How can businesses address the looming risks of quantum computing?
Organisations must prepare to deal with emerging threats such as hack now, decrypt later attacks - or face dire consequences.
Companies of all industries and sizes, from M&S to Jaguar Land Rover, have experienced the shockwaves that a security breach can cause, impacting volumes of data and customer trust. And despite quantum computing not being mainstream just yet, threat actors are already stealing encrypted data with the plans to decrypt it later when quantum power becomes available. While regulated industries like finance, healthcare and defence are already acting on this, many others risk falling behind.
The era of quantum computing is now on our doorstep, meaning threat actors are already evolving their tactics so that they can reap the rewards from this new technology. Imagine your assets as a treasure chest, stored under lock and key; threat actors are attempting to steal the chest, knowing that later they will be able to work out how to unlock it at a later date. "Hack now, decrypt later” (HNDL) means that criminals are stealing encrypted data, knowing that they will be able to utilise quantum decryption tools. This approach means that even data that is protected by encryption codes is at risk.
This changes the threat landscape significantly. The current average recovery time from a cyber incident is 7.34 months, however with HNDL, businesses could feel the ramifications for months, if not years, to come.
As quantum computing becomes more advanced, how can you truly future-proof sensitive data?
Data at rest is data at risk
It is estimated that by 2040, quantum computers will be able to decrypt widely used cryptographic algorithms. Known as ‘Q-Day’, this is when businesses will feel the full force of HNDL. Commonly used algorithms that protect data in today’s threat landscape will essentially be made redundant.
This is especially risky for data at rest, which constitutes the majority of a business’s data. Data at rest is information that is stored and parked in databases, waiting to be used. This ranges from employees' personal details to bank account information. With classical encryption methods, this data is left vulnerable to cyberattacks.
Businesses must act now to avoid the sudden effects of post-quantum decryption. Beginning to adopt post-quantum encryption techniques will support businesses to transition their data to more secure environments without scrambling for a complete overhaul of data security systems.
Each line of defence counts
The first step businesses must take is strengthening their front-line defence against cyber attackers, this is their employees. Committing to regular training to help staff to understand and recognise the threat landscape as it evolves, from spotting phishing emails to identifying abnormal activity, is crucial for businesses to respond effectively to breaches as and when they occur.
Businesses must also take proactive measures to secure their data. Using approved post-quantum encryption tools is a great foundation. Tools, such as AI, can monitor patterns and apply access controls to classified information that will also ensure they are compliant with global security regulations. AI solutions can also help organisations to manage and accelerate re-encryption of data and retrofit classically encrypted storage systems.
READ MORE: Countdown to Q-Day: How to prevent a quantum decryption disaster
While these measures are important, organisations cannot rely on encryption strategies alone. The shift to post-quantum security requires strengthening governance and risk management practices.
Businesses must evaluate which data is most sensitive, determine how long it needs to remain secure, and ensure that re-encryption efforts are aligned with broader security and regulatory requirements. This alignment is becoming increasingly important as policymakers push for stronger safeguards around sensitive data.
Regulation to reduce the risk
Internationally, authorities are legislating to ensure that the most valuable, private information is kept safe from evolving cyber threats. In 2024, more than 54% of organisations experienced a cyber-attack, with one in five of those businesses unable to recover their lost data.
To tackle growing cyber threats, the EU’s Network and Information Security Directive 2 (NIS2) came into force at the end of last year, outlining stringent risk management and response to mitigate the effects of growing cyber threats.
READ MORE: When will quantum computing have its "ChatGPT moment"?
Article 21 of NIS2, for example, emphasises the availability and reliability of critical data, supported by applying access controls and continuous measures to ensure data safety.
With the UK expected to unveil the Cyber Security and Resilience bill this year, it is clear that global institutions are taking proactive precautions to ensure that businesses are well equipped against the evolving threat landscape. Aligning with internationally adopted regulations means that businesses that adopt post-quantum encryption are better equipped to meet evolving requirements, and they can protect their data from becoming a sitting duck to attackers.
Playing the long game with data security
As the quantum era looms, every line of an organisation’s defence will play a critical role in ensuring that data stays safe from prying eyes. Businesses who play the long-game, future proofing their data with the advanced methods available today will be best prepared when Q-Day comes.
For industries where private information records are stored for decades, a data security plan that looks to the future will be especially critical. Quantum computing is coming. But post-quantum encryption has already arrived, and is ready to protect your data today, from being accessed tomorrow. Retrofitting data with advanced encryption methods and consistently training employees and systems against cyberthreats will best prepare businesses for the future.
Grant Caley is UKI Solutions Director at NetApp
