As the field of quantum computing reaches the early stages of widespread practical usage, cybersecurity specialists are warning the world that long-established encryption protocols will eventually be rendered crackable within mere seconds.
Some predict that the majority of traditionally encrypted data could be vulnerable within the next decade. Malicious actors are already exploring quantum-based hacks today. They may also be harvesting encrypted data now, with a view to decrypting it soon using quantum-driven decryption.
Preparing for the quantum threat
In the race to defend against Y2Q, businesses can and should start preparing now for these new, quantum-related risks by following some key steps.
- Start by identifying the organization’s level of ‘quantum awareness’ and evaluating its ‘crypto readiness’. Most organizations are quantum-unaware and have not started scoping out post-quantum threats, while quantum-aware organizations are taking steps to build familiarity with quantum computing developments and forecasts. Similarly, crypto-advancing organizations have begun identifying their critical data and use of cryptography, while crypto-agile organizations have already implemented processes and resources to replace their existing algorithms and protocols.
- Once this initial step has taken place, firms should evaluate the scale of the upcoming system migration by identifying the systems and encryption mechanisms to be addressed. It is important to create a systems inventory that identifies the locations containing sensitive data and lists all encryption mechanisms used by the systems that contain it.
- Bolster cryptography practices by centralizing management of keys and certificates, instilling standards for encryption mechanisms, and implementing change management for encryption solutions. To achieve this, firms should consider deploying encryption mechanisms based on data sensitivity — upgrading current IT systems so they can support secure encryption practices such as key rotation and distribution; automating processing to minimize manual interactions; and deprecating insecure protocols and security mechanisms throughout the system landscape.
- Develop a playbook to detail the steps needed to replace an encryption platform. It would be prudent to trial the playbook through a pilot or prototype to ensure the steps can be successfully executed, and to estimate the time required for its rollout.
- Modify systems to facilitate the upcoming work, separating data based on its sensitivity to help set priorities for remediation of encryption risks.
- Initiate organizational change management efforts to build a strong risk culture and risk-based mindset throughout the organization, underpinning objectives such as raising staff awareness and starting the dialogue with customers and third-party providers about quantum risk.
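The inventory and sensitivity-based prioritization steps above can be sketched in code. The following is an added example, not part of the original article: it classifies each inventoried encryption mechanism by its exposure to quantum attack and ranks systems for remediation. The mechanism naming format, the scoring weights and the sample inventory are assumptions made for illustration.

```python
# Added example: triage a cryptographic inventory for post-quantum migration.
# Mechanism naming, scoring weights and the inventory below are assumptions.

# Public-key families whose underlying problems Shor's algorithm solves.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
# Symmetric families; Grover's algorithm roughly halves effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}
IMPLIED_BITS = {"CHACHA20": 256}  # key size not spelled out in the name

def classify(mechanism):
    """Return 'replace', 'strengthen', 'ok' or 'review' for one mechanism name."""
    parts = mechanism.upper().split("-")
    family = parts[0]
    if family in SHOR_BROKEN:
        return "replace"
    if family in SYMMETRIC:
        bits = IMPLIED_BITS.get(family)
        if bits is None:  # read the key size from the name, e.g. AES-128-GCM
            sizes = [int(p) for p in parts[1:] if p.isdigit()]
            if not sizes:
                return "review"
            bits = sizes[0]
        return "ok" if bits >= 256 else "strengthen"
    return "review"  # unrecognised mechanism: needs a human decision

def prioritise(inventory):
    """Rank systems, highest remediation priority first."""
    rows = []
    for system in inventory:
        verdicts = {m: classify(m) for m in system["mechanisms"]}
        replace = sum(v == "replace" for v in verdicts.values())
        other = sum(v in ("strengthen", "review") for v in verdicts.values())
        # Assumed weighting: sensitivity scales the count of weak mechanisms.
        score = system["sensitivity"] * (2 * replace + other)
        rows.append((score, system["name"], verdicts))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory (sensitivity: 1 = public, 3 = highly sensitive).
INVENTORY = [
    {"name": "public-website", "sensitivity": 1, "mechanisms": ["X25519", "ECDSA-P256", "CHACHA20-POLY1305"]},
    {"name": "payments-gateway", "sensitivity": 3, "mechanisms": ["ECDHE-P256", "RSA-2048", "AES-128-GCM"]},
    {"name": "hr-archive", "sensitivity": 2, "mechanisms": ["RSA-4096", "AES-256-GCM"]},
    {"name": "legacy-batch", "sensitivity": 3, "mechanisms": ["AES-256-CBC", "FOO-CIPHER"]},
]

if __name__ == "__main__":
    for score, name, verdicts in prioritise(INVENTORY):
        print(f"{score:>3}  {name:<17} {verdicts}")
```

Mechanisms marked "review" are ones the script does not recognise; they stay in the ranking so that unknown cryptography is examined by a person rather than silently passed.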
Start planning now for any replacements of hardware, software, and processes using today’s public-key cryptography. Taking steps now will be the most expedient route to protection in future.
This article was originally published to CybersecAsia on November 22, 2022.