
From e-payments to tax filing, today’s digital transactions will become unsafe in the coming years when the encryption protecting them can be cracked by more powerful quantum computers. Yet, the “quantum-safe migration” to tougher encryption is taking place slowly in Singapore.
In a study released last month, cybersecurity firm Entrust revealed that only 33 per cent of Singapore organisations are transitioning to post-quantum cryptography.
This is actually down from 36 per cent in 2023, despite deadlines nearing to switch over to new cryptography technologies that can protect against quantum computers.
Worryingly, less than half of organisations in Singapore have full visibility into the certificates used across their environments.
If you can’t find what you want to protect, you can’t protect it at all, never mind putting systems in place to defend against new threats.
The finding is a surprise, given the clear guidelines from the United States’ standards authorities and Singapore’s cybersecurity agency in recent years, says Lawrence Tan, head of technical sales consulting for digital security for Asia-Pacific and Japan at Entrust.
Organisations have to step up now, especially when hackers are already stealing data to be decrypted later with more powerful computers, he stresses.
That’s not to mention that the migration takes years because it impacts so many systems that are at the heart of operations, he tells Techgoondu in this month’s Q&A.
NOTE: Responses have been edited for style.
Q: The recent study from Entrust paints a worrying picture of organisations not being ready for a post-quantum world. Is it surprising, given the clear guidelines given by NIST (National Institute of Standards and Technology) in the United States, for example?
A: NIST finalised its first set of post-quantum cryptography standards in 2024, including algorithms such as Crystals-Kyber and Crystals-Dilithium, which are expected to replace widely used encryption systems like RSA and ECC over time.
Beyond defining the new algorithms, NIST has also outlined a migration timeline that plans to deprecate RSA and ECC by 2030 and fully disallow them by 2035. That direction is increasingly being echoed globally, with similar transition planning emerging across jurisdictions such as the European Union, Canada, and Australia.
At the same time, organisations themselves recognise that the quantum threat may arrive soon. Our latest study found that nearly half (49 per cent) of cybersecurity leaders in Singapore believe a cryptographically relevant quantum computer could emerge within the next five years.
Given these signals from both global regulators and industry, it is somewhat surprising that preparation levels remain low. The reality is that transitioning cryptographic infrastructure is complex and time-consuming.
In Singapore, only 33 per cent of organisations are actively transitioning to post-quantum cryptography, highlighting a clear and concerning gap between awareness and action.
A key challenge hindering efforts to transition is that many organisations still lack basic visibility into their cryptographic environments. In many cases, security teams do not have a clear inventory of where cryptographic assets such as certificates, keys, and algorithms are deployed across systems, applications, and cloud environments.
Without that visibility, it becomes extremely difficult to modernise cryptographic infrastructure, automate certificate and key management, or adopt crypto-agile architectures that allow organisations to update algorithms as standards evolve.
This is why solutions that provide centralised visibility and management of cryptographic assets are becoming increasingly critical as a foundational step, as organisations prepare for the transition to quantum-safe security.
Q: Given that the Singapore government is pushing for post-quantum measures of late, do you expect more organisations to be revving up efforts to be prepared in the next 12 to 18 months?
A: Yes, we definitely expect momentum to increase. Singapore has taken a proactive approach to quantum readiness through initiatives such as the National Quantum Strategy, which is investing in research and infrastructure to strengthen the country’s long-term competitiveness in quantum technologies.
Regulators like the Monetary Authority of Singapore (MAS) are also encouraging organisations to begin preparing their cryptographic environments for a post-quantum future.
These developments signal that organisations are beginning to recognise that preparation cannot be delayed. Over the next 12 to 18 months, we expect many organisations to start assessing their cryptographic environments and building migration roadmaps.
We are already seeing early signs of this shift across the region. For example, one Asia-Pacific national defence organisation worked with Entrust to centralise visibility and automate lifecycle management of cryptographic assets across a complex hybrid environment.
This gave security teams clearer insight into encryption dependencies and allowed them to prioritise certificate renewal and policy enforcement more consistently – an important step before planning future algorithm transitions.
More broadly, we’re seeing growing interest from enterprises looking to improve visibility over their keys and certificates, and to build the crypto-agile foundations needed to support a gradual transition to quantum-safe cryptography.
Q: Getting ready for a post-quantum world isn’t a simple task. Briefly, what are the first steps that organisations here should take?
A: The first step is establishing clear ownership of the organisation’s cryptographic strategy. Preparing for post-quantum cryptography is not just a technical upgrade – it also involves people and processes.
An assigned individual or a dedicated team needs to be responsible for defining the organisation’s policies, practices, and transition roadmap for managing cryptographic assets in a post-quantum future.
This is a real challenge today. Our research shows that 34 per cent of Singaporean organisations report a lack of clear ownership as one of the main obstacles to managing and deploying public key infrastructure (PKI), a foundational part of digital security.
The next step is identifying where sensitive data resides and how it moves across systems. Organisations need to understand which data must remain confidential for many years and therefore requires stronger protection against future quantum attacks.
From there, organisations should gain visibility into their existing cryptographic assets. According to our recent study, less than half (43 per cent) of organisations in Singapore report having full visibility into the certificates used across their environments.
Many organisations underestimate how widely cryptographic controls are embedded across their infrastructure – in applications, devices, APIs (application programming interfaces), and cloud services. Without knowing where cryptography is being used, it becomes extremely difficult to plan a transition to quantum-safe algorithms.
Finally, organisations should begin building crypto-agility into their systems, which means having the ability to update cryptographic algorithms without major disruption to services.
Achieving this requires a combination of people, processes, and technology – including clear governance structures, risk and compliance processes, as well as infrastructure designed to support cryptographic change and manage assets consistently across environments.
In practice, organisations need to build capabilities around three key pillars – visibility into cryptographic assets, control over how they are managed, and automation of lifecycle processes such as certificate renewal and key management.
Starting early is crucial, as the cryptographic transition will affect many systems across an organisation and may take several years to complete.
Establishing ongoing governance around the management of current cryptographic assets ensures organisations can continue adapting their security posture as standards evolve and new threats emerge.
Q: Given all the data harvesting by hackers today, do you think organisations will be ready when a quantum computer finally breaks the encryption in just a few years’ time?
A: One of the key concerns around quantum computing is the concept of “harvest now, decrypt later”. Attackers may already be collecting encrypted data today with the expectation that future quantum computers will eventually be able to decrypt it.
In that sense, the threat has already arrived, and organisations cannot afford to wait for a cryptographically relevant quantum computer to arrive before taking action.
This is particularly concerning for sensitive data that must remain confidential for long periods – such as financial records, healthcare information, intellectual property, or government data.
In Singapore, 58 per cent of respondents expressed concern about losing access to encrypted critical infrastructure, while 56 per cent highlighted the risk of long-term sensitive data – such as financial records and health information – being exposed if quantum attacks were to become viable.
The focus should be on protecting data today. Organisations need to begin identifying where sensitive data resides, improving visibility into their cryptographic assets, and building crypto-agile infrastructure so they can transition to quantum-safe algorithms over time.
Preparing early allows organisations to move deliberately rather than react under pressure once quantum capabilities become viable. Waiting for a cryptographically relevant quantum computer before preparing would already be too late.
