AlixPartners for youNewsroomOur firmContactAlumniAccessibility tools
What we doOur peopleCareersInsights

Data encryption forms the backbone of modern cybersecurity, with end users and data processors operating with the understanding that only vetted and approved parties will have access to their data. The stronger algorithms used to encrypt data are currently impossible to break without many years of processing by supercomputers. However, progress in the rapidly developing field of quantum computing, which has seen more than $55 billion in investment by global powers, might soon allow malicious actors to break commonly used encryption methods and steal high value data, such as trade secrets. How should businesses manage a confidentiality risk that isn’t a matter of if, but when? 

In this article, we discuss quantum computing and what differentiates it from classical computing. We will highlight some predicted applications of quantum computing, including the encryption-breaking Shor’s algorithm. Finally, we discuss the actions that firms should be considering now to prepare for the commercialisation of quantum computing, i.e., Year to Quantum (Y2Q). 

What is quantum computing and why is it different? 

Quantum computers work differently from the computers we are used to in our daily lives. They make clever use of two fundamental rules of quantum physics: superposition and entanglement. The technical details are exceedingly complicated and out of scope for this article1, but can be summarised by stating that qubits—the quantum analogue to regular bits, which are the basic building blocks for all computing systems—can: 

  1. Be any combination of 0 and 1 simultaneously (as opposed to only 0 or 1, which is true for classical bits), allowing for a much greater amount of information to be stored in a smaller number of qubits.  
  2. Affect one another instantaneously, which lets researchers efficiently process multi-qubit states. 

Exploiting these effects allows a quantum computer (in some cases) to store and process exponentially more information than a classical computer. 

This exponential power boost does, however, come at a steep cost. Where classical computers have been optimised and miniaturised to the point where extremely capable devices fit in your pocket, quantum computers require such specialised environments and technology (in particular, they currently require operating temperatures far below room temperature) that they are room-filling devices reminiscent of the first classical computers. As such, their operation is currently limited to large institutions, be it government, academic, or commercial.  

It is likely that for the nearer term, the eventual operating model for quantum computing will keep this institutional basis intact. Quantum computing’s operations are too complex and expansive, and its use cases too specialised, to justify wide distribution. Instead, quantum computing capabilities are expected to be available through the cloud, with a few operators selling remote access to their quantum computers. 

What problems can quantum computing address for businesses? 

The question, though, is what quantum computers will be used for. While many niche applications have been suggested—for example in materials science—so far, few “killer apps” have been identified. Some of the applications being discussed are in multi-variate optimisation (which suffers from severe constraints on in-and output speeds) or “Quantum Machine Learning” (where it is largely unclear what benefit quantum computing brings over the current state of the art, other than generating synthetic data to train models). Other applications might yet be found, but all will have to overcome the peculiar challenges quantum computing hardware poses. 

There is, however, one application that stands out—and which therefore is mentioned in any article discussing quantum computing. This is Shor’s algorithm: a quantum computing algorithm that can find the prime factors of an input number exponentially faster than a classical computer can. Interest in Shor’s algorithm stems from two factors: 

  1. It is proven to be exponentially faster than classical algorithms provided a sufficiently large quantum computer is available. 
  2. Prime factorisation lies at the heart of Diffie-Hellman, RSA, and other forms of encryption. 

As RSA encryption forms the primary basis of encrypted digital communications used globally, a real-world interpretation of Shor’s algorithm would therefore be a major cybersecurity threat to businesses and nation states. 

There are a few caveats here. Firstly, the threat from Shor’s algorithm arises only when sufficiently large quantum computers of high-enough fidelity exist. This is far from the current situation, with both the number of error-corrected qubits and the number of operations able to be performed on them orders of magnitude below what would be necessary. It is unclear on what timescales a meaningful implementation of Shor’s algorithm can be expected, with estimate ranging from years (in the U.S. the National Institute of Standards and Technology, more commonly known as NIST, has estimated that by 2029, quantum computers will be able to break existing public key infrastructure) to decades.  

Secondly, while Shor’s algorithm breaks RSA encryption, there are other encryption protocols that do not rely on prime number factorisation and that are therefore as yet safe—in fact, a subfield of quantum computing focused on quantum encryption is seeking to leverage the nature of quantum physics to invent new encryptions safe even from quantum computers. More information on preparing for post-quantum cryptography can be found in a National Cyber Security Centre whitepaper

When should businesses act? 

While the commercialisation of quantum technology may be on the distant horizon, organisations should act now for two reasons: 

  1. So as to minimise the impact of “harvest now, decrypt later” attacks.
  2. To position the organisation to capitalise on quantum encryption, the foundational requirements may take multiple years to implement. 

What actions should businesses be taking now? 

  1. Understand the business data: the first step involves identifying and inventorying the high value data that the business is processing and storing. All data should have a clear data owner that understands the value of the data and the risk to the organisation in the event that the data was leaked.  
  2. Evaluate the safeguards: encryption should be the last layer of protection for organisational data. The value of the data and the regulatory implication of a data breach should be evaluated against implementing key security controls, such as: 
    1. Access control: Access to the data should be restricted to employees based on the need-to-know principle and reviewed periodically. 
    2. Monitoring: Logging should be enabled for all databases housing key business data and continuously monitored for suspicious activity, such as repeated access attempts or access outside of business hours. 
    3. Data loss prevention: Solutions that identify and block large volumes of data from leaving the perimeter of the organisation should be implemented and tested to measure efficacy. 
  3. Rehearse breach scenarios: For many businesses, a data breach is not a matter of if, but when. To enable an effective response to a data breach, organisations should rehearse scenarios involving the compromise and exfiltration of sensitive data, such as customer records or intellectual property. This enables the key decisionmakers to align on the decisions and any changes to business strategy that would be required, while also allowing gaps in the response process to be addressed. 
  4. Plan to implement post-quantum cryptography: Three post-quantum cryptography standards have been approved by NIST that will protect the confidentiality of data from quantum computers for the foreseeable future. Conversations should be initiated about plans for supporting the quantum-resistant cryptography with the vendors of products processing high value information. Technical system and risk owners of both enterprise and bespoke IT should begin financial planning for updating their systems to use post quantum cryptography, such that upgrades can be planned to take part within technology refresh cycles and implementation. Finally, businesses should establish a working group to monitor developments in post quantum standards and regulations. 

AlixPartners works with senior leaders across organisations using a risk-based approach to identify the most critical assets and data to the business and evaluate the key controls that need to be implemented. A QuickStrike assessment of the cybersecurity programme is a helpful way for organisations to understand the critical assets and key gaps in controls, enabling targeted investment in security. If you would like to discuss our QuickStrike assessment, please contact one of our experts below. 

Authors