Quantum computing uses quantum mechanics to find fast and complete answers to complex problems. According to Carrie Peter, Managing Director at Impression Signatures, “Although it sounds futuristic, quantum computing is advancing at a rapid rate – certainly faster than expected. Today, many countries are already in possession of their own quantum computers, with quantum computing even being available as a SaaS solution.”
As is the case with most technological developments, however, the opportunities offered by quantum computing are equalled by the threats this advanced computer science introduces. “The evolution of quantum computing puts the security of any data available in the digital space in jeopardy,” warns Carrie.
Breaking the barrier
IBM recently published an article about quantum computing, noting that “quantum technology will soon be able to solve complex problems that supercomputers can’t solve, or can’t solve fast enough.” But what if the problem it’s trying to solve, is breaking through security firewalls or encryptions?
“This poses a massive threat to encryption as a quantum computer could decrypt traditional encryption in a fraction of the time. While this surely won’t halt the evolution of the quantum computer, it does mean that security must be bolstered,” adds Carrie. Thankfully, global standards and security bodies have been hard at work developing and testing a new set of post-quantum encryption algorithms, with the first three standards being released on 13 August 2024.
Standards
In the USA, as published by the National Institute of Standards and Technology (NIST), these new standards include: the Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption; FIPS 204, intended as the primary standard for protecting digital signatures; and FIPS 205, also designed for digital signatures and employing the Sphincs+ algorithm.
In parallel, as standards and security measures are fortified against the threats of quantum computing, it is essential that organisations begin paying attention to post-quantum cryptography (PQC).
Coming to market
“Somewhat short-sightedly, many business leaders are countering the argument for PQC with the misguided belief that we are ‘years’ away from commercially available quantum computers,” says Carrie. “The reality is that these computers are already being miniaturised and will likely come to market much sooner than expected.”
Additionally, putting PQC measures in place now will protect data from nefarious strategies such as Store-Now Decrypt-Later (SNDL). “This cyber threat entails the storing of large amounts of encrypted data now, in an effort to decode and use it later, once quantum computers become more widely available.”
Digital lives
As HP puts it, “A sufficiently powerful quantum computer will break the cryptography we rely on in our digital lives. An attacker can intercept and store encrypted data today, and when quantum computers become feasible, the attacker could decrypt the stored data.”
Carrie motivates that companies need to start thinking about PQC now, because some devices (such as cars) that are being produced today will most certainly be on the road when quantum computing is proliferated. “In 2023, the US government already put out a mandate that companies must transition onto PQC as soon as possible. Now, with the release of the new standards it is critical to take the need to transition onto PQC seriously.”
Four Steps to Protecting Your Business
According to Forbes magazine “2025 could mark the arrival of ‘Q-Day’. This is a theoretical point in time when quantum computers become powerful enough to render many methods of encryption redundant with severe consequences for privacy and security.”
As this sector transforms, there are four essential steps to protecting businesses now, and well into the future:
Step 1: Create an Encryption Inventory
Think of this as a digital safety audit. As part of the audit, the IT team or provider creates and supplies a comprehensive list of all the places where the business uses encryption. Here it is essential that organisations review and revise how they store their customer data, their email systems, how financial transactions are processed, the management of cloud services, access to remote work tools, and website security certificates.
Step 2: Secure Unencrypted Data
For smaller business that don’t encrypt their data, the duty of protection remains their responsibility. Here organisations can take cost-effective, yet highly practical and impactful steps to securing their datasets.
To protect customer data stored on computers, free tools like VeraCrypt empower users to create encrypted containers for sensitive files, saving them in a digital safe. To secure email communication, services like ProtonMail offer free encrypted email accounts.
For password management tools like Bitwarden (free tier available) store passwords in an encrypted vault and can generate strong unique passwords. Lastly, to assist in encrypting mobile devices it is essential that businesses make use of the built in encryption freely available on both Android and iPhone devices – just turn it on in settings.
These are just some examples of how small enterprises can protect their data without a large capital outlay.
Step 3: Identify the Business’ Crown Jewels
Focus on what needs protection in the medium to long term. Pay close attention to: customer data that must be protected for years; trade secrets and intellectual property; financial records that need long-term storage; legal documents and contracts; healthcare records; and research and development information.
Which data would harm our business if exposed in five to 10 years? What information are we legally required to protect? Which systems contain our most sensitive customer data? These are key questions to ask.
Step 4: Stay Informed About Security Standards
Quantum computing adoption will follow standards. Schedule quarterly reviews with the business’ IT team or provider to consider the quantum progress and the relevant response, and include PQC updates in regular security meetings.
