Harvest now, decrypt later (HNDL) is an active cybersecurity threat
We’re living in a time when data isn’t just information, it’s strategy, value, and liability. The assumption that encrypted data is safe? That’s a temporary truth. The most significant threat you’re likely not preparing for is called “Harvest Now, Decrypt Later” or HNDL.
Here’s how it works. Hackers steal encrypted data today and store it. Right now, it may be unreadable. But once quantum computing, or other breakthrough tech, reaches maturity, that same encrypted data could be easily decoded. They don’t need to destroy networks. They don’t need to disrupt systems. They just need time, and patience. You won’t even know it happened until years down the line when long-forgotten communications, contracts, or trade secrets are suddenly exposed or weaponized.
Most businesses assume current encryption standards are bulletproof. They’re not. Encryption relies on the fact that certain problems take classical computers a long time to solve. Quantum computing changes that. The clock is ticking, and our current encryption won’t hold up forever.
This isn’t a theory. According to Whitfield Diffie, Turing Award winner and the person who helped invent public-key cryptography, HNDL has already been proven in real-world use. U.S. intelligence used this method after WWII to intercept and later decrypt Soviet communications. The same thinking is now applied by bad actors looking to expose commercial, political, and strategic data.
Executives need to shift how they think about data protection. The idea that encryption offers permanent safety is outdated. The threat has already started. You just won’t feel the damage until it’s too late to fix.
Highly sensitive, long-term data is vulnerable to future decryption
Not all data is equally valuable. Knowing what matters, and for how long, is where critical leverage exists. Long-term sensitive data is where the real risk lies. Think proprietary designs. Long-cycle research. Legal documents. Health records. Communications tied to leadership or regulatory action. Once leaked, you cannot take it back, and you can’t put that value back in the bottle.
The important piece here isn’t volume, it’s persistence. If data has value ten years from now, and it’s encrypted using today’s standards, you’re already exposed. For example, data like intellectual property, government communication, or confidential investor strategies remains sensitive for decades. So if it’s harvested now, it can absolutely be used later once decryption becomes trivial.
Dr. Raluca Ada Popa, who leads security research at Google DeepMind, was direct about this risk. She emphasized that many businesses mistakenly assume they can ignore the problem simply because quantum attacks haven’t materialized yet. That logic fails under scrutiny. Attackers don’t need to crack encryption today. They just need to store it and wait.
It’s also worth noting that the first targets of quantum-level attacks won’t be low-value data. The decryption process, at least initially, will be expensive. That makes targeted, sensitive information, like R&D roadmaps, confidential litigation, or wealth disclosures, priority number one.
For a C-suite leader, this isn’t an isolated IT concern. It’s a long-term strategic risk. The value of your confidential data multiplies in the hands of someone who knows how to use it, especially if they got it when you weren’t looking. The responsibility is clear: secure the data that truly matters, before it becomes leverage for someone else.
Indicators suggest HNDL is already evolving as data theft rises
The signs are already on the board. While quantum computers capable of large-scale decryption aren’t widely available yet, cybercriminals aren’t waiting. The first stage of HNDL, stealing encrypted data, is in full swing. That tells you everything you need to know about where this is heading.
In 2023, data compromises surged by 78%. That’s not normal growth, that’s acceleration. And here’s the part that matters for long-term strategy: 91% of ransomware attacks now involve data theft, not just system disruption. Hackers are moving from short-term disruption to long-term asset capture. Only about 57% of affected victims are even notified that their data has been stolen. The rest don’t know what’s missing, or for how long it’s been exposed.
The success of HNDL depends on this exact lack of visibility. Once the data is stolen, it just waits. There’s no explosion or alert. Then, when technology catches up, it becomes readable, and useful.
Dr. Michele Mosca, a quantum computing researcher from the University of Waterloo, estimated in 2015 that there was a 1 in 7 chance RSA-2048 encryption would be broken by 2026. His updated forecast: a 50% probability it could be broken by 2031. A decade ago, that number would have seemed speculative. Now, even basic quantum hardware is outperforming classical systems in specific tasks. The direction is clear.
For C-suite leaders, this should shift the conversation from hypothetical to operational. This threat is playing out in two phases. Phase one, data collection, is here. Phase two, decryption, is trending toward inevitability. Waiting is not a strategy. It’s a failure mode.
Transitioning to Post-Quantum Cryptography (PQC) is critical for future-proofing data security
There’s no long-term data protection strategy that holds without post-quantum cryptography. PQC is not a nice-to-have. It is now a necessary asset in defending value, business continuity, and trust.
NIST, the U.S. government’s standards body, has already selected and published new post-quantum encryption algorithms. These aren’t experimental; they’re designed specifically to resist attacks from both traditional and quantum computers. According to their guidance, current encryption methods that depend on asymmetric key systems should be phased out by 2030. That window is already narrowing.
Mark Horvath, who leads quantum cryptography strategy at Gartner, mapped this clearly: asymmetric cryptography will start to fail by 2029, and could be fully compromised by 2034. Organizations that haven’t transitioned by then will need to do it fast, which means higher cost, more risk, and larger operational disruption. If done proactively, the process is controlled, strategic, and budgeted. If delayed, it’s reactionary.
For leaders managing highly regulated environments, intellectual capital, or long-cycle innovation, PQC isn’t a technical detail, it’s a board-level issue. Regulators aren’t going to accept the excuse that “no one saw it coming.” The shift has already started. The tools are available. The talent is ready.
The choice now sits with leadership: act when you can control the terms, or be forced to act when you can’t.
Effective defense requires a proactive, phased transition strategy to PQC
If the objective is to protect your organization’s critical data for the next decade or more, a structured, phased approach to implementing post-quantum cryptography (PQC) isn’t optional. It’s the only way to manage risk at scale without unnecessary disruption.
This starts with education. The leadership team and core security staff need a clear understanding of what PQC is, where it fits in the security framework, and why now is the right time to act. You don’t need every employee to be an expert, but your policy, engineering, and compliance teams must be aligned on why this matters and how to execute a transition plan.
Next, map out where encryption is used across your organization. Most enterprises have outdated cryptography embedded in systems, devices, applications, and vendor integrations, some of it forgotten or undocumented. You can’t protect what you don’t track. Conducting a full audit builds the baseline.
You also need to understand the data you’re protecting. Focus on information that is valuable both now and in the future, especially intellectual property, legal documents, strategic plans, and customer data governed by long-term compliance regulations. That becomes your migration priority.
Then comes implementation. Select PQC algorithms standardized by NIST, test them internally, and start integrating them into new systems while phasing out legacy encryption. This is not a quick fix. It requires pilots, testing environments, and staged rollouts across business units.
Equally important, involve your external partners early. If your vendors or cloud providers are lagging in PQC readiness, your broader environment remains exposed. Collaboration here is part of your frontline defense.
This isn’t something you delegate fully to IT. It’s a cross-functional priority spanning cybersecurity, legal, compliance, infrastructure, and strategy. You need alignment on budget, pace, and technical feasibility. When done as a system-wide upgrade, the risk drops sharply, and you retain control over the path forward.
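As an added example (not from the original article), the inventory and data-prioritization steps above can be expressed as a triage script: it flags quantum-vulnerable public-key algorithms and ranks key-exchange uses by how long the protected data stays sensitive past an assumed break year. System names, lifetimes and the 2025 "as of" year are constructed; the 2031 horizon is the forecast year quoted earlier and is only a parameter.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# NIST post-quantum standards: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
RANK = {"hndl-exposed": 0, "migrate": 1, "ok": 2}

@dataclass
class Asset:
    system: str            # hypothetical system name
    algorithm: str         # e.g. "RSA-2048", "ECDH-P256", "ML-KEM-768"
    use: str               # "key-exchange" or "signature"
    shelf_life_years: int  # how long the protected data must stay confidential

def family(algorithm):
    """Reduce 'RSA-2048' to 'RSA'; unknown names are returned unchanged."""
    name = algorithm.upper()
    for fam in QUANTUM_VULNERABLE | POST_QUANTUM:
        if name == fam or name.startswith(fam + "-"):
            return fam
    return name

def triage(assets, as_of_year, horizon_year):
    """Return (system, status, overhang_years) rows, most urgent first."""
    rows = []
    for a in assets:
        status, overhang = "ok", 0
        if family(a.algorithm) in QUANTUM_VULNERABLE:
            status = "migrate"  # vulnerable, but no stored ciphertext at risk
            # Years the data is still sensitive after the assumed break year.
            years = as_of_year + a.shelf_life_years - horizon_year
            if a.use == "key-exchange" and years > 0:
                status, overhang = "hndl-exposed", years
        rows.append((a.system, status, overhang))
    return sorted(rows, key=lambda r: (RANK[r[1]], -r[2]))

# Constructed sample inventory; system names and lifetimes are illustrative.
INVENTORY = [
    Asset("web-session-tls", "ECDH-P256", "key-exchange", 1),
    Asset("firmware-signing", "ECDSA-P256", "signature", 15),
    Asset("partner-api-pilot", "ML-KEM-768", "key-exchange", 10),
    Asset("legal-archive-vpn", "ECDH-P256", "key-exchange", 10),
    Asset("rd-design-vault", "RSA-2048", "key-exchange", 20),
]

if __name__ == "__main__":
    # 2025 is a constructed "today"; 2031 is the forecast year quoted in the article.
    for row in triage(INVENTORY, as_of_year=2025, horizon_year=2031):
        print(row)
```

Signature uses are marked "migrate" rather than "hndl-exposed" because a recorded signature cannot be decrypted later; the harvest risk applies to key exchange and encryption, where ciphertext captured today stays useful to an attacker.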
Delaying the transition to PQC incurs higher long-term costs and risks
Every leadership team faces resource constraints: money, time, infrastructure compatibility. But waiting to address quantum threats doesn’t save you anything long-term. It costs more.
Most legacy systems weren’t built with change in mind. Upgrading cryptography baked into hardware, firmware, or customized platforms is time-intensive and technically complex. Delaying only increases the urgency and expense when quantum attacks start translating into real-world breaches.
When the shift from classic to post-quantum encryption becomes urgent, say, post-2028, the migration won’t be optional. It will be fast, reactive, and expensive. That’s when prices go up, specialists get harder to secure, and projects take longer to implement. Introducing new cryptographic standards under pressure almost guarantees operational risk and higher failure rates.
Even beyond operational strain, think about the reputational damage. If long-sensitive data held by your organization suddenly shows up decrypted or misused, the trust cost is exponential. Regulatory consequences can follow quickly. The financial penalties tied to mishandling customer data, health records, or confidential negotiations will likely outweigh any prior cost avoidance.
Investing in a controlled shift to PQC now puts your organization ahead of the curve. It gives you room to budget effectively, test thoroughly, and train teams without disruption. This is a future-looking posture that decides not just how well you respond to risk, but whether you control the timing of that response.
Put simply, organizations that delay the transition will pay more for less flexibility. Those who act now will define the standard others follow.
Key executive takeaways
- HNDL is already happening: Bad actors are harvesting encrypted data today in anticipation of using quantum computing to break it later. Leaders should assume that long-game threats are in motion, even without visible breaches.
- Long-term sensitive data is the real risk: Data with extended strategic value (IP, legal, financial, or regulatory) must be prioritized for future-resistant protection. Executives should assess which assets remain valuable over time and ensure they are encrypted with post-quantum cryptography.
- Data theft trends support the HNDL threat: A 78% rise in breaches in 2023 and the surge in ransomware-linked data theft confirm the groundwork for HNDL is active now. Leadership teams must shift their view of data security from short-term to lifecycle-focused.
- PQC is now a strategic security requirement: NIST-endorsed post-quantum algorithms are available and ready for deployment. Future-proofing data protection requires early adoption, and leadership must embed PQC into security roadmaps now.
- PQC transition must be planned, phased, and cross-functional: Defending against quantum-era breaches demands detailed asset audits, team education, integration testing, and partner alignment. Leaders should fund and formalize a company-wide migration strategy.
- Delay increases long-term cost and breach impact: Migrating to PQC under pressure (post-breach or post-quantum breakthrough) compounds risk, expense, and operational disruption. Executives should act while timelines are flexible and implementation is controlled.