March 1, 2023
You already know that cybersecurity is crucial to protect your organization from a wide range of threats. However, with the rise of quantum computing, a new level of risk has emerged that must be addressed to maintain the security of your sensitive data. Recent reports in the security community have raised concerns that researchers may already be able to break a common type of cryptography on an existing quantum computer, which reiterates the seriousness of this risk - and how ill-prepared we are if such a report turns out to be true.
To help you prepare for this risk, one critical step you can take is to conduct a Quantum Risk Assessment (QRA). A QRA is a process that provides a comprehensive overview of your organization's risk landscape and informs decision-making on how to manage quantum risks. It involves a series of discussions between the QRA project lead and organizational experts in various domains within the project scope, but it does not require or involve direct interaction with the technical infrastructure or sensitive information.
During a QRA, the following topics are explored:
This area of discussion is intended to establish an understanding of the corporate environment in which business functions operate. It covers: a high-level view of the organizational structure; a definition of the business functions within scope; external business entities and their role relative to the organization; training and resources assigned to employees, specifically in the security and technology departments; a high-level description of the quantity and type of sensitive information; and an overview of the corporate decision-making process.
Technology architecture refers to the processes, systems, and networks that make up the infrastructure supporting the business function. This includes: system and network diagrams that give a high-level understanding of the internal and external delivery of information; inventory and lifecycle management for systems; critical technology and applications; any cloud or internet-based services with access to sensitive information, including applications, databases, document management systems, or other repositories; tools and processes that furnish employees with remote access to sensitive data; and systems, tools, and applications that rely on or furnish security capabilities, cryptographic keys, or cryptographic functions.
This area of discussion is broader in scope than the specific architecture and functions being analyzed. Here we review organizational policies, practices, training, and other factors that establish the framework governing all operations across the entire organization. This includes: policy and guidance documents relating to information management; processes for enforcing security; role definitions for any roles with privileged access to data; other recent risk assessments; the types of threat actors relevant to the organization; external organizations that may receive security reports; and the level of awareness of quantum technology.
By conducting a QRA, you can better understand the quantum risk landscape of your organization and make informed decisions on how to manage these risks. Additionally, the steps involved in a QRA are easy to include in regular business planning and should be considered as part of your overall cybersecurity hygiene.
It's essential to note that the potential for quantum computing to break encryption means that cybersecurity measures which rely on today's encryption may no longer be effective. This underscores the urgency to take action and prepare for the risks associated with quantum computing.
A Quantum Risk Assessment is a vital first step to take in managing quantum risks to your organization. The recent reports of quantum computing breakthroughs only highlight the seriousness of this risk and the need for action. By conducting a QRA, you can better prepare your organization for the challenges that quantum computing presents and maintain the security of your sensitive data.