Why Every Business Needs to Be Y2Q Ready

Key Takeaways:

• Y2Q readiness is not just a future cybersecurity issue. Sensitive data stolen today could potentially be decrypted later when quantum capabilities mature.

• Businesses should begin by finding where encryption is used across systems, vendors, applications, certificates, backups, cloud services, identity systems, and data flows.

• NIST has already released finalized post quantum cryptography standards, which means companies can begin planning practical migration steps now.

• Regulated industries may feel the pressure earlier, but every business that stores customer, employee, financial, health, legal, operational, or proprietary data has exposure.

• The practical goal is not panic. It is crypto visibility, vendor accountability, data governance, and a realistic transition roadmap.

Every business has a cybersecurity problem it probably has not fully mapped yet.

It is not ransomware. It is not phishing. It is not a lost laptop. Those are still real problems, of course. But Y2Q, often used to describe the years leading up to a quantum computing environment capable of breaking widely used encryption, creates a different kind of risk. It is quieter. It sits under the surface. And for many companies, it is easy to postpone because the most serious impact may not show up tomorrow morning.

That is exactly why it matters now.

Today’s business systems depend heavily on encryption. It protects banking sessions, VPNs, email, file transfers, cloud applications, software updates, identity systems, payment workflows, employee records, medical information, contracts, and intellectual property. Most executives do not think about encryption unless something breaks. It is supposed to be invisible. That invisibility is useful, until the business needs to understand where encryption is being used, which algorithms are in place, which systems can be updated, and which vendors are ready for the next cryptographic era.

Here’s the thing. Y2Q readiness is not about predicting the exact date a powerful quantum computer becomes a practical threat. No one can give that date with certainty. It is about recognizing that cryptographic migration takes time. Large organizations often need years to inventory systems, understand dependencies, replace outdated technology, test new approaches, update procurement standards, and coordinate with vendors. Even smaller businesses may discover that their exposure is scattered across cloud platforms, SaaS tools, network devices, backups, remote access systems, and third party service providers.

NIST has already moved this from theory into planning territory. In August 2024, NIST released three finalized post quantum cryptography standards, FIPS 203, FIPS 204, and FIPS 205, covering general encryption and digital signatures. NIST also stated, “We encourage organizations to begin their transition to these standards immediately to ensure their data remains secure in the quantum era,” according to Dustin Moody, who leads NIST’s post quantum cryptography standardization project.

That does not mean every company must rip and replace systems overnight. In fact, that would be unrealistic and potentially risky. It means businesses should start the disciplined work of discovery.

The first step is understanding where sensitive data lives and how it is protected. That includes data in motion, data at rest, archived data, backups, customer files, employee records, contracts, source code, financial models, health records, legal documents, and confidential deal materials. A surprising amount of risk comes from old systems that nobody wants to touch because they still work. Those systems may be deeply embedded in billing, operations, manufacturing, customer support, or compliance workflows.

The second step is building a cryptographic inventory. That sounds technical, but the business logic is simple. You cannot protect what you cannot find. Which systems use public key encryption? Which certificates are active? Which VPNs, firewalls, authentication systems, databases, and applications rely on algorithms that may need to change? Which vendors have a quantum readiness roadmap? Which contracts require updates? Which systems are too old to support future standards?

This is where many businesses will run into a familiar problem. Their technology environment grew over time, not from a clean master plan. Some systems were inherited through acquisitions. Some were installed by former employees. Some were added quickly during remote work transitions. Some are managed by vendors. Some are business critical but poorly documented. Y2Q readiness forces a useful conversation that companies should probably be having anyway: do we really understand our technology dependencies?

The concern is not only future decryption. It is also “harvest now, decrypt later.” IBM describes this as an active risk in which cybercriminals collect encrypted data today with the goal of decrypting it later when a cryptographically relevant quantum computer is available. That matters for any data with a long shelf life. Think employee Social Security numbers, medical records, customer financial information, merger documents, legal files, trade secrets, source code, insurance records, government related information, and long term contracts.

For some businesses, the most urgent issue may be compliance. Financial services, healthcare, defense, government contractors, utilities, telecom providers, law firms, insurance companies, and companies supporting critical infrastructure may face earlier scrutiny from customers, auditors, regulators, cyber insurers, or enterprise procurement teams. But this is not limited to regulated sectors. A manufacturer with valuable designs, a software company with source code, a real estate firm with investor documents, or an MSP serving multiple clients may all hold data that could become more valuable if decrypted later.

CISA has warned critical infrastructure and government leaders to prepare for the transition to post quantum cryptography. Mona Harrington, then acting assistant director of CISA’s National Risk Management Center, said, “Critical infrastructure and government leaders must be proactive and begin preparing for the transition to post quantum cryptography now.”

That quote is aimed at critical infrastructure, but the lesson travels well. Waiting until the market panics is not a strategy. By then, vendors may be overloaded, legacy systems may be harder to replace, and rushed decisions may create operational issues.

Procurement also needs to change. Businesses should begin asking vendors direct questions. Do your products support NIST approved post quantum standards? What is your migration roadmap? Do you maintain a cryptographic bill of materials? How are you handling certificates, key exchange, digital signatures, firmware updates, APIs, and third party components? When will your products support hybrid or quantum resistant approaches? What should customers do today to avoid creating more cryptographic debt?

That last phrase matters. Cryptographic debt is what happens when companies keep buying or deploying systems that will need to be replaced or reworked later. It is similar to technical debt, except it touches trust, identity, confidentiality, and system integrity. IBM recommends updating procurement processes to focus on solutions and services that support post quantum cryptography to help prevent new cryptographic debt.

The practical roadmap does not need to be dramatic. Start with awareness. Assign ownership. Identify sensitive long life data. Inventory cryptography. Review vendors. Prioritize systems by business impact. Update procurement language. Test carefully. Build crypto agility into future systems so algorithms can be changed without redesigning everything. Then revisit the plan regularly as standards, vendor support, and regulatory expectations evolve.

For many businesses, Y2Q readiness will also overlap with AI readiness. Both require better data governance. Both require knowing who can access what. Both expose weak documentation, stale permissions, shadow systems, and vendor dependencies. A company preparing its data for AI adoption may already be doing some of the work needed for quantum readiness, especially around data classification, access controls, backups, monitoring, and vendor review.

No one should present Y2Q as a reason to panic. That is not helpful. But treating it as a far off science project is also risky. The standards are here. Government guidance is moving. Major technology vendors are building programs around it. Attackers may already be collecting data that could become vulnerable later.

Every business needs to be Y2Q ready because encryption is not just an IT issue. It is the trust layer underneath modern commerce. It protects customers, employees, partners, transactions, contracts, intellectual property, and operations. Businesses that start now can move carefully. Businesses that wait may be forced to move quickly.

That is usually when security gets expensive.

See also: Top 10 Steps to Become Y2Q Ready

If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 9-11, 2027 Fort Lauderdale, Florida.

Don’t forget the collocated MSP Expo – just for managed service providers!

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 9-11, 2027, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing


 

Loading
Share via
Copy link
Powered by Social Snap