
Generative AI certainly has made waves, but quantum computing could be the most disruptive technological revolution since the Internet. Although still in development, its potential to dismantle current encryption standards with ease is prompting urgent conversations within the technological sphere.
The core concern surrounds the capabilities of a cryptanalytically relevant quantum computer (CRQC), which is a machine that can easily break traditional public key cryptography (PKC) algorithms. Thankfully, CRQCs are currently unavailable, but the development trajectory of quantum computing suggests these could emerge by 2037, if not five years earlier. Quantum computing has always been a bit of a moving target, seeming at once right around the corner and quite far off.
Quantum-safe encryption: what it is and why it matters
From a security standpoint, a huge concern is that most legacy encryption algorithms widely used today are not resistant to quantum attacks. That is why quantum-safe encryption, also known as post-quantum cryptography (PQC), has become a critical area of focus. These new methods are invaluable as they are designed to secure sensitive data, access, and communications in the age of quantum computing.
The good news is that the cybersecurity industry is actively working on quantum-safe encryption algorithms to mitigate these risks.
The quantum-safe algorithms that matter
The National Institute of Standards and Technology (NIST) has standardised three cryptographic algorithms that offer protection against quantum-enabled threats. These are intended to replace traditional public key models with quantum-resistant alternatives.
Each algorithm addresses a specific cryptographic need, from secure key exchanges to digital signature verification:
● ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism – formerly known as Kyber) enables two parties to securely exchange a shared secret key over a public channel, in a way that remains resistant to quantum attacks.
● ML-DSA (Module-Lattice-Based Digital Signature Algorithm – formerly known as CRYSTALS-Dilithium) provides a secure method to generate and verify digital signatures.
● SLH-DSA (Stateless Hash-Based Digital Signature Algorithm – formerly SPHINCS+) is a stateless, hash-based signature scheme that provides quantum-resistant digital signatures.
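As an added example (not code from the article, nor from Microsoft's SymCrypt), the following Go program runs the ML-KEM-768 exchange described above using the standard library's crypto/mlkem package (Go 1.24 or later is assumed) and also shows what a receiver sees when the ciphertext is corrupted in transit.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// Exchange runs one ML-KEM-768 key establishment. The receiver publishes only the
// encapsulation key; the sender returns only the ciphertext. Both ends end up with
// the same 32-byte secret, which itself never crosses the channel.
func Exchange() (receiverSecret, senderSecret, encapKey, ciphertext []byte, err error) {
	dk, err := mlkem.GenerateKey768() // receiver keeps dk private
	if err != nil {
		return
	}
	ek := dk.EncapsulationKey()
	encapKey = ek.Bytes()                       // sent to the sender over the public channel
	senderSecret, ciphertext = ek.Encapsulate() // sender derives secret and ciphertext
	receiverSecret, err = dk.Decapsulate(ciphertext)
	return
}

// TamperedExchange shows the failure mode to expect: ML-KEM uses implicit rejection,
// so a corrupted ciphertext does not return an error, it yields a different secret on
// the receiver side, and the subsequent authenticated handshake step fails instead.
func TamperedExchange() (match bool, err error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return false, err
	}
	senderSecret, ct := dk.EncapsulationKey().Encapsulate()
	ct[0] ^= 0x01 // constructed fault: a single bit flipped in transit
	receiverSecret, err := dk.Decapsulate(ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(senderSecret, receiverSecret), nil
}

func main() {
	r, s, ek, ct, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("encapsulation key %d bytes, ciphertext %d bytes, secrets match: %v\n", len(ek), len(ct), bytes.Equal(r, s))
	m, _ := TamperedExchange()
	fmt.Println("tampered ciphertext, secrets match:", m)
}
```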
Major platforms are adopting these algorithms. Microsoft, for example, has launched its Quantum Safe Programme and integrated these algorithms into its open-source cryptographic library, SymCrypt, which is used in Windows 10 & 11, Windows Server, and Azure. Microsoft 365 now supports ML-KEM, with ML-DSA and SLH-DSA support coming soon.
How to prepare your business against encryption attacks
So, what can businesses do to prepare for “Q-Day” – the day quantum computers become capable of breaking current encryption standards? First, organisations must identify where vulnerable cryptographic algorithms are currently in use across their systems. With this understanding, they can look for services and providers offering quantum-safe encryption solutions. These technologies will form the backbone of secure communication in the post-quantum era.
As recommended by NIST and other agencies, organisations should look to create a quantum-readiness roadmap, which includes:
● Forming a cross-functional team to evaluate the current quantum risks in different areas of the organisation.
● Prioritising systems that require immediate upgrades or future-proofing.
● Planning the integration of the PQC algorithms listed above.
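To make the first roadmap step concrete, here is an added Go example (not from the article) of a minimal cryptographic inventory: it parses a PEM certificate bundle with the standard library and flags every certificate whose public-key algorithm a CRQC would break. The certificate it inventories is constructed inside the program so it runs offline, and the subject name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row; QuantumVulnerable is true for every classical public-key algorithm.
type Finding struct{ Subject, Algorithm string; QuantumVulnerable bool }

// InventoryPEM walks a PEM bundle (as exported from a key or trust store), skips non-certificate
// blocks and flags RSA, ECDSA, Ed25519 and DSA as quantum-vulnerable, whatever the key size.
func InventoryPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // keys, CRLs and other blocks are not part of this inventory
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		alg := c.PublicKeyAlgorithm
		vuln := alg == x509.RSA || alg == x509.ECDSA || alg == x509.Ed25519 || alg == x509.DSA
		out = append(out, Finding{c.Subject.CommonName, alg.String(), vuln})
	}
	return out, nil
}

// SampleBundle is a constructed self-signed P-256 certificate so the example runs offline.
func SampleBundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vpn.example.internal"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	findings, _ := InventoryPEM(SampleBundle())
	fmt.Printf("%+v\n", findings) // each row: subject, algorithm, quantum-vulnerable flag
}
```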
For cloud-based systems, businesses should ask their service providers about their quantum-readiness plans, as an organisation using Microsoft’s services, for example, can do.
The threat of “harvest now, decrypt later”
However, preparing to use quantum-safe algorithms shouldn’t be the only concern for security leaders. They also need to consider how to prevent encrypted data from being stolen in the first place. Even without broad access to quantum computers, malicious actors are already stealing encrypted data, intending to decrypt it once quantum capabilities become widely accessible. Thankfully, there are simpler but robust prevention techniques organisations should rely on to reduce the risk of data being captured at all.
Reducing human error: a critical step in quantum-safe cybersecurity
Despite sophisticated cybersecurity technology, human error accounts for 95% of breaches. Social engineering attacks, which exploit trust, urgency, or fear, can easily grant an attacker access to systems. Employees who lack technical training are often the weakest link, but there are ways around this problem.
Security awareness training is the foundation. AI-powered training tools, such as phishing simulations, are another effective strategy. They help employees identify and respond to threats in real time, reinforcing good habits through experience. These initiatives create a proactive security culture, making every individual an active participant in the organisation’s cyber defences.
Incorporating Zero Trust principles in a cybersecurity strategy is another powerful approach to safeguard against breaches. Its principles require that all connections and requests be continuously verified, reducing the risk of impersonation or unauthorised access. Even a registered device on a familiar network should be treated with suspicion.
In addition, organisations should apply the principle of least privilege, granting users only the minimum level of access needed to perform their roles. The organisations that take the lead in adopting quantum-safe encryption (while equipping their people with the knowledge to spot and defend themselves against evolving threats) will not only be better protected but will also become the new standard of trust and security in the quantum age.
Now is the time to build before quantum disruption forces your organisation to rebuild under pressure and attack.