It may sound like science fiction, but quantum computing is on track to crack the encryption protecting your most sensitive data. Patient attackers are already harvesting, waiting for the technology to spring the locks. The ASD has set a deadline and a readiness plan. The countdown is on.
Many assume encryption has them covered
Most organisations encrypt their stored data, run their network traffic through encrypted tunnels and rely on protected VPNs, email and cloud platforms. Even if someone does breach the perimeter, encryption is the second line of defence that keeps the data unreadable.
While this holds today, current public key encryption has an expiry date. The Australian Signals Directorate (ASD) has stated that organisations should have a refined plan in place by the end of 2026 and complete their transition to quantum-resistant encryption by the end of 2030.
What quantum computing changes
Current encryption works because the mathematical puzzles behind it are so complex that a conventional computer would take millions of years to crack them. A quantum computer will potentially solve those same puzzles within hours.
When that happens, the most widely used encryption protocols – the public-key systems like RSA and Diffie-Hellman that protect data in transit over secure VPN connections and underpin encrypted data stores – become ineffective. The ASD’s latest Cyber Threat Report identifies preparing for post-quantum cryptography as one of four “big moves” Australian organisations need to make, alongside managing third-party supply chain risk.
This doesn’t mean all encryption will become worthless overnight. Symmetric encryption like AES-256 remains largely resistant to quantum computing. The specific vulnerability lies in public-key cryptography, which is embedded into many systems that transmit or authenticate data across a network. For most organisations, that means the exposure is broad.
The slow heist: harvest now, decrypt later
Attackers are already stealing encrypted data from organisations around the world. They can’t read it today, but they’re storing it and waiting for quantum computing to unlock it.
For organisations holding data with a long shelf life, the harvest now, decrypt later risk is already here, even if the technology to exploit it hasn’t arrived yet. Defence blueprints, patient records and financial records don’t expire. You can steal them today, crack the encryption in a few years and they’re still valuable.
If the encryption protecting them can be broken by then, the damaging breach has already happened. And the harvesting may be harder to detect than you think.
There’s a false sense of security around overlay technologies. Many organisations rely on encrypted tunnels, such as SD-WAN, and assume the underlying network is protected by default. If someone accesses the underlying infrastructure and harvests encrypted traffic, the teams monitoring the overlays may never notice.
The ASD's timeline
The ASD has published a clear transition plan for organisations to move from current encryption to quantum-resistant alternatives, known as post-quantum cryptography (PQC).
End of 2026
Have a refined transition plan in place.
End of 2028
Begin implementing PQC, starting with critical systems and sensitive data.
End of 2030
Complete the transition. Cease use of traditional public key cryptography.
Under the Security of Critical Infrastructure Act 2018 (SOCI Act), critical infrastructure operators and government suppliers will likely face mandatory requirements and contractual obligations. Whether for compliance or not, if your organisation holds sensitive data, you should treat this timeline as your own. If you connect to government networks via VPN or handle data on behalf of government clients, the encryption securing those connections is part of the equation.
Double-check your locks
The good news is that post-quantum cryptography is a managed transition, and the first step is understanding where you stand by building an inventory of how and where encryption is used across your environment:
- Data at rest: Storage, databases and backups. What encryption protocols are protecting them?
- Data in transit: VPNs, email and data transfers between systems. Which connections rely on public key encryption?
- Certification and authentication: Digital certificates, code signing, identity verification. Which of these depend on algorithms that won't survive quantum computing?
From there, it’s a matter of identifying what requires a configuration update, what needs new hardware and what can wait. Some upgrades are straightforward. Others take planning and investment, which is why the ASD recommends starting now.
Assess your network and security
At Nexon, a security assessment maps your encryption landscape, including what you’re running, what’s on the approved list and what needs upgrading. From there, we build a remediation path to identify configuration changes, new hardware requirements and alignment to the ASD’s timeline.
Starting early gives you more time and more options. A cyber security assessment is a practical place to begin.
Garth Sperring is General Manager – Network & Cyber at Nexon Asia Pacific. For more information about assessing your encryption readiness and preparing for post-quantum cryptography, contact us at nexon.com.au/nexon-cyber.
About Nexon Asia Pacific
Nexon is an award-winning digital and IT services partner for mid-market, enterprise and government organisations across Australia. We offer clients a uniquely broad suite of solutions requiring end-to-end capabilities coupled with specialist expertise in security, cloud and digital solutions. As a certified and accredited local and state government provider, CREST and ISO-certified, Nexon partners with world-class technology vendors to deliver innovative and integrated solutions.
To find out about Nexon, call us at 1300 800 000 or visit nexon.com.au
References: Australian Signals Directorate (ASD)
More articles to explore
