Nov 20 2024
Security

How Small Businesses Should Approach Cybersecurity in the Post-Quantum Era

Quantum computing can introduce challenges to the backbones of most modern cybersecurity protocols. Follow these steps to protect your business’ data.

Quantum computers have long been touted as the next step in technological and scientific evolution. As these models advance, however, they risk jeopardizing contemporary encryption protocols businesses use daily to protect their sensitive data. And that’s a threat no business can afford to ignore.

Thankfully, governments, businesses, and public and private institutions foresaw this threat and collectively worked to develop a solution: a set of encryption protocols resistant to quantum computers known as post-quantum cryptography.

PQC, The New Standard in Cryptography

Post-quantum cryptography (PQC) is composed of quantum-resistant algorithms created to protect contemporary computer systems from cybercriminals who may use quantum computers to commit cyberattacks.

Recently, the National Institute of Standards and Technology announced the release of the first three new quantum-resistant algorithms and urged agencies to start migrating to them immediately.

These new algorithms take the place of our modern algorithms, such as Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA), Diffie-Hellman, Elliptic Curve Cryptography (ECC), etc. And because of their underlying lattice- and hash-based cryptographic properties, the new algorithms are said to be resistant to post-quantum cyberattacks. Adopting these algorithms will reduce or eliminate many of the post-quantum threats cybercriminals pose to business IT systems.

The Three Biggest Post-Quantum Threats to Small Businesses

Cyberattacks on small businesses have been on the rise in recent years, and the results are devastating. It could take a small business 24 hours or longer to recover from a cyberattack and cost an average of $21,659.

IT leaders must be aware of the most common types of post-quantum cyberattacks that could impact small businesses.

  • Data compromise: Cybercriminals could compromise company data by gaining access to business plans, user credentials, employee records, bank statements, earnings reports, intellectual property, clients’ personal information and more.
  • Digital signature compromise: Because digital signatures rely on public key cryptography, a cybercriminal could forge digital signatures on sensitive organizational correspondence and documents such as emails, memorandums, paychecks, contracts, purchase orders, financial transactions, audit records, legal documents and more.
  • Harvest now, decrypt later: To the untrained professional, post-quantum cyberattacks may appear to be a tomorrow problem. However, post-quantum cyberattacks are in fact an urgent problem today because of a concept called harvest now, decrypt later. For example, if cybercriminals steal sensitive encrypted company data today, they could store the data until they acquire a quantum computer strong enough to decrypt it, even if that takes several years.

Take These Steps to Mitigate Quantum Risk

Mitigating quantum risk will not be a fast (or easy) process. It may take several years to put all the necessary physical, operational, administrative and technical measures in place. That’s precisely why businesses should start the PQC migration process without delay.

Below are four steps to get you started:

1. Get leadership on board

Let’s face it, very little can happen without leadership support. And whether you want to admit it or not, teams need leadership assistance and influence to be successful. Not only can leaders provide the funds, personnel and policies required to complete the migration, but they can set the company vision for the migration, get other departments involved and deal with any change management issues that arise. Having executive buy-in is crucial and will make the effort much easier.

2. Run a risk analysis and determine your network security posture

Before implementing PQC, IT leaders should identify the network’s strengths and weaknesses. One of the best ways to do this is by performing a risk analysis.

Typically, a formal risk analysis includes:

  • Identifying and prioritizing the risks
  • Analyzing the risks to determine their qualitative and quantitative impact on your business
  • Determining the best risk mitigation strategies to strengthen your network security posture

Other factors worth considering include:

  • The encryption algorithms your systems currently use (AES, RSA, ECC, hybrid, etc.) and their characteristics
  • The kinds of data stored on your systems and how you will prioritize them (by sensitivity and/or importance)
  • Where your data is located and stored (servers, hard drives, remote, cloud, etc.)
  • The amount of time and effort it will take to replace your current encryption algorithms with PQC algorithms (i.e., determining your “crypto agility”); IT leaders may also consider hybrid models that integrate both contemporary cryptography and PQC
  • The regulatory updates you must make once the migration is complete
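As an added worked example (not code from the article or from CDW), the following Python script shows one way to carry out the algorithm inventory and data prioritization described in this step, and to make the harvest-now-decrypt-later threat from the previous section concrete. It classifies each system’s algorithm as a quantum-vulnerable public-key scheme, a symmetric cipher, or a PQC/hybrid scheme, applies the test usually attributed to Michele Mosca (data is exposed today if the years it must stay secret plus your migration time exceed the years until a cryptographically relevant quantum computer exists), and ranks systems by data sensitivity. The 2035 horizon, the three-year migration estimate, the algorithm tables and the inventory records are constructed assumptions for illustration; replace them with your own estimates and your own systems.

```python
"""Crypto inventory triage for a PQC migration (added example, not from the article).

Each record describes one system: the algorithm protecting its data, what the
algorithm is used for, how sensitive the data is, and how many years it must
remain confidential. Each algorithm is classified by quantum exposure and the
"harvest now, decrypt later" test (Mosca's inequality) is applied:

    shelf_life + migration_time > years_until_quantum  ->  exposed today
"""
from dataclasses import dataclass
from datetime import date

# Assumptions for illustration (not figures from the article): the article places
# the threat in the mid-2030s and says migration may take several years.
QUANTUM_HORIZON_YEAR = 2035
MIGRATION_YEARS = 3

# Public-key schemes built on factoring or discrete logarithms fall to Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers are only weakened (Grover's algorithm); the question is key size.
SYMMETRIC_KEY_BITS = {"AES-128": 128, "AES-256": 256, "CHACHA20": 256}
# NIST PQC standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
PQC_SAFE = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128S"}


@dataclass
class Asset:
    name: str
    algorithm: str         # e.g. "RSA", "AES-256", or a hybrid "X25519+ML-KEM-768"
    purpose: str           # "key-exchange", "encryption" or "signature"
    sensitivity: int       # 1 (public) .. 5 (PII, trade secrets, financials)
    shelf_life_years: int  # how long the data must remain confidential


def _parts(algorithm: str) -> list:
    """Split a hybrid label like "X25519+ML-KEM-768" into normalized components."""
    return [p.strip().upper() for p in algorithm.split("+")]


def classify(algorithm: str) -> str:
    """Map an algorithm label to a quantum-exposure class.

    A hybrid counts as PQC: the combined secret stays secure as long as
    either component does.
    """
    parts = _parts(algorithm)
    if any(p in PQC_SAFE for p in parts):
        return "pqc"
    if all(p in SYMMETRIC_KEY_BITS for p in parts):
        return "symmetric"
    if any(p in QUANTUM_VULNERABLE for p in parts):
        return "quantum-vulnerable"
    return "unknown"


def harvest_now_exposed(asset: Asset, today_year: int) -> bool:
    """Mosca's test for harvest-now-decrypt-later risk.

    Only confidentiality uses of vulnerable public-key algorithms qualify: a
    recorded key exchange can be broken later, whereas forging a signature
    needs a working quantum computer at the time of the attack.
    """
    if classify(asset.algorithm) != "quantum-vulnerable" or asset.purpose == "signature":
        return False
    years_until_quantum = QUANTUM_HORIZON_YEAR - today_year
    return asset.shelf_life_years + MIGRATION_YEARS > years_until_quantum


def recommended_action(asset: Asset, today_year: int) -> str:
    cls = classify(asset.algorithm)
    if cls == "pqc":
        return "done"
    if cls == "symmetric":
        bits = min(SYMMETRIC_KEY_BITS[p] for p in _parts(asset.algorithm))
        return "review-key-size" if bits < 256 else "keep"
    if cls == "quantum-vulnerable":
        return "urgent" if harvest_now_exposed(asset, today_year) else "planned"
    return "investigate"


ACTION_WEIGHT = {"urgent": 3, "planned": 2, "investigate": 2,
                 "review-key-size": 1, "keep": 0, "done": 0}


def triage(assets, today_year=None):
    """Return (name, class, action, priority) rows, highest priority first."""
    today_year = today_year or date.today().year
    rows = []
    for a in assets:
        action = recommended_action(a, today_year)
        priority = a.sensitivity * ACTION_WEIGHT[action]
        rows.append((a.name, classify(a.algorithm), action, priority))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample inventory for a small business (not real systems).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "ECDH", "key-exchange", 5, 10),             # client PII in transit
    Asset("website-tls", "X25519+ML-KEM-768", "key-exchange", 3, 1),  # hybrid already in place
    Asset("code-signing", "RSA", "signature", 4, 5),
    Asset("backup-archive", "AES-256", "encryption", 5, 10),
    Asset("legacy-file-xfer", "AES-128", "encryption", 2, 1),
    Asset("payroll-email", "RSA", "encryption", 5, 7),
]

if __name__ == "__main__":
    for name, cls, action, score in triage(SAMPLE_INVENTORY, today_year=2024):
        print(f"{name:18} {cls:19} {action:16} priority={score}")
```

Run as-is, the script ranks the VPN gateway first: its ECDH key exchange protects client data that must stay secret for ten years, so a recording made today could still be valuable after the assumed horizon, even though the signature-only systems can wait for the planned migration. Symmetric entries are kept or flagged for a key-size review rather than scheduled for replacement, because the new NIST standards (ML-KEM, ML-DSA, SLH-DSA) cover key establishment and digital signatures. In practice the inventory would be populated from certificate scans, TLS and VPN configuration, and backup settings rather than typed in by hand.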

3. Calculate the cost of a PQC migration

Small businesses have tight budgets and must be targeted with their tech spending. So, calculate the PQC migration cost carefully. The greatest expense will be replacing and updating legacy systems that do not support PQC algorithms. Depending on the size and knowledge of the IT department, you may also include costs for hiring a PQC consultant, training IT employees or even hiring new IT employees. Remember, PQC is new, and you may not have a solid idea of the total cost until you become familiar with the intricacies of PQC migration, so take it one step at a time.

4. Establish a governance committee

A governance committee, typically made up of leaders and experts from various departments, can guide the migration process to the finish line. You will need an IT leader to serve as the committee’s CTO. That person will set the agenda for the migration process and make sure all the departments meet agreed-upon deadlines. You don’t need a large business to establish a governance committee; it only takes a few leaders to be successful.

Don’t Wait to Establish Defenses Against Quantum Computing

To date, quantum computers are not scalable enough to defeat modern encryption algorithms; however, the quantum community is steadily making progress. The current consensus is that the quantum threat won’t be fully realized until at least the mid-2030s. Between now and then, small businesses have an opportunity to reinforce their networks before post-quantum cyberattacks become a reality.

By migrating to PQC and following these cybersecurity practices, small businesses can withstand the threats of the post-quantum era.
