
Quantum Risk Is Rising


Quantum computing is increasingly viewed as a genuine cyber-risk, not just a distant technical concept.


Intelligence and industry reports warn that state-sponsored actors are preparing for a future where quantum machines could undermine today’s encryption systems - a threat the Australian Signals Directorate (ASD) also recognises.


ASD guidance states that organisations should stop using traditional encryption (such as RSA and ECC) by 2030 as part of Australia’s post-quantum cryptography (PQC) roadmap. Importantly, this does not make existing cybersecurity frameworks obsolete. The NIST Cybersecurity Framework - along with the ASD Information Security Manual - still applies. What must evolve are the controls, particularly the cryptographic standards and transition planning.


In light of this, here are five things every organisation should do now:


1. Identify long-lived sensitive data

Some information must remain confidential for many years - legal records, intellectual property, archived communications, and customer data. Adversaries may already be capturing encrypted data today so they can decrypt it later when quantum capability arrives (“harvest now, decrypt later”). Understanding where this long-life data lives is the first step.


2. Design for crypto-agility

Systems should be built so encryption methods can be updated without major redesign. This flexibility will help organisations shift to post-quantum algorithms smoothly once they are fully adopted. Avoid locking yourself into today’s cryptographic tools for the next decade.


3. Assess suppliers and partners

Your security is influenced by your supply chain. Cloud platforms, software providers, and hardware vendors should all have post-quantum migration plans. Organisations may need to include PQC timelines and readiness obligations in contracts.


4. Update your controls, not your whole framework

The NIST framework and ASD ISM remain the right guides for managing cyber risk. The strategy doesn’t change - but the controls do. This includes updating algorithm choices, phasing out old cryptography, and validating new post-quantum tools. ASD guidance already outlines the 2030 shift organisations must prepare for.


5. Run practical rehearsal exercises

Transitioning to PQC is a multi-year programme. Organisations should run tabletop exercises to test migration steps, fallback options, and operational implications. This builds capability and confidence long before formal changes are required.
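
To make point 2 concrete, here is a minimal sketch of crypto-agility, added as an illustration and not taken from the original article or from ASD guidance. The names `ALGORITHMS`, `POLICY`, `protect`, `verify` and `migrate` are hypothetical, and standard-library keyed hashes stand in for the real encryption or signature schemes (including a post-quantum one) that would be registered the same way.

```python
import hashlib
import hmac

# Registry: algorithm id -> primitive. Stand-in primitives (assumption);
# a real deployment would register its encryption or signature schemes here.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Policy is data, not code: which algorithm protects new data, and which
# algorithms are still accepted when reading old data.
POLICY = {"protect_with": "hmac-sha256", "accept": {"hmac-sha256"}}


def protect(key: bytes, msg: bytes, policy=POLICY) -> bytes:
    """Tag msg and record the algorithm id in the envelope header."""
    alg = policy["protect_with"]
    tag = ALGORITHMS[alg](key, msg)
    return alg.encode() + b"|" + tag.hex().encode() + b"|" + msg


def verify(key: bytes, envelope: bytes, policy=POLICY) -> bytes:
    """Return the message if its algorithm is accepted and the tag matches."""
    alg_raw, tag_hex, msg = envelope.split(b"|", 2)
    alg = alg_raw.decode()
    if alg not in policy["accept"] or alg not in ALGORITHMS:
        raise ValueError(f"algorithm not accepted by policy: {alg}")
    expected = ALGORITHMS[alg](key, msg).hex().encode()
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("integrity check failed")
    return msg


def migrate(key: bytes, envelope: bytes, old_policy, new_policy) -> bytes:
    """Verify under the old policy, then re-protect under the new one."""
    return protect(key, verify(key, envelope, old_policy), new_policy)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    transition = {"protect_with": "hmac-sha3-256",
                  "accept": {"hmac-sha256", "hmac-sha3-256"}}
    old_env = protect(key, b"archived record")
    print(migrate(key, old_env, transition, transition).split(b"|")[0])
```

Because every stored item names its own algorithm, retiring one is a policy change followed by a `migrate` pass, with no change to the callers.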


Why must boards act now?


Directors cannot afford to wait until quantum computers are mainstream. The AICD and ASD emphasise that boards must understand quantum risk, oversee transition planning, and ensure adequate investment.


With the 2030 deadline approaching, post-quantum cryptography should already be part of board-level cyber discussions. Investing in education and planning today protects long-term organisational resilience.


If you’d like to learn more, please make contact - I can present this topic to your board or executive team.
