Tackling the uncertainty of post-quantum cryptography starts now
The lack of cryptographic standards that protect information against attacks by quantum computers is a threat. This means that risk assessment, planning and the implementation of mitigations must start now, and that the plan must be reviewed regularly in the coming years.
Today, crypto security is often transparent to the user, which makes services and devices easy to use. It also makes it difficult for organisations to know what kind of security measures actually protect their information.
While everyone is affected by the uncertainty about when a successful attack will become feasible, many organisations lack people with the technical skills needed to update the risk picture and implement mitigation measures. This includes a lack of crypto knowledge, of knowledge of the practical security limits of current crypto standards, and of knowledge of how cryptography is currently used in third-party products (including cloud solutions).
Currently, there are no standards in place that are expected to be resistant to quantum computers in 10-15 years.
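The first practical step the passage above calls for is a cryptographic inventory with a risk triage. The following Python is an added example, not code from the article or from PA Consulting, and every record in it is constructed. It classifies each asset by whether its algorithm is expected to be broken outright by a large quantum computer (public-key schemes) or only weakened (symmetric and hash primitives), and then applies Mosca's timing inequality: if the years the protection must hold plus the years needed to migrate exceed the years until a capable quantum computer may exist, the data is already exposed to "harvest now, decrypt later" collection. The 10-year horizon is an assumption taken from the pessimistic end of the article's 10-15 year window; the priority labels and the migration estimates are likewise assumptions.

```python
"""
Added example (not from the article): triage a cryptographic inventory for
quantum risk. Every asset record below is constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: the article quotes a 10-15 year window; plan on the short end.
TIME_TO_QUANTUM_YEARS = 10

# Public-key schemes whose security rests on factoring or discrete logs
# (broken by Shor's algorithm on a large enough quantum computer).
QUANTUM_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "DSA", "EDDSA"}
# Symmetric and hash primitives: only weakened (Grover); 256-bit keys suffice.
QUANTUM_WEAKENED = {"AES", "CHACHA20", "SHA2", "SHA3", "HMAC"}
# Candidate schemes already broken by classical attacks (the article names Rainbow).
WITHDRAWN = {"RAINBOW"}


@dataclass
class Asset:
    name: str
    algorithm: str         # e.g. "RSA", "ECDH", "AES"
    key_bits: int
    shelf_life_years: int  # how long secrecy (or signature validity) must hold
    migration_years: int   # estimated time to replace the scheme in this system


def classify_algorithm(alg: str, key_bits: int) -> str:
    """Map an algorithm name and key size to a quantum-risk class."""
    a = alg.upper()
    if a in WITHDRAWN:
        return "broken-classically"
    if a in QUANTUM_BROKEN:
        return "quantum-broken"
    if a in QUANTUM_WEAKENED:
        return "quantum-weakened" if key_bits < 256 else "quantum-adequate"
    return "unknown"


def harvest_now_exposed(asset: Asset, horizon: int = TIME_TO_QUANTUM_YEARS) -> bool:
    """Mosca's inequality: shelf life + migration time > time to quantum."""
    return asset.shelf_life_years + asset.migration_years > horizon


def triage(assets, horizon: int = TIME_TO_QUANTUM_YEARS):
    """Return {asset name: (risk class, migration priority)}."""
    result = {}
    for a in assets:
        cls = classify_algorithm(a.algorithm, a.key_bits)
        exposed = harvest_now_exposed(a, horizon)
        if cls == "broken-classically":
            prio = "immediate"          # no quantum computer needed
        elif cls == "quantum-broken" and exposed:
            prio = "high"               # data outlives the safe window
        elif cls in ("quantum-broken", "quantum-weakened"):
            prio = "medium"             # must move, but the clock is less tight
        elif cls == "unknown":
            prio = "investigate"        # typical for third-party / cloud products
        else:
            prio = "low"
        result[a.name] = (cls, prio)
    return result


# Constructed sample inventory (names, algorithms and lifetimes are invented).
SAMPLE_INVENTORY = [
    Asset("vehicle-firmware-signing", "ECDSA", 256, shelf_life_years=15, migration_years=4),
    Asset("web-tls-key-exchange", "ECDH", 256, shelf_life_years=1, migration_years=2),
    Asset("backup-encryption", "AES", 128, shelf_life_years=20, migration_years=1),
    Asset("archive-encryption", "AES", 256, shelf_life_years=20, migration_years=1),
    Asset("pilot-signature-scheme", "Rainbow", 0, shelf_life_years=2, migration_years=1),
    Asset("vendor-saas-token", "unknown", 0, shelf_life_years=1, migration_years=1),
]

if __name__ == "__main__":
    for name, (cls, prio) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:26s} {cls:18s} {prio}")
```

The two inputs that organisations most often lack are exactly the ones the triage depends on: the algorithm actually in use (especially inside third-party and cloud products, which land in the "investigate" bucket) and how long the protected data or signature must remain trustworthy. The long-lived firmware signing key ranks above the short-lived TLS exchange for that reason alone.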
Leaders’ next smart move: Quantum-safe capabilities
We already saw in 2022 that a newly proposed crypto standard (Rainbow) may be vulnerable to attacks from current computers. And in 2023 it happened again with another algorithm, CRYSTALS-Kyber.
The security of an algorithm rests on the fact that no one has found a way to break it within a reasonable time. Even though post-quantum crypto (PQC) standards are coming, one should expect them to need multiple iterations of implementations, as the developments of the past two years have shown.
An organisation should therefore expect it will take several rounds of work to improve security.
Executives and cybersecurity experts don't see the threat in the same way.
A coherent story is needed that shows the possible impact of the quantum computing threat on information security and thus on the organisation. Leaders need to know how long it takes to plan and transition an organisation to quantum-secure capabilities. It is crucial that the mitigation actions are flexible, as they will change over time.
Resilience is about the ability to prevent, respond to, recover and learn from disruptions. It should be a key priority for any business.
Citizens are worried
When citizens do not feel protected, their trust in markets is threatened and they become less inclined to buy goods or services. That creates numerous commercial risks for many organisations.
A new PA survey has shown that 84 per cent of people are more worried about the future (compared to 2-3 years ago). Citizens were already concerned about the issues of data protection and cyber risks, and new risks have taken centre stage: a steep rise in the cost of living, energy insecurity, political instability and war, climate change and rising social inequality.
Priority of high security level
Many sectors need to act now: defence, critical infrastructure, high-security companies and highly regulated business sectors, including manufacturers of long-lasting products such as cars.
If risk management is seen as a compliance issue and a cost, many organisations will focus on short-term commercial goals rather than strategic risks. This may mean that organisations lack the resources to update their current position, devise an action plan and – especially – to implement the plan.
New EU legislation, such as the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA), provides guidance. With regulatory risks changing and evolving faster, organisations may need to call on new services, such as advice or support to address cyber threats.
A pragmatic approach is therefore both alpha and omega. Every company must make a professional assessment of risk and ensure the implementation of an effective plan.