Post-Quantum Encryption: Why MSPs Must Prepare Now 

One thing Grandma Tardanico knew how to do was keep a secret. Trust me, she would flaunt that she knew something you would love to hear, but it was never actually revealed thanks to her iron constitution and code of honor. Drove me crazy…but what if a single server could reveal all her secrets without her even getting a vote?  

Quantum computing will fundamentally change cybersecurity. While today’s encryption standards, which include RSA and Elliptic Curve Cryptography (ECC), remain secure against traditional computing, future quantum computers will eventually break many of the cryptographic protections organizations rely on every day. The reality for a modern CISO is that your organization and your clients will demand answers well before those answers are 100% baked, so trust, but verify please.  

The greatest concern is not necessarily when quantum computers become capable of doing this, but that threat actors may already be collecting encrypted data today with plans to decrypt it later. This “Harvest Now, Decrypt Later” strategy creates a long-term risk for organizations that store sensitive data with extended retention requirements. 

To address this challenge, the National Institute of Standards and Technology has developed new Post-Quantum Cryptography (PQC) standards designed to resist both classical and quantum attacks. As these standards become widely adopted, organizations will need to transition from traditional encryption methods to quantum-resistant alternatives. In other words, use quantum to fight quantum. We are once again and in a different way discussing the Skynet scenario from Terminator.  

For Managed Service Providers, this presents both a challenge and an opportunity. 

Most organizations do not have a complete inventory of where cryptography is used within their environment. Encryption is embedded throughout firewalls, VPNs, cloud platforms, identity systems, databases, applications, backups, and endpoint security tools. Before any migration can occur, businesses must first understand their actual dependencies. 

MSPs are uniquely positioned to help customers prepare by providing: 

• Cryptographic asset discovery and inventory 

• Quantum readiness assessments 

• Vendor and application compatibility reviews 

• Certificate and PKI modernization planning 

• Ongoing monitoring of post-quantum standards and vendor roadmaps 

I believe the transition will not happen overnight. For many years, organizations will operate hybrid environments containing both traditional and post-quantum encryption technologies. Managing compatibility, performance, certificate lifecycles, and vendor support will become increasingly important as adoption accelerates. 

Vendor readiness is another critical factor. Organizations should begin engaging with firewall, cloud, security, identity, and application providers to understand their post-quantum migration strategies. Waiting until standards become mandatory could result in haphazard upgrades, increased costs, and operational risk. 

Hopefully, large scale quantum attacks are still many years away. And seriously, what assets do we have that are going to be targeted first?  Corporations that inventory their cryptographic assets, evaluate vendor readiness, and develop migration roadmaps today will be far better positioned to adapt as the industry evolves. 

For MSPs, post-quantum cryptography is more than a future technology discussion. It represents an opportunity to provide strategic guidance, strengthen customer relationships, and help clients navigate one of the most significant cybersecurity transitions of the next decade…or months…or weeks. I voted for decades.  

I’d like to hear how other teams are thinking about post-quantum readiness. 

If cryptographic inventory, vendor readiness, or migration planning is on your radar, let’s continue the conversation.