Recent reports of Chinese researchers successfully using quantum computers to crack widely used encryption methods have sent shockwaves through the cybersecurity community. While large enterprises may have more resources to address this emerging threat, small-to-medium businesses (SMBs) seem left wondering about the implications and how to protect themselves. Let’s break down this complex situation and explore key takeaways for SMB leaders.

Understanding the quantum threat

Quantum computers leverage the principles of quantum mechanics to perform certain calculations exponentially faster than classical digital computers that rely on binary representations of data. This includes the ability to potentially break widely used encryption methods like Rivest-Shamir-Adleman (RSA) encryption, which is used by web browsers, VPNs, email servers, and chips that form the backbone of much of our online infrastructure. Given that large enterprise migrations can take four to six years to complete and that migrating to post-quantum cryptographic (PQC) recommendations requires device manufacturers and component makers to upgrade ciphers on supported communications hardware and networking equipment—or replace them outright—it seems likely that this transition will take even longer. The day quantum computing cracks encryption, dubbed Q-Day, seems to me likely to happen this decade, but it’s also an event we’ll hear about after the fact, like the news circulating now about researchers claiming to have achieved the first 50-bit RSA integer decomposition, which is still far from the 2048-bit or 4096-bit RSA encryption commonly used for sensitive data today.

What happened?

Researchers at Shanghai University claim to have used a D-Wave quantum computer to successfully attack the Rivest-Shamir-Adleman (RSA) encryption method. They also suggest their approach could target the Advanced Encryption Standard (AES). While the full details and replication of these results are still pending, the implications are significant for businesses of all sizes that rely on these encryption methods for secure communications and data protection.

D-Wave quantum computers cost around $15M to purchase but can be rented as a cloud service for about $2,000 per hour. News reports have shared that the researchers’ findings show D-Wave’s quantum technology can efficiently target encryption systems that protect sensitive information globally. The Global Risk Institute, a Canadian organization that assesses the financial risk of potential world events, surveyed cryptography experts last year and found they believe quantum computers will be able to crack RSA-2048 encryption within 24 hours by mid-century. Others, including Apple, have similarly warned of this looming threat, which Apple is attempting to mitigate via its new PQ3 security protocol for iMessage to better protect customers’ data from being decrypted and exposed post-Q-Day (whenever it arrives).

How could this impact SMBs?

The potential for quantum computers to break current encryption methods poses several risks for SMBs:

  1. Data vulnerability: Sensitive business data, customer information, and communications protected by current encryption methods could become vulnerable.
  1. “Harvest now, decrypt later” attacks: Adversaries might collect encrypted data now, with plans to decrypt it once sufficiently powerful quantum computers become available.
  1. Supply chain risks: Even if an SMB doesn’t handle highly sensitive data directly, their business partners or customers might, making the SMB a potential weak link in the security chain.
  1. Compliance challenges: As encryption standards evolve to address quantum threats, SMBs may need to update their systems to maintain regulatory compliance.

What can SMBs learn from this?

While the quantum threat may seem distant, PQC preparedness involves a couple of concerns within the cybersecurity domain: data at rest and data in transit. Both rely heavily today on traditional encryption techniques that Q-Day will render useless against anyone with sufficient funds and access to the quantum computers needed to crack them. As a result, here is what I recommend:

  1. Understand your encryption usage: Know where and how your business uses encryption, including in communications, data storage, and third-party services.
  1. Catalog the sensitivity of data at rest and in transit throughout your system, reduce it where possible, and prioritize upgrading remaining data relying on lower-level encryption (e.g., 256-bit) to higher-level encryption (e.g., 2048-bit), especially for sensitive data that will need to remain secure for many years (that is, data with a long lifespan).
  1. Update your risk mitigation and incident response plans to include protocols to follow if, following Q-Day news, various categories of data are discovered after the fact to have been potentially compromised (decrypted).
  1. Design for crypto-agility where feasible: this enables devices and systems to quickly swap out cryptographic algorithms, allowing a more rapid migration to quantum-resistant alternatives as they become accessible.
  1. Follow basic cybersecurity best practices around key management (ensure cryptographic keys are properly generated, stored, and rotated periodically), authentication (implement multi-factor authentication and other identity verification methods to reduce sole reliance on encrypting vulnerable data), network segmentation (separate critical systems and data to limit the spread of potential breaches), and periodic security audits (continuously assess your overall security posture, as well as that of your third-party suppliers and vendors, to verify compliance with applicable laws, regulations, and best practices).
  1. Stay informed: Keep up with developments in post-quantum cryptography standards, like the National Institute of Standards and Technology’s ongoing efforts to standardize quantum-resistant algorithms.
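The inventory and crypto-agility recommendations above can be sketched together. The following is an added example, not part of the original article: each stored record names the algorithm that protects it, so taking inventory is a count and migration is a policy change rather than a rewrite of every caller. The algorithm ids and the `policy` object are hypothetical, and the two HMAC variants are stand-ins for a current and a replacement primitive, since Python's standard library ships no post-quantum algorithms.

```python
import hashlib
import hmac
import json

# Allow-list of algorithm ids. The two HMAC variants are stand-ins (assumption)
# for a "current" and a "replacement" primitive; the ids are hypothetical.
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha3-256": hashlib.sha3_256}
# One policy object decides what new data uses and what counts as retired.
policy = {"default": "hmac-sha256", "deprecated": set()}


def _tag(key, alg, payload):
    # The algorithm id is authenticated with the payload so it cannot be swapped.
    msg = alg.encode() + b"\x00" + payload
    return hmac.new(key, msg, ALGORITHMS[alg]).hexdigest()


def protect(key, payload):
    """Wrap payload in an envelope that records which algorithm protects it."""
    alg = policy["default"]
    env = {"alg": alg, "payload": payload.hex(), "tag": _tag(key, alg, payload)}
    return json.dumps(env)


def verify(key, envelope):
    """Return the payload if the tag checks out under the recorded algorithm."""
    env = json.loads(envelope)
    if env["alg"] not in ALGORITHMS:  # never trust an unlisted algorithm id
        raise ValueError("unknown algorithm id")
    payload = bytes.fromhex(env["payload"])
    if not hmac.compare_digest(_tag(key, env["alg"], payload), env["tag"]):
        raise ValueError("integrity check failed")
    return payload


def inventory(envelopes):
    """Count stored records per algorithm id (the 'know your usage' step)."""
    counts = {}
    for e in envelopes:
        alg = json.loads(e)["alg"]
        counts[alg] = counts.get(alg, 0) + 1
    return counts


def migrate(key, envelopes):
    """Re-protect records on a deprecated algorithm under the current default."""
    return [protect(key, verify(key, e))
            if json.loads(e)["alg"] in policy["deprecated"] else e
            for e in envelopes]
```

Switching `policy["default"]` and adding the old id to `policy["deprecated"]` is the whole migration trigger; `inventory` run before and after shows how many records still depend on the retired algorithm.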

The bigger picture: cybersecurity and business value

This latest report of a quantum computing breakthrough serves as a reminder of how rapidly the cybersecurity landscape can change. For SMBs, there are valuable lessons about the relationship between cybersecurity and overall business health:

  1. Trust is a valuable asset: In an era where quantum computers might threaten data security, demonstrating robust and forward-thinking security measures can be a competitive advantage.
  1. Proactive planning matters: SMBs that start preparing for the post-quantum era now will be better positioned to weather the transition smoothly.
  1. Cybersecurity is a business issue: The potential impact of quantum computing on encryption demonstrates how cybersecurity directly affects core business operations and strategy.
  1. Supply chain security is crucial: SMBs need to consider not just their own security posture but also that of their vendors and partners in light of emerging quantum threats.

The takeaway

The quantum computing breakthrough serves as a powerful reminder that in the rapidly evolving digital world, SMBs must stay vigilant and forward-thinking in their approach to cybersecurity. By understanding the implications of quantum computing, implementing quantum-resistant strategies, and viewing cybersecurity as an integral part of business strategy, SMBs can transform potential quantum threats into opportunities for enhanced security and trust. Remember, in the world of cybersecurity, preparation is key. Start planning for the post-quantum era today.

Jeanine Johnson is a renowned cybersecurity strategist with 25+ years of experience driving security as a competitive edge for billion-dollar companies. Ms. Johnson has repeatedly demonstrated how cybersecurity can bolster brands, increase margins, and grow revenues. She is currently on the Boards of PJM Interconnection, and privately held cybersecurity and clean-tech startups. Previously, she served as Vice President (VP) Head of Product Security at Netgear, Head of App Security at Apple, and as a McKinsey & Co. Consultant on digital transformations after earlier engineering leadership roles at Microsoft and Amazon. Ms. Johnson has launched several spin-offs and startups, including as Chief Technology Officer (CTO) of PeerSpace.com and was shortlisted for Entrepreneur of the Year in 2019 at the Women in IT Awards in Silicon Valley. Ms. Johnson is a National Association of Corporate Directors (NACD) Fellow and a Doctoral candidate researching cybersecurity through the School for Engineering and Applied Science at George Washington University in Washington DC. She earned two engineering degrees from the University of Missouri, and a Master in Business Administration (MBA) from Cornell University.