SME Cybersecurity: Quantum will not hit most UK SMEs first; but it will change encryption expectations. Learn PQC steps SMEs can take now.
SME cybersecurity: will quantum computing affect the majority of UK SMEs?
Quantum computing is moving from “research headline” to “security planning input”. For most UK SMEs, quantum will not be the thing that breaches you this year, but it will quietly change what “good encryption” means over the next few years, especially if you handle long-lived sensitive data or sell into larger supply chains. Here’s how it develops, how it gets executed in real systems, and what to do without turning it into a science project.
Quantum is not tomorrow’s ransomware; it is tomorrow’s broken trust model. Attackers do not need a quantum computer in your car park to make this your problem. They can steal encrypted data today and decrypt it later when quantum capability matures, a risk widely described as “harvest now, decrypt later”. If you store client contracts, HR records, legal files, or R&D that must remain confidential for years, this is an SME issue, not just a government one.
What “quantum” and “post-quantum cryptography” mean in plain English
Quantum computing uses quantum properties to solve certain maths problems far faster than classical computers. In cyber terms, the big concern is cryptography.
Public-key cryptography underpins secure websites (TLS), VPNs, software updates, and digital signatures. Some widely used public-key schemes could be weakened by a sufficiently capable quantum computer.
Post-quantum cryptography (PQC) means new cryptographic algorithms designed to resist attacks from both classical and quantum computers. The goal is continuity: the internet still works, but with quantum-resistant maths under the bonnet. NIST has already finalised its first PQC standards, which is a clear signal that migration is no longer hypothetical.
Where quantum risk shows up for UK small businesses
For most SMEs, the near-term exposure is indirect and operational:
* Your cloud and software suppliers will change cryptography under you. Expect updates to VPNs, browsers, identity platforms, and certificate services. NCSC is already publishing practical “next steps” guidance for organisations preparing for PQC.
* Supply chain pressure will increase. Larger customers will ask what you are doing about quantum-safe encryption, particularly in regulated sectors and long-term contracts.
* Data you keep for years becomes the priority. If a breach today exposes encrypted archives, the encryption might not protect you forever. That matters for UK GDPR security measures because confidentiality is not a one-off checkbox. The ICO explicitly positions encryption as an example of an appropriate technical measure, with suitability depending on context and risk.
To keep this grounded: the typical SME still gets hit by phishing, credential theft, and misconfiguration. The UK Government’s Cyber Security Breaches Survey 2025 reports 43% of businesses experienced a breach or attack in the last 12 months. Fixing the basics remains the highest return.
