Two software developers holding laptop with coding interface walking towards desk and sitting down

How to protect your business from quantum cyber threats

Shield your data against the risks of quantum computing with data protection that provides benefits today and prepares you for tomorrow.

In brief

    • Preparing for post-quantum encryption is an investment in the future, and helps reduce risk, manage cost and provide for more effective data management today.
    • Quantum threats are not just a distant concern – hackers are targeting encrypted data today knowing that the technology to decrypt is coming soon.
    • CISOs have a critical role in aligning leadership behind the need for enhanced data protection as part of their company’s quantum computing conversations.

    It’s easy to downplay threats that seem far away in an uncertain future. It’s the reason that, as a storm approaches, residents of hurricane zones debate staying or evacuating their homes. And it’s this dynamic American corporations are currently facing as they weigh the transformational pros and concerning cons of quantum computing. For all its estimated benefits to organizations, people and the planet, quantum technology will also irrevocably change the face of cyber threats and the effectiveness of security tools, technologies and processes currently available to protect against them.

    Predictions indicate that the potential scale and pace of quantum-driven breaches would create significant risk for companies’ operations, data and supply chains. With increased exposure arising from everything from state-sponsored hacking to the sharing of data with third-party vendors, cloud-based applications, and remote working, a company’s systems will be increasingly more vulnerable to the risks of post-quantum cyber breaches. However, as companies face an ongoing influx of data and cybersecurity risks increase, it’s easy to understand why resources and budgets are focused on immediate and tactical needs rather than preparing for a strategic transition to stronger post-quantum encryption standards that are now just starting to be developed.

    The current impact of quantum

    According to the EY Quantum Readiness Survey 2022, 81% of the 500 C-suite executives surveyed believe quantum computing will be sufficiently mature to disrupt business by 2030. The National Institute of Standards and Technology (NIST) has recommended a quantum-resistant public key encryption algorithm, with more to follow, giving organizations time to transition to improved encryption standards before quantum computing evolves.

    This creates an opportunity for chief information security officers (CISOs) to enhance current data management processes that will strengthen data protection today as a stepping-stone to preparing for the protection protocols they will need in the future.

    How EY can help

    According to SandboxAQ, an artificial intelligence (AI) and encryption inventory and risk identification platform, harvest-now-decrypt-later (HNDL) attacks – where cybercriminals capture encrypted data now to decrypt when greater quantum computing power emerges – are on the rise. The current HNDL activity is a call to action for companies to increase the speed at which they take additional steps to prioritize data protection.

     

    An opportunity – and time – for CISOs to take the lead

     

    Aligning resources for a quantum initiative starts with senior leadership. Yet, since the expected impact of quantum can’t be clearly defined and there is a lack of coordinated government mandates, some leaders question to what degree this should be a current priority and how great the disruption will truly be. CISOs can frame the post-quantum cyber future not in terms of the scale of the problem, but in the immediate pragmatic steps that can be taken to enhance data management and security protocols to benefit their organization today and serve as the initial steps to prepare to transition to post-quantum encryption in the future.

     

    CISOs can take a leadership role as companies assess post-quantum computing impact and strategies – ensuring data management is on the agenda – and can help create a cross-functional steering group if one doesn’t exist. This will align the CISO, chief technology officer (CTO) and chief information officer (CIO) to not only plan enterprise-wide data management strategies that will reduce post-quantum risks, but also determine how to best resource next steps, whether internally or with external advisors knowledgeable about quantum cybersecurity.

     

    Strategic imperative: focus on data to protect for the future

     

    Forward-thinking organizations have started planning for quantum disruption, identifying critical steps  that will position them to capitalize on quantum benefits and reduce potential risks. While this process will include transitioning to quantum-resistant encryption algorithms as they become available, enhancements to data management and security are required in the short term. By assessing current protocols, creating a roadmap for a future state that will be “transition ready” and shifting data to more secure environments, companies can strengthen current protections and meet future threats with more appropriate processes and safeguards in place.

    Quantum isn’t a “what-if.” It’s a guaranteed event, and current protections will become ineffective against quantum threats in the known future. Organizations can do the advance work that enables more effective data management and strengthens data protections today, while laying the groundwork for a smoother transition to post-quantum encryption standards in the near future. Taking time to act now will better position businesses to strengthen their defenses against the quantum storm clouds gathering on the horizon.

    Summary 

    Organizations today remain focused on rising “traditional” cyber threats, but the prospect of quantum computing’s impact on cybersecurity efficacy will soon dramatically change their priorities. As quantum technologies progress and hackers prepare for greater computational abilities, every organization’s data is coming under greater threat. It’s time for CISOs to act now, before quantum capabilities become mainstream. Preparation today will help protect your organization now – and in a post-quantum future.

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.