Over half of organizations believe that current datasets are already threatened by future advances in quantum computing, according to a new study by Deloitte.
In the survey of more than 400 cybersecurity professionals, 50.2% of respondents said their organization is at risk of ‘harvest now, decrypt later’ attacks, whereby cyber-criminals extract encrypted data in anticipation of the time quantum computers are able to break existing cryptographic algorithms.
This phenomenon is known as ‘Q Day,’ which experts believe will occur in the next 5-10 years. Without the development of quantum secure encryption, this could potentially leave all digital information vulnerable to threat actors.
Speaking in the Q3 2022 edition of Infosecurity Magazine, Joseph Carson, chief security scientist and advisory CISO at Delinea, explained: “Quantum computing exposes a serious risk to one of the most foundational building blocks of the security industry, and that is encryption since everything in the digital world that we encrypt with a private key today will be possible to decrypt with a quantum computer in the near future.”
Encouragingly, nearly half of respondents (45%) in the Deloitte survey expect their organization to complete assessments of potential post-quantum encryption vulnerabilities within the next 12 months, with an additional 16.2% predicting this process will be undertaken in the next two to five years.
However, many organizations appear to have a reactive attitude to adopting new methods of cryptography. Around a quarter (27.7%) believe advances in their organization’s quantum computing security risk will most likely follow regulatory pressure to adopt legislation or policies or demand from leadership. Others admitted it would take a cyber incident, such as exfiltration of sensitive data, to drive action in this area (11.7%) or client or shareholder demand (6.8%).
Colin Soutar, Ph.D., US quantum cyber readiness leader and Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP, commented: “It’s encouraging to see that so many of the organizations with quantum computing awareness are similarly aware of the security implications that the emerging technology presents. But, it’s important to note that ‘harvest now, decrypt later’ attacks are something all organizations – whether or not they’re considering leveraging quantum computing – stand to face in a post-quantum world.
“As quantum awareness grows within boardrooms, C-suites and security teams, we’re hopeful that organizations’ efforts to prepare for post-quantum cyber risk management will grow as well.”
Currently, work is ongoing to develop quantum-secure cryptography. The US Department of Commerce’s National Institute of Standards and Technology (NIST) is in the process of selecting the encryption algorithms to become part of its planned post-quantum cryptographic (PQC) standard.
During Infosecurity Magazine’s upcoming Online Summit – North America 2022, a panel will discuss how organizations can prepare for the post-quantum era.