Most businesses unprepared for post-quantum world, study finds
Over half of businesses (61%) are not and will not be prepared to address the security implications of post-quantum computing (PQC), according to a study by research company Ponemon Institute.
The biggest challenges are not having enough time, money or expertise to prepare, with only 30% of respondents allocating budget for PQC readiness.
According to the survey, taken from 1,426 IT and IT security practitioners in the US (605), EMEA (428) and Asia-Pacific (393) regions, time is of the essence.
Under half (41%) of business leaders expressed concern about having less than five years to prepare for the change.
Almost half of respondents also said that their organisations’ leadership is only somewhat aware or completely unaware of the security implications of quantum computing.
While quantum computing can solve problems too complex for classical computers, it can make cracking encryption much easier, posing an enormous threat to data and user security.
The survey found that three quarters of businesses are concerned that advanced attackers could conduct “harvest now, decrypt later” attacks, in which they collect and store encrypted data with the goal of decrypting the data in the future.
But only 23% of respondents said they have a strategy for addressing these security implications.
Bigger enterprises, such as HSBC, BT and IBM, are currently trialling alternative ‘Q-safe’ methods of encryption.
Yet, as it stands, the majority of businesses remain in the dark about the characteristics and locations of their current cryptographic keys.
Around half (52%) of businesses are currently taking an inventory of the types of cryptographic keys used, and 39% are prioritising cryptographic assets.
So what can be done?
According to Ponemon, to secure information assets and the IT infrastructure, organisations need to improve their ability to effectively deploy cryptographic solutions and methods.
Most respondents said their organisations do not have a high ability to drive enterprise-wide best practices and policies, detect and respond to certificate/key misuse, handle algorithm remediation or breach, and prevent unplanned certificates.
Businesses also need to shift investment into hiring people with the right expertise – something they do recognise, the report claims. Over half of businesses (55%) have ranked hiring qualified personnel as the most important strategic priority for digital security.
This is followed by achieving crypto-agility (51%), which is the ability to efficiently update cryptographic algorithms, parameters, processes and technologies to better respond to new protocols, standards and security threats.
To be ready for post-quantum computing, businesses also need to have a strategy that includes backing by senior leadership, visibility into cryptographic keys and assets, and centralised crypto-management strategies that are applied consistently across the enterprise with accountability and ownership.
Resources are available to help organisations prepare for a safe post-quantum computing future, such as ANSI X9’s Quantum Risk Study Group and NIST’s post-quantum cryptography project. 60% of respondents are very knowledgeable about these groups.
The US and Chinese governments, along with various other groups such as the World Economic Forum, are also formulating standards to help mitigate threats from quantum computing.