Post-Quantum Cryptography: Why North Carolina Businesses Should Start Preparing Now

Quantum computing threatens to break today's encryption within a decade. Attackers are already harvesting encrypted data for future decryption. Learn the practical 4-phase PQC preparation roadmap for NC businesses.


A growing consensus among cybersecurity professionals, federal agencies, and standards bodies is sounding an alarm that most businesses have not yet heard: the encryption protecting your data today will be breakable by quantum computers within the next decade. Adversaries know this, and according to cybersecurity researchers, they are already acting on it through a strategy called "Harvest Now, Decrypt Later" (HNDL).

State-sponsored threat actors and sophisticated criminal organizations are systematically collecting encrypted data from businesses, government agencies, and critical infrastructure with the intention of decrypting it once quantum computing reaches sufficient capability.

Key takeaway: NIST finalized its first three post-quantum cryptographic standards (FIPS 203, 204, and 205) in 2024, signaling the quantum threat is serious enough for federal standardization now, years before quantum computers reach cryptographic relevance. Any data with a lifespan exceeding 10 years is at risk from harvest-now-decrypt-later attacks happening today.

Prepare your North Carolina business for the post-quantum transition. Preferred Data Corporation provides cybersecurity assessments and technology consulting for businesses across the Piedmont Triad and Research Triangle. BBB A+ rated since 1987. Call (336) 886-3282 or request a consultation.

Understanding the Threat

What Is Harvest Now, Decrypt Later?

HNDL is not a theoretical future attack. It is happening now. Adversaries intercept and store encrypted data, including network traffic, stored files, email communications, and database backups, with the knowledge that quantum computers will eventually be able to decrypt it.

The economics are straightforward:

  • Storage is cheap: Cloud storage costs pennies per gigabyte
  • Encrypted data is small: VPN traffic, email, and file transfers are easily captured and stored
  • The payoff is enormous: Trade secrets, financial records, client data, and intellectual property retain value for decades
  • There is no defense after capture: Once data is harvested, no future action by the victim can protect it

According to The Hacker News, "any data requiring long-term security, such as trade secrets or classified designs, is vulnerable because its lifespan will inevitably outlive its current encryption."

When Will Quantum Computers Break Current Encryption?

The timeline for when a quantum computer will crack RSA-2048 or ECC (Elliptic Curve Cryptography) is debated, but most credible estimates converge on 2030-2035:

  • NIST considered the threat serious enough to finalize PQC standards in 2024
  • NSA has been requiring quantum-resistant algorithms for national security systems since 2022
  • Google, IBM, and Microsoft are all investing billions in quantum computing research
  • China's quantum program is advancing rapidly with state-level funding

The critical insight is that data stolen today and stored for future decryption has zero protection against that eventuality, regardless of how strong the encryption was when applied.

What Encryption Is Affected?

Most encryption used by businesses today is based on mathematical problems that quantum computers can solve efficiently:

Algorithm        | Used For                                      | Quantum Vulnerable?
-----------------|-----------------------------------------------|-------------------------
RSA (2048, 4096) | SSL/TLS, email encryption, digital signatures | Yes
ECDSA / ECDH     | TLS 1.3, SSH, code signing                    | Yes
AES-128          | File encryption, disk encryption              | Weakened (needs AES-256)
AES-256          | File encryption, disk encryption              | Resistant
SHA-256          | Hashing, integrity checks                     | Weakened but usable

The asymmetric algorithms (RSA, ECC) used for key exchange and digital signatures are the most vulnerable. Symmetric algorithms remain resistant at sufficient key sizes: AES-256 holds up, while AES-128 should be moved to AES-256.

Why This Matters for North Carolina Businesses

Defense Contractors and CMMC

North Carolina's Piedmont Triad and Research Triangle are home to a significant concentration of manufacturers serving defense supply chains. These organizations face compounded risk:

  • CMMC (Cybersecurity Maturity Model Certification) requirements will increasingly incorporate PQC readiness as federal standards evolve
  • NIST 800-171 controls that currently mandate encryption will eventually require quantum-resistant algorithms
  • Controlled Unclassified Information (CUI) flowing between prime contractors and subcontractors is a prime HNDL target
  • Supply chain data is only as secure as its weakest link. A component supplier in High Point or Durham may be the entry point

Organizations that begin PQC planning now will be positioned for compliance when requirements formalize. Those that wait will face rushed, expensive migrations under regulatory pressure.

Learn about Preferred Data's CMMC compliance services

Manufacturing

NC manufacturers hold proprietary designs, production processes, and trade secrets that represent decades of competitive advantage. If this data is harvested today and decrypted in 2032:

  • Product designs and engineering specifications could be replicated by competitors or nation-state actors
  • Quality processes and manufacturing techniques that differentiate a company become public knowledge
  • Vendor pricing and supply chain arrangements expose competitive positioning
  • Customer lists and contract terms provide intelligence to competitors

For furniture manufacturers in High Point, precision manufacturers in the Triad, and biotech/pharma companies in the Triangle, proprietary data is the business. Its protection must outlast the quantum threat timeline.

Healthcare

Healthcare organizations in Winston-Salem, Charlotte, Raleigh-Durham, and the broader Piedmont region handle Protected Health Information (PHI) that must remain confidential for decades:

  • Patient medical records have no expiration on sensitivity
  • HIPAA requires "reasonable and appropriate" safeguards, which will evolve to include PQC
  • Research data at Triangle-area institutions represents years of investment

Financial records, legal documents, and client communications handled by professional services firms across NC contain information whose sensitivity persists well beyond any quantum computing timeline.

NIST Post-Quantum Standards: What You Need to Know

In 2024, NIST published three post-quantum cryptographic standards after an 8-year evaluation process:

FIPS 203 (ML-KEM): Module-Lattice-Based Key-Encapsulation Mechanism

  • Replaces RSA and ECDH for key exchange
  • Used in TLS, VPN, email encryption
  • Three security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024

FIPS 204 (ML-DSA): Module-Lattice-Based Digital Signature Algorithm

  • Replaces RSA and ECDSA for digital signatures
  • Used in code signing, document signing, authentication
  • Three security levels matching different risk profiles

FIPS 205 (SLH-DSA): Stateless Hash-Based Digital Signature Algorithm

  • Alternative signature scheme based on hash functions
  • More conservative mathematical assumptions
  • Larger signatures but well-understood security properties

These standards are the foundation for the global transition to quantum-resistant cryptography. Major vendors (Microsoft, Google, Cloudflare, AWS) are already incorporating them into products and services.

A Practical 4-Phase Roadmap for NC Businesses

Post-quantum cryptography migration does not require immediate replacement of every system. It requires planning and awareness now, with implementation phased over the next several years.

Phase 1: Inventory and Classify (Start Now)

Identify where encryption is used:

  • VPN connections (site-to-site, remote access)
  • Email encryption (TLS, S/MIME, PGP)
  • File and disk encryption (BitLocker, FileVault)
  • Database connections and at-rest encryption
  • Cloud service connections (Microsoft 365, Google Workspace, AWS)
  • Web applications (SSL/TLS certificates)
  • Code signing and software distribution
  • IoT and operational technology (OT) connections

Classify data by sensitivity and lifespan:

Data Category           | Typical Lifespan | HNDL Risk Level
------------------------|------------------|----------------
Trade secrets / IP      | 20+ years        | Critical
Patient health records  | Permanent        | Critical
Defense / CUI data      | 25+ years        | Critical
Financial records       | 7-10 years       | High
Client contracts        | 5-10 years       | High
Internal communications | 1-3 years        | Medium
Marketing materials     | < 1 year         | Low

Document your cryptographic dependencies:

  • Which vendors handle your encryption?
  • What algorithms do they use?
  • Do they have published PQC roadmaps?
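
The Phase 1 steps above can be turned into a ranked work list. The following is an added example, not code from this article or from Preferred Data: it reads a constructed inventory, classifies each algorithm using the table earlier on this page, and ranks systems by how many years their data would stay sensitive after current key exchange becomes breakable. The CSV columns, the sample rows and the exposure formula are assumptions; the planning years 2029 and 2030 come from the Phase 3 window and the early end of the 2030-2035 estimate.

```python
import csv, io, re

# Constructed sample inventory (not real data). lifespan_years = how long
# the data must stay confidential; "+" separates algorithms used together.
SAMPLE_INVENTORY = """\
system,algorithms,data,lifespan_years
site-to-site VPN,ECDH + AES-256,CUI drawings,25
backup archive,RSA-2048 + AES-128,patient records,50
customer portal TLS,ECDH + ML-KEM-768 + AES-256,client contracts,10
intranet chat,ECDH + AES-256,internal communications,2
file server disk,AES-256,trade secrets,20
"""

# Quantum status by algorithm family, following the article's table;
# ML-KEM / ML-DSA / SLH-DSA are the FIPS 203/204/205 algorithms.
STATUS_RULES = [
    (re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA", re.I), "pqc"),
    (re.compile(r"RSA|ECDSA|ECDH|ECC", re.I), "vulnerable"),
    (re.compile(r"AES-?128", re.I), "weakened"),
    (re.compile(r"AES-?256", re.I), "resistant"),
]

def classify(algorithm):
    for pattern, status in STATUS_RULES:
        if pattern.search(algorithm):
            return status
    return "unknown"  # unrecognised names go to manual review

def assess(row, migration_done=2029, crqc_year=2030):
    """Assumed planning inputs: traffic can be harvested until migration_done
    and becomes readable in crqc_year. A hybrid (classical + PQC) counts as
    protected because the PQC half still holds."""
    statuses = {classify(a.strip()) for a in row["algorithms"].split("+")}
    exposed = "vulnerable" in statuses and "pqc" not in statuses
    sensitive_until = migration_done + int(row["lifespan_years"])
    actions = []
    if exposed:
        actions.append("add hybrid or ML-KEM key exchange")
    if "weakened" in statuses:
        actions.append("raise AES-128 to AES-256")
    if "unknown" in statuses:
        actions.append("review manually")
    return {"system": row["system"], "actions": actions,
            "exposed_years": max(0, sensitive_until - crqc_year) if exposed else 0}

def migration_queue(text=SAMPLE_INVENTORY, **planning):
    rows = csv.DictReader(io.StringIO(text))
    return sorted((assess(r, **planning) for r in rows),
                  key=lambda r: r["exposed_years"], reverse=True)
```

Calling `migration_queue(crqc_year=2035)` reruns the ranking against the late end of the estimate, which shows which systems stay at the top of the list regardless of the timeline assumed.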

Phase 2: Assess Vendor Readiness (2026-2027)

Ask critical questions of your technology vendors:

  • Does your product support FIPS 203/204/205 algorithms?
  • What is your PQC migration timeline?
  • Can your product operate in hybrid mode (classical + PQC simultaneously)?
  • How will the transition affect performance and compatibility?

Major vendor PQC status (as of early 2026):

  • Microsoft: Investigating PQC for Windows, Azure, and M365. No firm migration timeline for enterprise customers yet
  • Google: Chrome has experimental PQC support for TLS. Google Cloud evaluating broader rollout
  • Cloudflare: Already offering PQC-enabled TLS connections on some services
  • AWS: AWS KMS supports post-quantum TLS for key exchange
  • Cisco/Fortinet: Firewall and VPN vendors evaluating PQC integration for future firmware

Evaluate your managed IT provider's PQC awareness. This is a differentiator. Providers planning for the transition will serve clients better than those who have not engaged with the topic.

Phase 3: Begin Migration (2027-2029)

Prioritize high-value, long-lifespan data for early migration:

  • VPN and site-to-site connections carrying sensitive data between locations
  • Backup encryption for data that must remain confidential for decades
  • Email encryption for communications containing trade secrets or CUI
  • Database encryption for customer records, financial data, and IP

Implement cryptographic agility where possible:

  • Configure systems to support both classical and PQC algorithms
  • This allows gradual migration without breaking interoperability
  • Test PQC algorithms in non-production environments first
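
A sketch of the hybrid-first negotiation this list describes, as an added example rather than any vendor's implementation. The group labels, the peer names and the `require_quantum_safe` policy flag are hypothetical; the point is that legacy peers keep working on low-sensitivity channels while channels carrying long-lifespan data refuse a classical-only result.

```python
# Hypothetical group labels; hybrid is listed first so capable peers get it.
SERVER_PREFERENCE = ["ECDH+ML-KEM-768", "ML-KEM-768", "ECDH"]
QUANTUM_SAFE = {"ECDH+ML-KEM-768", "ML-KEM-768"}

class NegotiationError(Exception):
    """No group satisfies both peers and the channel policy."""

def negotiate(client_offers, require_quantum_safe=False):
    """Return the first server-preferred group the client also offers.

    require_quantum_safe=True is the policy for channels carrying
    long-lifespan data: a classical-only peer is refused, not downgraded.
    """
    offered = set(client_offers)
    for group in SERVER_PREFERENCE:
        if group in offered and (group in QUANTUM_SAFE or not require_quantum_safe):
            return group
    raise NegotiationError("no acceptable group among %s" % sorted(offered))

def migration_report(peers, sensitive):
    """Map each peer to the negotiated group, or 'REFUSED'.

    peers: {name: [offered groups]}; sensitive: names whose channel
    carries long-lifespan data. Classical results are the remaining work.
    """
    report = {}
    for name, offers in peers.items():
        try:
            report[name] = negotiate(offers, require_quantum_safe=name in sensitive)
        except NegotiationError:
            report[name] = "REFUSED"
    return report

# Constructed peers: an updated branch, a legacy partner, a legacy CUI link.
PEERS = {
    "branch-vpn": ["ECDH", "ECDH+ML-KEM-768"],
    "partner-portal": ["ECDH"],
    "cui-transfer": ["ECDH"],
}
```

Running `migration_report(PEERS, {"cui-transfer"})` in a non-production environment gives a per-peer view of who already negotiates hybrid, who is still classical, and which sensitive links would break once the policy is enforced.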

Update key management practices:

  • PQC algorithms use larger key sizes (ML-KEM-768 public keys are ~1,184 bytes vs. 256 bytes for ECDH)
  • Key storage, distribution, and rotation processes may need updating
  • Hardware Security Modules (HSMs) will need firmware updates for PQC support

Phase 4: Validate and Maintain (Ongoing)

  • Test PQC implementations for compatibility, performance, and interoperability
  • Monitor NIST guidance for updates to standards and compliance requirements
  • Maintain a cryptographic inventory as a living document
  • Track vendor updates for PQC-capable firmware and software releases
  • Plan for regulatory changes as CMMC, HIPAA, and other frameworks incorporate PQC requirements

The Cost of Waiting

Every major security transition follows the same pattern. Organizations that plan early spend less and experience less disruption. Those that wait until mandates arrive scramble, pay premium rates, and accept higher risk during compressed timelines.

Historical examples:

  • SHA-1 to SHA-256 migration (2017): Organizations that planned had 2+ years of smooth transition. Those that waited faced emergency certificate replacements and browser warnings
  • TLS 1.0/1.1 deprecation (2020): Early adopters migrated seamlessly. Laggards had customer-facing outages when browsers dropped support
  • Windows Server 2012 R2 end of life (2023): Planned migrations cost a fraction of emergency replacements

The PQC transition will be larger and more complex than any of these. Every encrypted connection, certificate, key, and algorithm across your entire technology stack will eventually need updating.

Key takeaway: The businesses that start inventory and planning now will have a smooth, affordable transition over several years. The businesses that wait will face compressed timelines, vendor capacity constraints, and potential compliance gaps as federal requirements evolve faster than unprepared organizations can respond.

How Managed IT Services Help

For small and mid-sized businesses without dedicated security architects, PQC preparation is best handled through a managed IT partner that:

  • Understands the threat landscape and can translate it into business-relevant risk assessments
  • Maintains vendor relationships and tracks PQC readiness across your technology stack
  • Manages cryptographic inventories as part of ongoing security operations
  • Plans and executes migrations with minimal business disruption
  • Monitors compliance requirements across CMMC, HIPAA, NIST, and other frameworks

Learn about Preferred Data's cybersecurity consulting services

About Preferred Data Corporation

Preferred Data Corporation (PDC) is a managed IT and cybersecurity services provider headquartered in High Point, North Carolina, serving businesses across the Piedmont Triad and Research Triangle. With over 37 years of experience and deep expertise in compliance frameworks including CMMC, NIST 800-171, and HIPAA, PDC helps manufacturers, defense contractors, healthcare organizations, and growing businesses prepare for evolving cybersecurity challenges.


Frequently Asked Questions

Do I need to replace all my encryption right now?

No. PQC migration is a multi-year process. The immediate priority is inventory (know what encryption you use and where) and classification (identify which data has a lifespan exceeding the quantum threat timeline). Actual algorithm replacement will happen gradually as vendors release PQC-capable products.

Is quantum computing actually a real threat to my business?

Yes, but not in the way most people think. The threat is not that a quantum computer will attack your network tomorrow. The threat is that data stolen today, while encrypted with current algorithms, will be decryptable in the future. If your business has trade secrets, patient records, defense data, or other long-lived sensitive information, it is already a target for HNDL collection.

What is cryptographic agility and why does it matter?

Cryptographic agility means designing systems that can switch between encryption algorithms without major rearchitecture. This is important because the PQC landscape is still evolving, and you may need to update algorithms as standards mature. Systems built with agility in mind can adapt; rigid systems require expensive replacements.

Will PQC affect system performance?

PQC algorithms generally require more computational resources than current algorithms. Key sizes are larger, and some operations take longer. For most business applications (email, VPN, web), the impact will be negligible on modern hardware. For high-throughput applications or IoT devices with limited resources, testing is important.

My managed IT provider has never mentioned PQC. Should I be concerned?

This is a reasonable question to ask your provider. PQC awareness is becoming a differentiator among managed IT and cybersecurity firms. At minimum, your provider should be tracking vendor PQC roadmaps and planning for the transition. If they are not, it may indicate a broader gap in forward-looking security planning.

Does CMMC require post-quantum cryptography?

Not yet. Current CMMC requirements reference NIST 800-171, which mandates FIPS-validated encryption but does not yet specify PQC algorithms. However, as NIST PQC standards are adopted into federal requirements, CMMC will follow. Defense contractors who begin PQC planning now will have a compliance advantage.

