Singapore’s cybersecurity conundrum: High awareness, lingering risk

Singapore presents a compelling paradox in cybersecurity: residents and organisations rank among the most aware in the Asia-Pacific region, yet many still fall prey to basic threats. According to the 2025 Global State of Authentication survey, conducted among 18,000 employed adults across nine countries, including Singapore, there is a striking disconnect between what people think they’re doing and what they are actually doing. 

Geoff Schomburgk, Regional VP for Asia Pacific & Japan at Yubico, describes the situation bluntly: “I think Singaporeans recognise the dangers of phishing, but many also believe they’re too smart to fall for it.” That belief, he says, leads to complacency: skipping verification steps, reusing passwords, or dismissing multi-factor authentication (MFA) as “overkill”.

And the numbers back him up. In Singapore:

• 78 % of respondents say they use MFA for personal accounts. 
• Yet 63 % still rely on usernames and passwords for personal log-ins, and 58 % for work accounts. 
• Even with high concern about AI-driven threats (89 % of Singapore respondents), nearly half (44 %) admit that they interacted with a phishing message in the past year.

Put simply, Singaporeans might know the risk, but many aren’t acting in fully protective ways.

The personal side of the equation

At the individual level, Schomburgk emphasises that stronger awareness does not automatically yield safe habits. “Passwords persist because they’re familiar,” he says. “People assume they ‘just work’, without realising how easily they can be stolen or guessed.”

He points out that the risk often starts at home: work and personal lives have blurred, so reusing weak credentials or using the same password across streaming, shopping and banking can open a door to more serious compromise. “Attackers don’t separate work and home,” he notes.

That rings true when matched to Singapore’s broader cyber context. A Cyber  Security  Agency  of  Singapore (CSA) survey found that about 1 in 3 respondents reported a cyber incident in 2022, and about 4 in 10 believe they are likely to fall victim to online scams. 

Families and multi-generation households offer an example, with Schomburgk emphasising that parents can help build digital hygiene early, showing children what phishing looks like, helping them recognise warning signs, and giving them ownership of online safety. He says that even seniors, when given simple tools and guidance, can become careful and enthusiastic learners of good cyber habits.

Organisations: Culture over checklists

Turning to the workplace, Schomburgk observes that companies in Singapore report strong adoption of MFA—about 60 % of Singapore organisations say they require MFA across all applications, compared with a global average of 48 %. 

Yet that leaves meaningful gaps. Many employees still rely on insecure authentication methods like SMS codes, and nearly one in three say they’ve never received formal cybersecurity training.

“Security training shouldn’t be just a yearly compliance box to tick,” Schomburgk insisted. “It should be part of company culture — reinforced through micro-learning and simulated phishing exercises.” He argued that as remote and hybrid work rose, every device becomes a potential entry point. “Convenience and security must coexist,” he said. “If you make protection harder than it needs to be, people will avoid it.”

Researchers support his view: analysts note that while MFA has become mainstream, the devil is in the details — type of MFA, integration across applications, and consistent enforcement matter just as much as raw adoption numbers.

AI-driven threats and the illusion of safety

One critical shift in Singapore’s threat landscape is the increasing sophistication of AI-driven phishing and social engineering. Schomburgk warns that attackers now use deep-fakes, multilingual campaigns and even conversational bots to exploit human trust. “What used to take hours can now be done in seconds — and in multiple languages,” he says.

This is borne out by survey data: 85 % of Singapore respondents believe phishing attempts are becoming more sophisticated. 

The global findings indicated that only about 30 % of respondents globally correctly identified a genuine email in tests, and only around 46 % could correctly identify an AI-generated phishing message. 

Schomburgk used this to stress the need for phishing-resistant authentication — not just awareness campaigns. “Even if you’re deceived, attackers can’t exploit credentials that aren’t stored or transmitted in vulnerable ways,” he says.

The road ahead: Simpler, stronger habits

Despite strong indicators of awareness and adoption, Schomburgk is clear that real change comes when protective measures become effortless. “Knowledge doesn’t always lead to change,” he remarks. “People think passwords are ‘good enough’ until they experience a breach.”

He highlights that newer tools — passkeys, hardware security keys and true password-less methods — are becoming viable for everyday users, not just enterprises. While there is scepticism that they’re expensive or complex, he says the opposite: “When people see logging in is faster, password resets are fewer, and access is easier, they embrace it naturally.”

Market analysts forecast significant growth in such authentication solutions in Singapore and the region, as companies and individuals align with regulatory pressures and digital-economy demands.

A cyber-safe culture starts with you

For Schomburgk, cybersecurity is ultimately a collective mission. He notes that about 43 % of Singaporeans remain unsure if their accounts are truly secure, despite high adoption of MFA. 

His simple guidance: use phishing-resistant authentication wherever possible, keep devices and apps updated, and always verify unexpected requests through trusted channels.

He also emphasises that organisations can drive national change. “Workplaces are where most people learn security behaviours,” he says. “By embedding good practices — like mandatory MFA, regular refreshers and consistent training — companies can raise the country’s overall digital resilience.”

When asked what he would say to Singaporeans who think cybersecurity is someone else’s job, his answer is firm yet encouraging: “It’s your responsibility to lock your own digital doors. Cybersecurity isn’t about fear, it’s about empowerment.”