Post-quantum encryption and enterprise cryptographic migration

The Internet Fixed Its Quantum Problem. Your Enterprise Hasn’t.

The internet just quietly passed a milestone that most boards don’t know about.

Cloudflare, which routes more than 20% of all global web traffic, reports that over 60% of human-generated traffic on its network now uses post-quantum encryption. Not future. Not planned. Now.

No press conferences. No procurement cycles. No board approvals. Browser vendors and infrastructure providers just turned it on.

“Over 60% of human-generated traffic now uses post-quantum encryption. Not future. Not planned. Now.”

— Cloudflare Radar, March 2026

I want to break down what’s actually happening, why it matters, and what organisations should be doing about it. Because the short version is: the internet is protecting itself automatically. Your enterprise is not.

What’s post-quantum encryption and why should you care?

Every time you send an email, sign a contract electronically, or access your banking app, encryption protects that data. The encryption methods we’ve relied on for decades work because they’re based on mathematical problems that today’s computers simply cannot solve.

Quantum computers will be able to solve them. Not today. But the timeline is shortening, and the threat is already real.

The threat isn’t a quantum computer cracking your traffic in real time. It’s “harvest now, decrypt later.” Nation-state actors and sophisticated threat groups are recording encrypted traffic today, storing it, and waiting for quantum computers powerful enough to crack it.

A survey of 32 global quantum computing experts found a significant probability that the encryption most organisations rely on today (RSA-2048) will be breakable by the mid-2030s. Some respondents estimated a 5% chance within just 5 years.

— Global Risk Institute, Quantum Threat Timeline Report, 2024

This isn’t a theoretical exercise. If your organisation handles data that will still be sensitive in five to ten years, this is your problem today.

The internet already fixed its side of the problem.

In August 2024, international standards bodies finalised new encryption methods that quantum computers cannot break. Within months, the major infrastructure providers and browser vendors implemented them.

They used a hybrid approach: every connection now runs both the traditional encryption and the new quantum-resistant encryption simultaneously. If either one fails, the other still protects you. Belt and braces.

If you’re reading this on a modern browser, your connection to this page is probably already quantum-resistant. Chrome, Firefox, and Edge all support it. The padlock in your browser is doing more than it used to.

That’s the good news. Here’s the problem.

The 60% number is misleading.

That 60% covers traffic between browsers and websites — the part that browser vendors and infrastructure providers could upgrade by themselves, without asking anyone’s permission.

Here’s what it doesn’t cover:

  • Your internal corporate network traffic and VPNs
  • Data sitting encrypted in your databases
  • Legacy applications that were built with old encryption baked in
  • Your email encryption
  • Code signing and software integrity certificates
  • IoT devices, building systems, and operational technology
  • Your internal security certificates
  • Your entire supply chain’s encryption posture

For most enterprises, this is the vast majority of their encryption footprint. And almost none of it has been touched.

Why this is harder than it sounds.

Here’s the question I ask executive leadership: can you tell me everywhere your organisation uses encryption?

Almost none can. They don’t know which systems use which encryption methods, which security certificates expire when, which applications have old encryption hardcoded into them, or which third-party vendors are running outdated security protocols.

If you can’t find it, you can’t assess it. If you can’t assess it, you can’t migrate it. And this migration is not a software update you push on a Friday afternoon. It’s a multi-year program that touches every system that encrypts anything.

The US government understands the scale. The NSA requires all new national security system acquisitions to use quantum-resistant encryption by January 2027, with full compliance across most system types by 2033. That’s a seven-year migration window, and they started planning in 2022.

Most Australian organisations haven’t started the conversation.

What does this mean for your business?

Think about the data your organisation handles right now. Board papers. M&A strategy documents. Customer databases. Intellectual property. Financial records. Health data. Legal advice.

If any of that data was intercepted today and decrypted in seven years, what would the consequences be? Regulatory action? Competitive disadvantage? Litigation? Loss of customer trust?

That’s not a technology question. That’s a board-level risk question.

And while your competitors are starting to think about this, every month you wait is another month of sensitive data being transmitted with encryption that has an expiry date on it.

Three things your organisation should be doing now.

1. Commission a cryptographic inventory.

Not a theoretical risk assessment. An actual audit of where encryption exists in your environment. Every certificate, every key store, every system that encrypts data in transit or at rest. You need to know what you have before you can plan to change it. This is the foundation. Everything else depends on it.

2. Test whether your systems can adapt.

Can your systems swap to new encryption methods without rebuilding the application? In most organisations, the answer is no. Encryption was baked in during development and nobody planned for the day it would need to change. The organisations that will migrate fastest are the ones whose architecture was built to be flexible. If yours wasn’t, you need to know that now, not during the migration.

3. Start with what matters most.

Not everything needs to be migrated at the same time. What data, if harvested today and decrypted in seven years, would still cause damage? That’s your priority list. Board papers, intellectual property, medical records, financial data, national security material. Work backwards from consequence, not forward from technology.
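An added example, not part of the original article: one way to turn the three steps above into a first-pass triage, classifying each inventory entry by algorithm family and ranking it by harvest-now-decrypt-later exposure and ability to swap algorithms. The `Asset` record, the priority labels and their ordering are assumptions made for illustration, and the inventory is constructed sample data.

```python
import re
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
VULNERABLE = re.compile(r"rsa|ecdsa|ecdh|dsa|ed25519|x25519|secp\d+|ffdhe", re.I)
# Post-quantum algorithms standardised in August 2024 (ML-KEM, ML-DSA, SLH-DSA).
PQ = re.compile(r"ml-?kem|ml-?dsa|slh-?dsa", re.I)
# Symmetric ciphers and hashes, which Shor's algorithm does not break.
SYMMETRIC = re.compile(r"aes|chacha20|sha-?\d", re.I)
HORIZON_YEARS = 7  # the article's "decrypted in seven years" planning figure
ORDER = ["P1-rebuild", "P1-swap", "investigate", "P2-rebuild", "P2-swap", "ok"]

@dataclass
class Asset:                # hypothetical inventory record
    system: str
    algorithm: str          # string as found in a config, certificate or code
    use: str                # "key-exchange", "encryption" or "signature"
    secret_years: int       # how long the protected data stays sensitive
    agile: bool             # can the algorithm be swapped without a rebuild?

def classify(algorithm):
    if PQ.search(algorithm):  # a classical name left over means a hybrid
        return "hybrid" if VULNERABLE.search(PQ.sub("", algorithm)) else "pq"
    if VULNERABLE.search(algorithm):
        return "vulnerable"
    return "symmetric" if SYMMETRIC.search(algorithm) else "unknown"

def triage(a):
    kind = classify(a.algorithm)
    if kind == "unknown":
        return "investigate"  # cannot assess what has not been identified
    if kind != "vulnerable":
        return "ok"
    # Recorded ciphertext is exposed to harvest-now-decrypt-later; signatures
    # only become forgeable once a capable quantum computer exists.
    urgent = a.use != "signature" and a.secret_years >= HORIZON_YEARS
    return ("P1" if urgent else "P2") + ("-swap" if a.agile else "-rebuild")

def plan(assets):
    rows = [(triage(a), a.system, a.algorithm) for a in assets]
    return sorted(rows, key=lambda r: ORDER.index(r[0]))

INVENTORY = [  # constructed sample data, not from a real environment
    Asset("vpn-gateway", "ECDH secp384r1", "key-exchange", 10, False),
    Asset("public-web", "X25519MLKEM768", "key-exchange", 10, True),
    Asset("hr-database", "RSA-2048 key wrap", "encryption", 15, True),
    Asset("build-signing", "ecdsa-with-SHA256", "signature", 0, False),
    Asset("iot-firmware", "custom-cipher-v1", "encryption", 5, False),
    Asset("backup-store", "AES-256-GCM", "encryption", 20, True),
]
```

Calling `plan(INVENTORY)` returns the entries ordered from most to least urgent; anything the classifier cannot identify is surfaced as `investigate` rather than silently passed.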

The bottom line.

“The internet solved its own quantum problem because it could. A handful of infrastructure providers upgraded their systems and billions of connections became quantum-resistant overnight. Your enterprise doesn’t work that way.”

You have legacy systems, custom applications, embedded devices, supply chain dependencies, and regulatory requirements that don’t update themselves. This is a governance problem, not a technology problem. The new encryption standards exist. They’re finalised. The question is whether your organisation has started the work.

Because while 60% of web traffic is now protected, the data that actually matters to your business probably isn’t.