Think you can ignore quantum computing? Think again.

Even before the algorithms are officially approved this summer, CIOs should start taking steps. Moody recommends they start by doing a cryptographic inventory to see which public key crypto systems they and their partners use. This isn’t easy, but several vendors are developing tools to help with that process.

CIOs can also ensure they assign somebody to lead in the transition, and that they have the funding and expert staff they need. Organizations can also start testing the algorithms in their environments and check their supply chain partners are doing the same.

Jeff Wong, global chief innovation officer at EY, says even if they’re not yet required to make a change, CIOs can already start planning NIST-approved algorithms into their cybersecurity upgrades. “Companies often have three-to-four-year cybersecurity upgrade cycles,” he says. “If there’s a possibility quantum computing can crack keys within five years, and your upgrade cycle is three to four years, you have to start taking action in a year or so.”

Another thing CIOs should do is protect against “store-now, decrypt-later” attacks. Hackers may be collecting encrypted data already that they can decrypt once quantum computers become big enough and reliable enough to run Shor’s algorithms. Some industries are more affected than others, such as healthcare, financial services, and higher education, where medical records, financial information, and academic records need to be protected for a lifetime. But virtually all sectors should be concerned with personal identifiable information (PII) that needs to be protected indefinitely.

EY

According to Wong, CIOs should consider securing data in transit to protect against these kinds of attacks, especially for government-related contracts. “Companies may not be talking about it out loud,” he says. “But we’re hearing through our friends in the ecosystem that government suppliers and companies in industries including financial services are already planning to encrypt their communications for this very reason.”

But some organizations in financial services have been very open about getting a head start. “We’re keeping a close eye on the work of NIST as they standardize PQC protocols,” says Philip Intallura, global head of quantum technologies at HSBC. “Preparing for this new type of cryptography is a core part of HSBC’s quantum program.”