Organisations are unprepared to face two critical cryptographic deadlines that will significantly impact their data security and Web services, according to a study by Entrust, a provider of identity-centric security solutions.
The results show that shrinking certificate validity windows and the accelerating timeline for quantum computing are increasing organisational risk, while visibility and readiness remain limited.
The study, released this week, was conducted by Ponemon Institute and sponsored by Entrust. It covered 4,000 IT and security professionals worldwide, including 482 from Singapore.
Nearly half of cybersecurity practitioners in Singapore (49 per cent) believe a quantum computer capable of breaking today’s widely used RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography) cryptographic encryption could emerge within the next five years.
This concern aligns with guidance from the United States National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), which call for deprecating RSA and ECC encryption by 2030 and their disallowance by 2035.
In Singapore, the Cyber Security Agency (CSA) has begun preparing organisations for this shift. It has launched a Quantum-Safe Handbook and a Quantum Readiness Index in 2025 to support migration toward quantum-safe cryptography.
At the same time, organisations need to deal with dramatically shorter digital certificate lifespans. A CA/Browser Forum mandate by a consortium of certificate authorities and software developers will rapidly shrink public trust certificate validity windows, from 398 days to 200, to 100, and ultimately 47 days by 2029.
These changes are intended to reduce risk and strengthen digital trust, but organisations must be able to have faster renewal cycles and automation at scale.
According to the Entrust report, the ability to automate certificate replacement at scale is as important as the transition to quantum-safe cryptography.
Despite the urgency, just 33 per cent of organisations in Singapore are preparing for post-quantum cryptography (PQC), down from 36 per cent in 2023.
Just 43 per cent claim full visibility into certificates in their enterprises, which makes it challenging to implement quantum-safe algorithms and infrastructure. Some 62 per cent find managing cryptographic assets extremely or very difficult.
In the event of a successful quantum attack, Singapore respondents are worried about losing access to encrypted critical infrastructure (58 per cent) and exposure of long-term sensitive data (56 per cent) that includes financial records and health information.
“The fact that 67 per cent of respondents report that their organisations are not preparing to transition to post-quantum cryptography is a sign that the cryptographic landscape is changing faster than most organisations can keep up,” said Greg Wetmore, vice-president of product development at Entrust.
It is not a question of whether quantum computers will be disruptive, but how quickly organisations can adapt their infrastructure to tackle what’s ahead, he added.
The key barrier to post-quantum readiness is limited visibility into cryptographic assets, said 38 per cent of respondents. Other readiness gaps have also worsened, including the lack of expertise (40 per cent, up from 23 per cent previously), and concerns around testing systems and managing the transition (37 per cent, from 33 per cent).
When organisations lack visibility into where cryptographic keys and certificates are located, how they are used, and their expiry dates, they are unable to automate renewal workflows, adopt quantum-safe algorithms, or prevent the outages caused by expired certificates.
“The gap between awareness of the quantum threat and action is widening,” said Mike Baxter, president and chief technology and product officer at Entrust.
“The path forward starts with building cryptographic visibility and automation,” he advised. “Then it becomes about implementing quantum safe cryptographic infrastructure with PQ-ready HSMs and PQ-ready PKI, which are the fundamental building blocks organisations require to address the quantum threat.”
