Security Briefing - May 2026

The Quantum Clock Just Moved

Two breakthroughs on a single day rewrote the encryption timeline. Here is what changed and what your business should do about it.

What Happened

On March 30, 2026, two research teams dropped results that caught the entire security industry off guard.

Google Quantum AI published a paper showing that ECC-256 encryption - the same kind protecting your banking, your email, and your VPN - could be broken with roughly 500,000 physical qubits in just 9 minutes. For context, Google's own 2022 estimate required 13 million qubits. That is a 96% reduction in four years.

Oratomic and Caltech demonstrated a version of Shor's algorithm that could work with as few as 10,000 qubits. At that count it would take about 3 years of continuous computation - not practical yet. But scale to 26,000 qubits and it drops to roughly 10 days.

AI accelerated both of these breakthroughs. The optimization techniques that drove these numbers down were themselves products of machine learning research.

Sources: Google Quantum AI (March 30, 2026); Oratomic/Caltech (March 30, 2026)

Harvest Now, Decrypt Later

This is the part most business owners miss.

Adversaries - nation-states, organized crime groups, competitive espionage operations - are already collecting encrypted data from networks, cloud services, and email traffic. They cannot read it today. They are storing it and waiting for quantum hardware to catch up.

If someone copied your encrypted files in 2024, and a capable quantum computer comes online in 2029, those files get opened retroactively. The breach already happened. You just do not know it yet.

This is called "harvest now, decrypt later." It means the window to protect sensitive data is not 2029. It is right now. Anything encrypted with today's standard algorithms and intercepted today is already at risk.

The Timeline

The industry shifted its deadlines within days of the March breakthroughs.

2022 Google estimates 13 million qubits needed to break ECC-256. Quantum threat treated as distant.
March 25, 2026 Google sets its own post-quantum cryptography (PQC) migration deadline for 2029.
March 30, 2026 Google Quantum AI and Oratomic/Caltech publish breakthroughs. Qubit requirements drop dramatically.
April 7, 2026 Cloudflare moves its post-quantum deadline from 2035 to 2029, calling the research "a real shock."
2029 New industry target for completing migration to quantum-resistant encryption.
2030 / 2035 NIST IR 8547: current encryption algorithms deprecated by 2030, fully disallowed by 2035.

Sources: Google (March 25, 2026); Cloudflare blog (April 7, 2026); NIST IR 8547

3 Things Your Business Should Do This Week

You do not need a quantum computer to prepare for one. These are practical steps any small or mid-size business can take right now.

  1. Audit your encryption exposure Know what you are protecting and how. What encryption does your email use? Your VPN? Your cloud storage? Your backups? If you cannot answer those questions, you cannot plan a migration. Start with an inventory.
  2. Lock down access controls today Quantum threats target encryption, not authentication. But weak passwords and missing two-factor authentication (2FA) make you vulnerable to threats that already exist. Deploy a password manager across your team. Turn on 2FA everywhere it is available. These steps protect you now and reduce your attack surface for the future.
  3. Start the conversation with your vendors Ask your cloud providers, email hosts, and software vendors: "What is your post-quantum migration plan?" If they do not have one, that tells you something. If they do, you need to understand the timeline and what it requires from you.

How We Can Help

GM Associates works with small and mid-size businesses to close security gaps before they become incidents. We do this work every day.

Ready to start? Call us or send an email.

716-462-5573

[email protected]