Only 5% of Enterprises Have Implemented Quantum-Safe Encryption – Infosecurity Magazine

The majority of enterprises across the US, UK, and Australia have yet to adopt post-quantum cryptography (PQC), despite a widespread belief that quantum computing will soon undermine current encryption methods. A recent survey conducted by DigiCert revealed that only 5% of organizations have implemented quantum-safe encryption. In contrast, over half of the respondents expressed feeling “very prepared” (38%) or “extremely prepared” (19%) for the impending threats posed by cryptographically relevant quantum computers (CRQCs).

These advanced computing systems possess the capability to solve mathematical problems foundational to modern asymmetric encryption, potentially jeopardizing the security of various online activities, including emails, financial transactions, and VPN usage. Notably, 69% of the surveyed executives anticipate that these machines could be operational within five years.

Currently, the threat landscape is evolving, with Europol issuing alerts regarding “store now, decrypt later” (SNDL) attacks. In such scenarios, malicious actors capture substantial amounts of encrypted data with the intent of deciphering it once CRQCs become available.

Nonetheless, experts argue that expecting a breakthrough in five years may be overly optimistic. Ollie Whitehouse, Chief Technology Officer (CTO) of the National Cyber Security Centre (NCSC), has noted that migrating to PQC will be a transformation lasting a decade or more for organizations within the UK. Given the complexity of this challenge, larger enterprises operating in critical sectors are encouraged to begin planning their shift towards quantum-safe practices. A warning from British banking association UK Finance in 2023 underscored this necessity.

Whitehouse emphasized the magnitude of this transition, stating that it represents a complex initiative that may dwarf previous challenges, such as addressing the Millennium Bug.

To navigate this impending shift, Kevin Hilscher, a senior director at DigiCert, described the move to PQC as a pivotal moment for enterprise security. He urged organizations to commence their quantum readiness strategies, starting with crucial tasks such as asset discovery, risk evaluation, and establishing crypto-agility. According to Hilscher, the foundational work undertaken today will determine which organizations will maintain their resilience and trustworthiness in a future where quantum computing is prevalent.

To aid organizations in this transition to PQC, DigiCert offers four essential steps:

1. Conduct an inventory of cryptographic assets, including both certificates and algorithms. Organizations should categorize these assets by their criticality and identify those that require upgrades or replacements.
2. Prioritize replacing encryption algorithms that must be trusted over the long term, especially those used for trusted roots and for firmware on long-lived IoT devices.
3. Experiment with and implement PQC algorithms within the organization. Developers of cryptographic libraries and security software need to start incorporating these algorithms into their products without delay.
4. Achieve crypto-agility, which involves enhancing visibility into cryptographic assets and establishing efficient methods for deploying encryption technologies while being responsive to emerging security challenges.
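
Steps 1 and 2 can be turned into a first-pass triage over an asset inventory. The sketch below is an added example, not DigiCert's tooling: the record fields, role names, tier labels and the five-year horizon are assumptions chosen for illustration, and the inventory is constructed sample data.

```python
from datetime import date

# Public-key families that Shor's algorithm breaks on a CRQC.
VULNERABLE = ("RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519")
# NIST-standardized PQC (FIPS 203/204/205) plus AES-256.
QUANTUM_SAFE = ("ML-KEM", "ML-DSA", "SLH-DSA", "AES-256")
LONG_LIVED_ROLES = {"root-ca", "firmware-signing"}  # step 2 priorities (assumed role names)
HORIZON_YEARS = 5  # assumption: planning horizon, tune per organization
TIERS = ["replace-first", "schedule", "review", "ok"]  # hypothetical tier labels

def classify(algorithm):
    """Map an algorithm string to 'safe', 'vulnerable' or 'unknown'."""
    alg = algorithm.upper()
    if alg.startswith(QUANTUM_SAFE):
        return "safe"
    if alg.startswith(VULNERABLE):
        return "vulnerable"
    return "unknown"  # never assume an unrecognized algorithm is fine

def triage(asset, today):
    """Assign one asset to a migration tier."""
    kind = classify(asset["algorithm"])
    if kind == "safe":
        return "ok"
    if kind == "unknown":
        return "review"
    # Vulnerable: long-lived trust anchors and keys valid past the horizon go first.
    years_left = (asset["not_after"] - today).days / 365.25
    if asset["role"] in LONG_LIVED_ROLES or years_left > HORIZON_YEARS:
        return "replace-first"
    return "schedule"

def plan(inventory, today):
    """Return (tier, name) rows ordered by urgency, then name."""
    rows = [(triage(a, today), a["name"]) for a in inventory]
    return sorted(rows, key=lambda r: (TIERS.index(r[0]), r[1]))

# Constructed sample inventory (not real assets).
INVENTORY = [
    {"name": "corp-root-ca", "algorithm": "RSA-4096", "role": "root-ca", "not_after": date(2041, 1, 1)},
    {"name": "thermostat-fw-key", "algorithm": "ECDSA-P256", "role": "firmware-signing", "not_after": date(2027, 6, 1)},
    {"name": "www-tls-leaf", "algorithm": "ECDSA-P256", "role": "tls-leaf", "not_after": date(2026, 3, 1)},
    {"name": "vpn-gateway", "algorithm": "RSA-2048", "role": "vpn", "not_after": date(2032, 1, 1)},
    {"name": "pilot-signing", "algorithm": "ML-DSA-65", "role": "code-signing", "not_after": date(2030, 1, 1)},
    {"name": "legacy-hsm-key", "algorithm": "SM2", "role": "hsm", "not_after": date(2029, 1, 1)},
]

if __name__ == "__main__":
    for tier, name in plan(INVENTORY, date(2025, 6, 1)):
        print(f"{tier:14} {name}")
```

The firmware key lands in the first tier despite its short certificate lifetime because devices in the field keep trusting it, which is the point of step 2.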

As the quantum threat looms, organizations are advised to take these proactive steps to safeguard their data and infrastructure.