolving threat landscapes. Organisations that begin preparing now will be better positioned to manage costs, maintain trust, and remain competitive, while those that delay may face increased pressure and risk. The transition is inevitable, and the advantage lies with those who act early.