Firms should start building quantum-ready data security 'by end of 2022'

With the power and potential of quantum computing offering huge opportunities for businesses of all industries, the clamour to invest in the technology is growing. However, rushing into the market without properly accounting for data privacy concerns could have serious consequences.

A quantum computer can identify one item in a list of one trillion in about one second – a process a classical computer would take about a week to achieve. That example is a small – but by no means extensive – example of how revolutionary the advent of quantum computing could be. It is also an illustration of just why quantum technologies are capturing the imaginations of organisations around the world at present.

According to one study, by McKinsey & Company, this gold-rush for quantum technology could lead to a global market value of as much as $1 trillion by 2035.

As a result, governments are supplying tax breaks to tech companies investing in R&D to make the innovation a reality. Soon, businesses will be able to leverage quantum technologies to make significant breakthroughs in areas such as health and manufacturing – but there is also the potential for the technology to fall into the hands of hostile actors.

According to Mindaugas Bazys, a Cyber Security Expert with PA Consulting Group, organisations cannot afford to neglect data privacy in the quantum age. In an opinion piece for the advisory firm’s website, Bazys warned that the ability of quantum computers to factor so many possibilities, so quickly has “serious implications for data privacy” – especially if the technology is used by hackers to break through a company’s data encryption schemes.

Bazys explained, “With quantum technologies rapidly maturing, responding to this must be a priority for privacy leaders. Organisations need to review their privacy strategy, build flexibility so they can respond to an evolving market, and educate people at all levels about quantum’s possibilities.”

Review and design flexibly

“Quantum computers will be able to break current encryption standards, such as RSA, challenging the GDPR security principle,” Bazys went on. “With encryption often essential to securing personal data, adopting quantum-resistant cryptography will be key to protecting people and complying with privacy regulations. Crucially, this means quantum safe encryption needs to be in place before a quantum computer that can crack public-key cryptography (PKC) exists.”

As such, PA recommends that organisations have a quantum-secure privacy strategy in place by the end of 2022, analysing existing technical and organisational security measures to ensure data security is resilient in the future. To start with, firms will need to examine their existing technological infrastructure; identifying weak-points to strengthen, rather than waiting to respond to a data breach later.

This will become particularly important as 2022 will see the introduction of quantum safe encryption standards – which will accelerate the transition away from, and/or increase the security of, PKC. However, quantum-secure privacy strategies will need to have a global outlook, and also need to carefully analyse and consider the impacts of cross-border data transfers.

Meanwhile, not all the impacts of quantum technology are foreseeable today, so plans for new security measures will need to be flexible, in order to respond to future legislative changes. For example, Bazys noted that it currently takes an organisation an average of 200 days to detect a data breach, but with quantum sensing technology, there will be more efficient early warning systems.

He went on, “Current data breach reporting requirements (such as within 72 hours for GDPR) are likely to change to account for a drastically reduced intrusion detection time. Quantum-secure privacy strategies will recognise fast developing technologies and bake in the ability to pivot in an evolving regulatory landscape.”

“A quantum-secure privacy strategy would incorporate simulating breach response exercises with a much shorter reporting timeframe than today’s, helping to futureproof your organisational incident response processes.”

Educate people at all levels

As with any change programme, adapting the culture of a company’s workforce is crucial to success. Even with the right planning and technology in place, educating your workforce at all levels is arguably the most important part of privacy resilience, and ensuring that as new products and services are developed, people facing those new challenges are prepared to evolve with the situation.

“For example,” Bazys stated, “quantum technologies are set to enhance the optimisation of targeted advertising through more complex data analysis and behaviour simulations. This raises significant privacy challenges, such as ensuring you have the appropriate legal basis to use the technology in such a way. An organisation aware of privacy principles, as well as quantum technologies, will be better equipped to harness the opportunities that quantum technologies bring, with privacy at the core.”

Concluding, the PA expert pointed out that with quantum technology quickly maturing, starting to change an organisation’s thinking around data privacy is crucial – and sooner rather than later. By acting today to review privacy strategy with quantum technology in mind, firms can position their organisation to protect customers’ privacy in the quantum age.