Quantum Security for Small Business: What the Threat Actually Is and What to Do About It

If you run a small business and someone has told you that quantum computers will soon break your encryption, the natural question is: does this actually affect me, and what do I need to do about it? The honest answer is more nuanced than either "nothing to worry about" or "you need an immediate security overhaul." The threat is real. For most small businesses, the response is measured and manageable. Here is what the situation actually is.

Yes, it applies to you, but not the way you might think

Small businesses are not the primary targets for a direct quantum attack. State-level adversaries with access to a future quantum computer capable of breaking encryption (a "cryptographically relevant quantum computer", in the technical literature) will direct that capability at high-value targets first: government systems, defence contractors, large financial institutions, critical infrastructure. A local accountancy firm or independent medical practice is not on that list for direct targeting.

The indirect picture is different, however. The exposure runs through three channels. First, supply chain: if your business connects to larger enterprise or government systems via shared data interfaces, VPN, or B2B APIs, your cryptographic environment will eventually need to meet the standards those partners set. When large organisations migrate to post-quantum encryption, they will ask whether their suppliers have done the same. Second, your software and cloud providers are already migrating on your behalf. The encryption that protects your cloud storage, email, and SaaS tools is being updated by the providers who run those platforms. You will benefit from this without any direct action. Third, the data you hold today: if your business holds sensitive records whose confidentiality matters for more than a decade (patient files, legal documents, long-term financial records), those records could be collected now and decrypted later once a capable quantum computer exists. For most small businesses, this is a low risk. For some, it is worth assessing.

For the majority of small businesses, the practical message is: most of the migration happens upstream in your supply chain. The question is not whether you need to run a cryptographic migration programme yourself. It is whether your systems and suppliers are part of the migration pathway or sitting outside it.

What quantum computers actually threaten

Current encryption standards protect internet communications in two main layers. The key exchange layer (which establishes the secure connection) uses RSA or elliptic curve cryptography. The session encryption layer (which protects the actual data in transit) uses AES. Quantum computers specifically threaten the key exchange layer. They do not threaten AES encryption directly. AES-256, which most modern systems use for data at rest, remains adequate against quantum computers. The urgent migration is in public-key encryption and digital signatures, not in the encryption of the data itself.

A quantum computer capable of breaking RSA or elliptic curve cryptography does not yet exist. The most systematic expert assessment, the Global Risk Institute's 2024 Quantum Threat Timeline Report, surveyed quantum computing researchers on timing. The results suggest approximately 50% probability of such a computer existing by the mid-2030s. [ASSUMED, verify exact GRI 2024 probability figure and year range against the published report before publication.] The US government's own planning assumptions align with this: in September 2022 the National Security Agency announced that RSA and elliptic curve encryption must be fully retired from US national security systems by 2033.

In August and October 2024, the US National Institute of Standards and Technology published four final post-quantum encryption standards, completing an eight-year public evaluation process. These are now the target that software vendors, cloud providers, and enterprise security teams are migrating to. The standards exist. The migration is under way across the technology industry.

The "harvest now, decrypt later" concern applies specifically to long-lived sensitive data. A sophisticated state-level adversary can collect encrypted data today and store it, planning to decrypt it once a capable quantum computer exists. For most small businesses, this risk only matters if the data collected today needs to remain confidential for ten years or more. A retail transaction record from 2026 has no meaningful confidentiality value in 2036. A medical record, a legal file, or a proprietary research dataset might. The question is the data's confidentiality lifetime, not the business size.

What most small businesses do not need to worry about

Three major categories of encryption exposure are handled by your providers, not by you.

Cloud services. Microsoft 365, Google Workspace, AWS, Azure, Salesforce, and other major cloud providers are actively migrating their infrastructure to post-quantum encryption standards. Small business customers benefit from these migrations without taking any direct action. The encryption protecting your cloud-stored files and email will be upgraded by the provider. Your role is to verify that this is happening, not to carry out the migration yourself.

Payment processing. If your business takes card payments through a payment processor such as Stripe, Square, or a bank terminal, the cryptography protecting those transactions is managed by the processor and the card networks. PCI DSS v4.0, the payment card security standard that came into full enforcement in April 2024, requires organisations to monitor and adapt their cryptographic controls as the threat landscape evolves. [INFERRED: the specific applicability of PCI DSS v4.0 cryptographic monitoring requirements to the quantum threat is an inference from the standard's general language; PCI DSS v4.0 does not explicitly name post-quantum cryptography as of the knowledge cutoff for this article.] Payment processors are responsible for meeting this standard. You do not manage payment cryptography directly.

Website encryption. The padlock in your visitor's browser is managed by your web host or content delivery network. If your website runs through Cloudflare, AWS CloudFront, Google Cloud, Shopify, or similar, post-quantum encryption for web traffic is already being deployed at the infrastructure level. Cloudflare enabled post-quantum hybrid key exchange for traffic on its network from 2023 to 2024. Visitors to your website are being protected by these deployments without any change to your site configuration.

What small businesses should actually do

Four actions cover the realistic exposure for most small businesses. None of them requires a cryptographer or a specialist security project.

Ask your top three software or cloud providers for their post-quantum roadmap. The question is simple: "When will your platform support post-quantum encryption?" Any provider holding sensitive data on your behalf (HR records, legal documents, financial accounts, patient files) should have an answer. A provider with no answer is a risk item. Major cloud providers have published roadmaps; smaller vendors may not have. The act of asking is the first step in your supplier due diligence.

For businesses holding long-lived sensitive data: carry out a data classification review. Medical practices, law firms, accountancy firms, and financial advisers hold data with retention periods measured in years or decades. The review question is: what data do we hold, how long does it need to remain confidential, and does the system protecting it have a post-quantum migration path? This is a data management exercise, not a technical project. It does not require specialist cryptographic knowledge.

If you operate your own servers or VPN: plan for software updates. Most TLS libraries (OpenSSL, LibreSSL, wolfSSL) are adding post-quantum support. Most commercial VPN products have or will publish post-quantum migration roadmaps. For a self-managed small business system, the migration is primarily a matter of keeping software current and confirming that the updated versions include post-quantum support. It is not a full architecture replacement.
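For the "confirm that the updated versions include post-quantum support" step, here is an added shell check (not from this article or any vendor's documentation). It assumes OpenSSL 3.5 or later, which lists ML-KEM under `openssl list -kem-algorithms`, accepts the X25519MLKEM768 hybrid group, and has `s_client` print a "Negotiated TLS1.3 group:" line; the parsing helpers read that output from stdin so they can also be run over saved text.

```shell
#!/bin/sh
# Added example: does the local OpenSSL offer ML-KEM, and does a given
# server negotiate a post-quantum hybrid key exchange? Assumes OpenSSL 3.5+
# (ML-KEM in `openssl list -kem-algorithms`, X25519MLKEM768 group name,
# and "Negotiated TLS1.3 group: <name>" in s_client output).

# has_mlkem: read `openssl list -kem-algorithms` output on stdin; succeed if
# an ML-KEM variant (the FIPS 203 KEM behind the hybrid TLS groups) is listed.
has_mlkem() {
    grep -qi 'ML-KEM'
}

# negotiated_group: read s_client output on stdin and print the TLS 1.3 group
# actually negotiated, or "unknown" when no such line was reported.
negotiated_group() {
    group=$(sed -n 's/^Negotiated TLS1.3 group: *//p' | head -n 1)
    printf '%s\n' "${group:-unknown}"
}

# is_pq_hybrid: succeed when a group name is an ML-KEM hybrid such as
# X25519MLKEM768; classical-only groups such as X25519 or P-256 fail.
is_pq_hybrid() {
    case "$1" in
        *MLKEM*|*mlkem*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks run only if an openssl binary is present. The server probe also
# needs a host:port argument, e.g.  sh pqc-check.sh example.com:443
if command -v openssl >/dev/null 2>&1; then
    if openssl list -kem-algorithms 2>/dev/null | has_mlkem; then
        echo "local openssl: ML-KEM available ($(openssl version))"
    else
        echo "local openssl: no ML-KEM listed; update to a release with PQ support"
    fi
    if [ -n "${1:-}" ]; then
        # Offer the hybrid group first; an OpenSSL that rejects the group name
        # exits early, so "unknown" here also means "update the client first".
        g=$(openssl s_client -connect "$1" -groups X25519MLKEM768:X25519 \
                </dev/null 2>/dev/null | negotiated_group)
        if is_pq_hybrid "$g"; then
            echo "$1: post-quantum hybrid key exchange ($g)"
        else
            echo "$1: classical key exchange only ($g)"
        fi
    fi
fi
```

A result of "classical key exchange only" against your own server is the signal to check that server's TLS stack for a post-quantum update, since the browser-side and CDN-side deployments described above do not reach a self-hosted endpoint on their own.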

Review your cyber insurance policy's definition of appropriate encryption. Insurers are beginning to ask about post-quantum cryptography in cyber insurance renewals. The benchmark for what counts as "appropriate" encryption will shift over the next five years as post-quantum standards become the industry norm. Businesses that can demonstrate a migration plan and current software, even without having fully completed the transition, will be better positioned than those with no documented position at all.

Businesses holding personal data should note that data protection law requires appropriate security for that data, but the applicable instrument depends on where you operate. UK businesses are subject to UK GDPR (retained under the Data Protection Act 2018); EU businesses are subject to EU GDPR (Regulation (EU) 2016/679). Both instruments require under Article 5(1)(f) that personal data be processed with appropriate security, including "integrity and confidentiality." As post-quantum cryptography becomes the recognised technical baseline (a shift that NIST IR 8547, published in November 2024, and the "state of the art" standard shared across both instruments together suggest is already in progress [INFERRED: the "state of the art" connection between NIST IR 8547 and GDPR/UK GDPR Article 5(1)(f) is a legal-interpretive inference; it has not been tested in enforcement as of the knowledge cutoff for this article]), the standard of what counts as appropriate security will evolve. Businesses holding personal data with long retention requirements should factor this into their planning.

An honest framing of the risk timeline

This is a 10 to 15 year trajectory, not a 12-month emergency. The appropriate response for small businesses is awareness and preparation, not crisis-mode action. The businesses most exposed are those that take no action at all: those that ask no questions of their providers, do not assess their long-lived data exposure, and discover in 2030 that their systems are no longer considered adequate against industry security standards.

For most small businesses, post-quantum migration will happen through software updates and provider migrations rather than through any internal security project. The cost is primarily IT time for applying updates and asking the right questions of suppliers. It is not a capital project.

The post-quantum standards are published. The migration is under way at the infrastructure level. The question is whether your specific systems and suppliers are part of it.

Practical checklist for SMB owners

  • Ask each of your top cloud and software providers: "Do you have a post-quantum cryptography roadmap? When will your platform support it?"
  • If you hold medical, legal, or financial records: identify which systems protect that data and ask those providers the same question.
  • Keep your website hosting, TLS certificates, and cloud services current. Post-quantum migration will flow through standard software updates if your platforms are current.
  • If you operate your own mail server, file server, or VPN: check your server software's post-quantum update plan.
  • Review your cyber insurance policy wording on "appropriate encryption." The baseline will shift over the next five years.
  • If any of your enterprise or government clients ask about your cryptographic posture: have a simple answer ready. It can be: "We use managed cloud services whose providers are actively migrating to post-quantum standards."

Steven Vaile is Director at Quantum Security Defence.