Post-Quantum Readiness in Risk Assessments | Quantum Xchange

April 11, 2025

Risk assessments are a cornerstone of any robust security strategy. They help identify, evaluate, and mitigate threats before they cause material impact to an organization. The threat landscape changes rapidly, and risk assessments need to adapt to account for emerging technologies and the threats that come with them. One of the most significant emerging threats is quantum computing, which has the potential to break current encryption, so organizations need to ensure their risk assessments include post-quantum readiness.

Understanding the Quantum Threat

Cryptographic algorithms such as RSA and ECC are foundational components that have been securing data, communications, and online transactions for the past few decades. They rely on highly complex mathematical problems to secure our day-to-day digital experiences. However, quantum computers can solve these particular problems exponentially faster than current (or classical) computers. This means they have the potential to break traditional encryption in hours if not minutes. Becoming quantum resistant will take time, which makes it imperative for organizations to begin preparing today.

Why Post-Quantum Readiness

Data Retention Requirements: Sensitive data such as government intelligence, financial records, Personally Identifiable Information (PII), and Personal Health Information (PHI) requires long-term availability and confidentiality. Nation-state and criminal actors have already created attack campaigns to capture encrypted data today and decrypt it once quantum computers become available to them. These are known as “harvest now, decrypt later” (HNDL) attacks.

Regulatory Compliance and Standards: Governments and regulatory bodies are preparing for the quantum threat. In August of 2024, the National Institute of Standards and Technology (NIST) released the first set of post-quantum cryptographic algorithms. Many countries are leveraging NIST to plan migrations. PCI DSS has been updated about every 2 years, so we can expect language around quantum resistance in the next update. The proposed updates to HIPAA include quantum computing threats as well.

Supply Chain and Competitive Advantage: In a hyperconnected world, organizations want to do business with other trusted organizations and will require them to demonstrate their security posture. Integrating post-quantum security measures now ensures continued trust from clients and partners while demonstrating forward-thinking leadership in cybersecurity.

Incorporating Post-Quantum Readiness into Risk Assessments

To effectively incorporate post-quantum readiness into risk assessments, organizations should:

Identify vulnerable systems: Evaluate where encryption is used and determine which systems would be most affected by quantum computing advancements.

Develop a migration plan: Transitioning to post-quantum cryptography (PQC) will take time. Organizations should create a phased strategy to become quantum safe.

Collaborate with industry leaders: Engage with cybersecurity communities, regulatory bodies, and experts to help you on your journey.

Gain Crypto-agility: Implement a change management platform to switch vulnerable keys as necessary without compromising your security or incurring downtime.
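
An added example (not Quantum Xchange's code or tooling) of the first two steps above: it classifies a constructed encryption inventory by algorithm family and ranks migration order, putting confidentiality uses whose data retention outlasts an assumed quantum horizon first, since those are the ones exposed to harvest now, decrypt later. The asset names, the `migration_years` and `horizon_years` planning inputs, and the status labels are assumptions.

```python
from dataclasses import dataclass

# Families the article names (RSA, ECC) plus, as an assumption, other schemes
# built on the same factoring / discrete-log problems.
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDSA", "ECDH", "DH", "DSA"}
# Algorithms in the NIST standards of August 2024 (FIPS 203, 204, 205).
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}
ORDER = {"migrate-first": 0, "migrate": 1, "needs-review": 2, "quantum-safe": 3}

@dataclass
class Asset:
    name: str
    algorithm: str        # e.g. "RSA-2048", "ECDH-P256", "ML-KEM-768"
    purpose: str          # "key-exchange", "encryption" or "signature"
    retention_years: int  # how long the protected data must stay confidential

def family(algorithm):
    """Map 'RSA-2048' -> 'RSA', 'ML-DSA-65' -> 'ML-DSA'; longest prefix wins."""
    upper = algorithm.upper()
    for fam in sorted(QUANTUM_VULNERABLE | PQC_STANDARDS, key=len, reverse=True):
        if upper.startswith(fam):
            return fam
    return "UNKNOWN"

def assess(asset, migration_years, horizon_years):
    fam = family(asset.algorithm)
    if fam in PQC_STANDARDS:
        return "quantum-safe"
    if fam not in QUANTUM_VULNERABLE:
        return "needs-review"  # symmetric, legacy or unrecognised: check by hand
    # Only confidentiality uses can be harvested today and decrypted later;
    # signatures are at risk once a capable quantum computer exists.
    confidentiality = asset.purpose in ("key-exchange", "encryption")
    exposed = asset.retention_years + migration_years > horizon_years
    return "migrate-first" if confidentiality and exposed else "migrate"

def rank(inventory, migration_years, horizon_years):
    rows = [(a, assess(a, migration_years, horizon_years)) for a in inventory]
    rows.sort(key=lambda r: (ORDER[r[1]], -r[0].retention_years))
    return [(a.name, status) for a, status in rows]

# Constructed sample inventory, not data from any real environment.
INVENTORY = [
    Asset("payments-api-tls", "RSA-2048", "key-exchange", 2),
    Asset("patient-records-vpn", "ECDH-P256", "key-exchange", 25),
    Asset("firmware-signing", "ECDSA-P384", "signature", 10),
    Asset("internal-chat", "ML-KEM-768", "key-exchange", 1),
    Asset("legacy-backup", "3DES", "encryption", 7),
]

if __name__ == "__main__":
    for name, status in rank(INVENTORY, migration_years=5, horizon_years=10):
        print(f"{status:14} {name}")
```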

Final Thoughts

Quantum computing represents a paradigm shift that cannot be ignored. By integrating post-quantum readiness into your cybersecurity frameworks now, organizations can safeguard their data, maintain compliance, and stay ahead of potential threats. The quantum future may not be here yet, but the time to prepare for it is now.  

We are here to help; you don’t have to do this alone. Quantum Xchange is recognized as a quantum-technology innovator and is committed to protecting the world’s data from advances in computing and sophisticated criminal actors. Contact one of our experts to help you on your journey.
