Right now, somewhere in the world, a threat actor may already have a copy of your encrypted data. They cannot read it yet. But they are waiting.
This is not a future problem. It is happening today. And if your business has not started thinking about quantum encryption, now is the time to start.
What Is the “Store Now, Decrypt Later” Threat?
You may have heard that encryption keeps your data safe. And for now, that is mostly true. When attackers steal encrypted data today, they usually cannot read it. The encryption standards most businesses use, such as RSA and elliptic curve cryptography (ECC), are extremely difficult to break with today’s computers.
To crack RSA-2048 encryption using a classical computer, it would take roughly 300 trillion years. That makes it practically unbreakable right now.
But quantum computers change the equation entirely.
A sufficiently powerful quantum computer running a mathematical approach called Shor’s algorithm could break that same RSA-2048 encryption in hours or even minutes. That is the shift security experts around the world are concerned about.
Threat actors know this is coming. So many are playing a long game. They break into systems, steal encrypted data, and store it. They cannot decrypt it today. But when powerful quantum computers become more widely available, they will be able to unlock everything they collected.
Security researchers call this “store now, decrypt later,” also referred to as HNDL: harvest now, decrypt later. The US Cybersecurity and Infrastructure Security Agency (CISA) has already flagged this threat publicly.
The data stolen from your business years ago could be fully readable within the next several years.
What Encryption Is Actually at Risk?
It is worth understanding this clearly, because not all encryption is equally vulnerable.
The most at-risk encryption types are asymmetric algorithms, such as RSA and ECC. These are widely used for key exchange and digital signatures. They protect how encryption keys are passed between systems. A sufficiently powerful quantum computer could crack these using Shor’s algorithm.
Symmetric encryption like AES-256, which is used to encrypt the actual content of files, is more resistant to quantum attacks. That said, quantum computing can reduce its effective strength, which is why migrating to quantum-ready standards still matters across the board.
The practical issue is this: most encrypted data transmitted today relies on asymmetric encryption to securely exchange the symmetric keys used to protect it. If an attacker has captured that key exchange traffic in the past, a future quantum computer may be able to unlock the data it protected.
In plain terms, the padlock on your data is only as strong as the key exchange that secured it when it was sent.
The Timeline Is Closer Than You Think
The window is shrinking faster than most people realise.
In 2019, researchers estimated it would take around 20 million physical quantum bits (qubits) to break widely used encryption. By early 2026, some researchers suggest that number could be as low as 100,000 under certain conditions.
Google has set 2029 as its own internal deadline to complete its full migration to post-quantum cryptography across all of its products and systems. That is an important signal. Google is one of the world’s leading quantum computing researchers. When they accelerate their own timeline like that, other organisations should pay attention.
The US National Institute of Standards and Technology (NIST) finalised its first three post-quantum cryptographic standards in August 2024. US federal agencies have been directed to migrate by 2035. Private businesses are not mandated to act, but waiting until 2035 is a risk that most organisations cannot afford given how long data remains sensitive.
What This Could Mean for Your Business
Here is the scenario that concerns security professionals the most.
A threat actor broke into your systems a few years ago. They copied files, emails, contracts, client records, and financial documents. It was all encrypted, so they could not read it at the time. They stored it and waited.
Fast forward a few years. Quantum computing has matured. The attacker can now decrypt everything they took.
They send you a sample. A few paragraphs from a confidential contract. Maybe a screenshot from an internal email thread. Then comes the demand. Pay up, or they release everything.
This is not ransomware in the traditional sense. You cannot recover your files by paying a decryption fee. Your systems are still running fine. But your data is exposed, and there is nothing you can do to take it back.
If they publish that data on the dark web, your clients will be notified. Regulators may become involved. Your business could make the news. We have seen time and again how damaging data breach headlines are to customer trust and business reputation.
The time to act is before this happens, not after.
What Google Is Doing About It
Google has been one of the most proactive technology companies on this issue. It started rolling out post-quantum cryptography for its own internal communications back in 2022. In early 2026, Google moved its full migration deadline forward to 2029, citing faster-than-expected advances in quantum hardware, error correction, and factoring algorithms.
For businesses using Google Workspace, this matters directly.
Client-Side Encryption in Google Workspace
Google Workspace offers a feature called Client-Side Encryption (CSE). It is available on select Workspace plans and allows your organisation to hold its own encryption keys, completely separate from Google’s infrastructure.
Here is how it works in plain terms. Normally, Google holds the keys that encrypt your data in its systems. With CSE enabled, you hold those keys through a third-party key management service, such as Thales CipherTrust. Google cannot access your data. Neither can anyone who might compromise Google’s infrastructure.
When you pair CSE with a quantum-ready key management service, it can become part of a genuinely quantum-safe security posture for your Workspace environment. Thales and Google showcased a PQC-ready (post-quantum cryptography ready) Client-Side Encryption solution at Google Cloud Next 2025, positioning it as the only cloud productivity suite designed to protect data from quantum-based harvest-now-decrypt-later attacks.
If you are on a Google Workspace plan that supports Client-Side Encryption, this is worth investigating with a qualified specialist. Our Google Workspace security services can help you assess your current setup and identify what needs to change.
The Hidden Risk in Your Google Workspace Backups
Here is a vulnerability many businesses overlook entirely: their backups.
Many businesses back up their Google Workspace data to a third-party SaaS backup provider. The problem is that most of those providers are not quantum-safe today. If a threat actor compromises your backup provider and stores a copy of your encrypted backup data, they now have a potential goldmine sitting ready for future decryption.
Backup repositories are an attractive target precisely because they hold so much business data in one place. Threat actors are smart. They know that targeting a backup provider today could deliver an enormous payoff in the years ahead.
When choosing or reviewing your backup provider, look for two specific features that can help future-proof your data.
Bring Your Own Storage (BYOS): This lets you store backup data in your own cloud environment, such as AWS or Google Cloud. Both are actively implementing post-quantum encryption standards, putting them well ahead of smaller independent SaaS vendors on this issue.
Bring Your Own Key (BYOK): This allows you to manage your own encryption keys using a quantum-ready key management service. Options such as Thales CipherTrust and AWS KMS are building out post-quantum key management capabilities right now.
Backup Providers to Consider
Acronis Cyber Protect: Includes blockchain-based notarisation technology that verifies data integrity. This means a quantum-capable attacker cannot silently alter backup data without detection, adding an important layer of assurance even as encryption standards evolve.
Spin.ai (SpinBackup): A strong option due to its BYOS model. You can store backups directly in your own AWS, Azure, or GCP environment. This gives you direct control over the storage destination’s security roadmap and makes it much easier to adopt quantum-safe storage as the standards mature.
Afi.ai: A modern, high-speed backup platform that also supports BYOS. A good choice for businesses that want to tie their backups to a storage provider with a faster PQC adoption roadmap.
Legacy Providers to Review
Backupify (by Kaseya/Datto): Uses AES-256 at rest and TLS 1.2 in transit, stored in Datto’s own cloud. Reliable and well established, but with limited flexibility to move data to quantum-hardened storage destinations.
Spanning (by Kaseya): Enterprise-grade recovery with reliable encryption, but does not currently list PQC as a core feature or part of its roadmap.
Druva: SaaS-native with AWS-backed storage. Because AWS is actively rolling out post-quantum transport protocols, Druva may offer better in-transit protection than providers using older proprietary cloud infrastructure.
We strongly recommend reviewing your backup provider and asking them directly about their post-quantum roadmap. This is one of the most practical steps a business can take right now. Our team can help you work through this as part of a broader security assessment.
What Your Business Should Do Now
You do not need to be a technical expert to take meaningful steps forward. Here is where to start.
- Find out what encryption your business currently uses for data at rest and in transit
- Review your Google Workspace plan to check whether Client-Side Encryption is available
- Audit your backup provider and ask them directly about their PQC roadmap
- Consider whether Bring Your Own Storage and Bring Your Own Key are options you can enable
- Talk to a qualified security professional about your overall quantum risk exposure
The window to act without urgency is closing. Every year that passes means more encrypted data could already be in the hands of someone waiting to decrypt it. Getting ahead of this now is far less painful than managing the fallout of a breach later.
Start Building a Quantum-Ready Security Posture Today
Quantum encryption for business is not a niche topic reserved for large enterprises. Australian businesses of all sizes hold data that is worth protecting for years to come. Client records, financial data, contracts, and internal communications are all at risk from the store now, decrypt later threat.
The good news is that there are practical steps you can take right now, before quantum computing reaches the level needed to break today’s encryption standards.
Sentry Cyber helps Australian businesses reduce cyber risk with practical, real-world security services. Whether you need a full security assessment, guidance on your Google Workspace security posture, or ongoing strategic support through our CISO as a Service program, we can help you build a security strategy that accounts for both today’s threats and tomorrow’s.
Get in touch with the Sentry Cyber team to find out where your business stands.
10. FAQ
Q: What is quantum encryption for business and why does it matter? Quantum encryption refers to cryptographic methods that are resistant to attacks from quantum computers. It matters because the encryption standards most businesses use today, such as RSA and ECC, can be broken by a sufficiently powerful quantum computer. Businesses that do not migrate to quantum-safe encryption risk having their data exposed in the future.
Q: What is the “store now, decrypt later” attack? Store now, decrypt later (also called harvest now, decrypt later) is a strategy where attackers steal encrypted data today and store it, waiting until quantum computers are powerful enough to decrypt it. The data may be unreadable now, but could become fully accessible in the next several years as quantum technology advances.
Q: How soon could quantum computers break today’s encryption? The timeline is uncertain, but it is moving faster than expected. Google has set a 2029 internal deadline for its own post-quantum migration, citing rapid advances in quantum hardware and error correction. Some research suggests the number of qubits needed to break widely used encryption has dropped dramatically in recent years. Businesses with long-lived sensitive data should treat this as an urgent issue, not a distant one.
Q: Is Google Workspace safe from quantum threats? Google is actively migrating its systems to post-quantum cryptography with a 2029 deadline. For businesses, the most practical protective step within Workspace is enabling Client-Side Encryption (CSE) on eligible plans, paired with a quantum-ready key management service. This gives your organisation control over its own encryption keys, separate from Google’s infrastructure.
Q: Are third-party Google Workspace backup providers quantum safe? Most are not yet quantum safe, though some are moving faster than others. Providers that support Bring Your Own Storage (BYOS) and Bring Your Own Key (BYOK) offer the most flexibility to align with quantum-safe storage and key management services. Spin.ai and Afi.ai are worth considering. Legacy providers like Backupify, Spanning, and Druva use strong traditional encryption but have limited post-quantum flexibility compared to BYOS-capable platforms.
Q: What should Australian businesses do right now about quantum encryption? Start by auditing your current encryption standards and backup provider. Check whether your Google Workspace plan supports Client-Side Encryption. Ask your backup provider about their post-quantum roadmap. And speak with a security professional about your broader risk exposure. Sentry Cyber can help with a security assessment tailored to your business.