Australian companies are on high alert as quantum computing races towards shattering modern encryption, threatening to expose the nation’s most sensitive data unless defences are upgraded fast.
On Tuesday, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) released its Annual Cyber Threat Report 2024-2025.
In addition to finding that Australians have continued to report cybercrime incidents once every six minutes, the report warned businesses should prepare for a significant shakeup to modern cryptography.
According to the report, the development of a cryptographically relevant quantum computer (CRQC) is “on the horizon”.
Such a device would be capable of “breaking contemporary public key cryptography”, enabling cybercriminals to crack and access encrypted data in ways not previously possible.
Minister for Defence Richard Marles said CRQCs are “still a few years down the track”, but warned Australians will indeed see the advent of much more powerful computers that are able to break [the] encryptions that exist today.
“It’s important that companies are getting ready for that world.”
What is post-quantum cryptography?
Conventional data encryption typically relies on cryptographic algorithms to scramble sensitive data so it can only be viewed by intended parties.
Advancements in quantum computing, however, are expected to one day offer cybercriminals access to systems capable of breaking these algorithms – an event commonly referred to as ‘Q-Day’.
The ACSC report explained businesses should prepare for the likelihood of such computers by adopting ‘post-quantum cryptography’.
In practice, this would mean using encryption products that incorporate quantum-resistant algorithms – math so complex it’s considered difficult for both classical and quantum computers to solve.
Speaking in Canberra on Tuesday, Marles emphasised there are already existing products for companies to protect themselves.
“It’s really important that they get on board with those products as soon as possible,” said Marles.
Andrew Wilson, chief executive of encryption specialist Senetas, encouraged organisations to “begin their quantum-safe migration without delay” by using “dedicated encryption systems to safeguard sensitive and high-value data”.
Wilson told Information Age there was also a “harvest-now, decrypt-later” threat which meant criminals who have stolen encrypted data may eventually be able to make use of it “once a quantum computer becomes available”.
“The report sends a clear message,” said Wilson.
“This is a critical national security challenge that Australian organisations must address immediately.”
Throw out the old tech
The report recommended businesses and network owners also focus on three other “big moves” to prepare for future cybersecurity challenges: implementing best-practice logging; managing third-party risk; and replacing legacy IT systems.
“Keeping legacy IT on a network increases the likelihood of a cybersecurity incident,” read the report.
“It can also make any cybersecurity incident that does occur much more impactful.”
The issue is particularly rife in government, with more than 70 per cent of Commonwealth entities still relying on legacy IT systems that “are costly to maintain, pose significant cybersecurity vulnerabilities, and inhibit innovation”, according to consulting firm Mandala.
The ACSC report urged businesses to “eliminate the risks associated with legacy IT” by replacing it with systems which are still receiving support.
Where this isn’t possible, the ACSC said “temporary measures” should be adopted to mitigate some of the risk.
“Old IT systems are gateways for cybercriminals,” said Marles.
Notably, Microsoft’s Windows 10 operating system reached end-of-life earlier this week, setting a three-year deadline before the vendor stops providing security updates to paying users.
Hackers zero in on Aussie IDs
In the foreword of the report, Marles said cybercriminals had “relentlessly targeted Australians” over the past year.
As ransomware attacks and data breaches increased in frequency, reporting tool ReportCyber received more than 84,700 cybercrime reports for the 2024-25 financial year.
This marked a small three per cent decrease, though Australians still averaged one report every six minutes.
Over 42,500 calls were made to the Australian Cyber Security Hotline – a 16 per cent increase for the service and an average 116 calls per day – while 30 per cent of self-reported cybercrime for individuals was identity fraud, marking the most reported category and an eight per cent increase from the year prior.
The cost of self-reported cybercrimes averaged $36,633 per person, with online shopping fraud and online banking fraud being the second and third-most common.
Businesses meanwhile suffered a significant increase in costs following a cybercrime incident, climbing 50 per cent to an average of $80,850.
“[Cybersecurity] is an area that is having a big impact on our economy, and it’s really important that everyone – companies and individuals alike – are doing everything they can to ensure the public cyber health of our nation,” said Marles.