At its annual Trust Summit conference, DigiCert released the results of a global study exploring how organisations are addressing the post-quantum computing threat and preparing for a safe post-quantum computing future.
Key findings reveal that while IT pioneers are concerned about their ability to prepare in the timeframes needed, they are hampered by obstacles which include lack of clear ownership, budget, and executive support.
Quantum computing
Quantum computing harnesses the laws of quantum mechanics to solve problems too complex for classical computers.
With quantum computing, however, cracking encryption becomes much easier, which poses an enormous threat to data and user security.
Seismic event
Forward-thinking organisations that have invested in crypto agility will be better positioned to manage"
“PQC is a seismic event in cryptography that will require IT pioneers to begin preparation now,” said Amit Sinha, CEO of DigiCert.
"Forward-thinking organisations that have invested in crypto agility will be better positioned to manage the transition to quantum-safe algorithms when the final standards are released in 2024."
Study highlights
Ponemon Institute surveyed 1,426 IT and IT security practitioners in the United States (605), EMEA (428), and Asia-Pacific (393) who are knowledgeable about their organisations’ approach to post-quantum cryptography.
Key findings from the study, sponsored by DigiCert, include:
- Sixty-one percent of respondents say their organisations are not and will not be prepared to address the security implications of PQC.
- Almost half of respondents (forty-nine percent) say their organisations’ leadership is only somewhat aware (twenty-six percent) or not aware (twenty-three percent) about the security implications of quantum computing.
- Only thirty percent of respondents say their organisations are allocating a budget for PQC readiness.
- Fifty-two percent of those surveyed say their organisations are currently taking an inventory of the types of cryptography keys used and their characteristics.
Challenges for a safe post-quantum computing future
Ransomware and credential theft are the top two cyberattacks experienced by organisations in this study
Key findings indicate that security teams must juggle the pressure to keep ahead of cyberattacks targeting their organisations while preparing for a post-quantum computing future.
Only fifty percent of respondents say their organisations are very effective in mitigating risks, vulnerabilities, and attacks across the enterprise. According to the research, ransomware and credential theft are the top two cyberattacks experienced by organisations in this study.
- Budgets for PQC
Forty-one percent of respondents say their organisations have less than five years to be ready. The biggest challenge is not having enough time, money, and expertise to be successful.
Currently, only 30 percent of respondents say their organisations are allocating budget for PQC readiness.
- Characteristics of cryptographic keys
36 percent of respondents are determining if data and cryptographic assets are located on-premises
Many organisations are in the dark about the characteristics and locations of their cryptographic keys. Only slightly more than half of respondents (52 percent) say their organisations are currently taking an inventory of the types of cryptography keys used and their characteristics.
Only 39 percent of respondents say they are prioritising cryptographic assets and only 36 percent of respondents are determining if data and cryptographic assets are located on-premises or in the cloud.
- Centralised crypto-management strategy
Very few organisations have an overall centralised crypto-management strategy applied consistently across the enterprise.
Sixty-one percent of respondents say their organisations only have a limited crypto-management strategy that is applied to certain applications or use cases (36 percent), or they do not have a centralised crypto-management strategy (25 percent).
- Cryptographic solutions and methods
Organisations do not have a high ability to drive enterprise-wide best practices and policies
To secure information assets and the IT infrastructure, organisations need to improve their ability to effectively deploy cryptographic solutions and methods.
Most respondents say their organisations do not have a high ability to drive enterprise-wide best practices and policies, detect and respond to certificate/key misuse, remediate algorithm remediation or breaches, and prevent unplanned certificates.
- Hiring and retaining qualified personnel
Organisations recognise they lack the expertise to stay out in front of post-quantum requirements. As a result, hiring and retaining qualified personnel is the most important strategic priority for digital security (55 percent of respondents). This is followed by achieving crypto-agility (51 percent of respondents), which is the ability to efficiently update cryptographic algorithms, parameters, processes, and technologies to better respond to new protocols, standards, and security threats, including those leveraging quantum computing methods.
To be ready for post-quantum computing, organisations need to have a strategy that includes backing by senior leadership, visibility into cryptographic keys and assets, and centralised crypto-management strategies that are applied consistently across the enterprise with accountability and ownership.
