Equinet Academy
Cyber risk in Singapore is no longer a peripheral IT issue. As a regional hub for finance, healthcare, logistics, and digital infrastructure, Singapore-based organisations are high-value targets for cybercriminal syndicates and state-linked threat actors. Attacks are increasingly aimed at disrupting essential services, exploiting trusted access within supply chains, or extracting ransoms through operational paralysis.
The Cyber Security Agency of Singapore (CSA) reports that in 2024, Singapore experienced a significant rise in cyber threats, led by increased phishing, ransomware, and malware infections. Phishing cases grew by 49% to about 6,100 incidents, with the banking and financial services sector most heavily targeted. Ransomware attacks also increased by 21%, reaching 159 reported cases. Infected computer systems rose sharply by 67% to 117,300 in 2024.
CSA attributed much of this activity to botnet-driven attacks, noting that many infections involved older malware that could have been prevented with existing security measures. The consequences extend beyond immediate financial loss, often triggering regulatory investigations, contractual breaches, and long-term damage to reputation.
The Cybersecurity Act provides a structured national framework to address these realities. For organisations, it establishes clear responsibilities, enforceable standards, and a consistent approach to managing cyber risk as part of core business operations.
Source: SINGAPORE CYBER LANDSCAPE 2024/2025
Enacted in 2018, the Cybersecurity Act is Singapore’s primary legislation governing the protection of computer systems essential to national and economic stability. It is administered by the Cyber Security Agency of Singapore (CSA), which serves as the central authority for cybersecurity oversight, coordination, and enforcement.
The Act was introduced in response to:
Rather than focusing solely on penalties, the Act emphasises prevention, preparedness, coordinated response, and recovery. It applies to both public and private sector entities whose systems support essential services.
Over the past few years, cybersecurity trends highlighted in the Singapore Cyber Landscape (SCL) reports have increasingly materialised into real and pressing threats. Among these, ransomware has emerged as the most severe, evolving from simple file encryption into complex, multi-layered attacks involving data exfiltration, double or even triple extortion, and service disruption.
Its widespread impact across sectors such as healthcare and manufacturing demonstrates how damaging and scalable these attacks have become. At the same time, supply chain attacks have become a significant concern, as attackers exploit vulnerabilities in third-party vendors and service providers to bypass traditional security defences.
Incidents such as SolarWinds and Kaseya illustrate how a single compromised supplier can cascade across multiple organisations. In parallel, the rapid expansion of Internet of Things (IoT) devices continues to introduce new vulnerabilities, driven by weak authentication, outdated firmware, and limited visibility across networks.
As digital ecosystems become more interconnected, these threats collectively highlight the increasing complexity of cybersecurity risks and the need for stronger, more integrated security strategies.
Cyber attackers in Singapore keep changing how they work, going after banks, hospitals, infrastructure operators, and public trusts. Recent assessments by national authorities highlight four dominant categories of cyber threats affecting organisations operating in Singapore.
Phishing remains the most prevalent cyber threat in Singapore. Attackers increasingly use impersonation techniques, spoofed domains, and social engineering to deceive individuals into revealing credentials, financial information, or access to internal systems.
Banking and financial services, government agencies, and e-commerce platforms are among the most commonly impersonated entities, reflecting attackers’ focus on trust-based exploitation.
According to the Singapore Cyber Landscape 2024/2025 report by CSA Singapore, approximately 6,100 phishing attempts were reported in 2024, representing a 49% increase from the 4,100 cases recorded in 2023.
Although this reflects a 28% decline from the 8,500 cases observed in 2022, phishing activity remains persistently high. The reported figures likely represent only a fraction of actual incidents, as many cases go unreported unless financial losses are involved.
The report also found that 12% of analysed phishing emails contained AI-generated content, indicating a continued, though still emerging, use of artificial intelligence by threat actors to enhance phishing tactics, slightly down from 13% in 2023.
The scale and persistence of phishing campaigns underline the importance of user awareness, email security controls, and rapid incident reporting mechanisms.
Ransomware continues to threaten organisations, especially those running essential services or complex digital systems. Attackers encrypt data and lock down operations, then threaten to leak stolen information to force victims into paying.
According to the Singapore Cyber Landscape 2024/2025 report by CSA Singapore, ransomware cases in Singapore increased to 159 incidents in 2024, marking a 21% rise from 132 cases in 2023. This upward trend reflects the broader global surge in ransomware activity.
The sectors most affected were manufacturing, professional services, and infocomm technologies (ICT). Notably, professional services entered the top three most impacted industries for the first time since CSA began tracking ransomware trends, underscoring the growing need for stronger cybersecurity measures within this sector.
Ransomware incidents typically result in extended downtime, costly recovery efforts, and potential regulatory and reputational consequences, making preparedness and incident response capability critical for organisational resilience.
Infected computer infrastructure remains a persistent concern in Singapore’s cyberspace. Large numbers of compromised systems are linked to malware infections, often orchestrated through botnets controlled via command-and-control servers.
These infected devices may be used to propagate malware, conduct distributed denial-of-service (DDoS) attacks, or support broader criminal operations.
The number of infected systems in Singapore increased significantly from approximately 70,200 in 2023 to 117,300 in 2024, representing a 67% rise. This surge was largely driven by the growing number of botnet-infected devices.
The increase is likely linked to the continued exploitation of n-day and zero-day vulnerabilities in networking infrastructure, edge systems, and outdated Internet of Things (IoT) devices, allowing threat actors to bypass detection mechanisms and maintain persistent access.
Supporting this trend, cybersecurity firm Recorded Future noted in its 2024 Malicious Infrastructure Report that attackers are actively building botnets by indiscriminately compromising IoT devices globally, particularly end-of-life or unpatched small office and home office (SOHO) routers, according to the Singapore Cyber Landscape 2024/2025 report by CSA Singapore.
Notably, many infections involve older malware strains that could have been mitigated through basic security hygiene, such as timely patching, endpoint protection, and network monitoring.
Website defacement incidents, while less disruptive than ransomware or large-scale breaches, continue to occur and pose reputational risks to affected organisations. Such attacks typically involve unauthorised modification of website content to display political messages, propaganda, or vandalism.
Website defacement incidents in Singapore declined from 108 cases in 2023 to 67 cases in 2024, representing a 38% decrease and continuing the downward trend observed since 2022.
This reduction may be attributed to several factors, including hacktivists shifting their activities to alternative platforms such as social media, adopting other attack methods like ransomware or distributed denial-of-service (DDoS) attacks, and improvements in basic cybersecurity practices among website owners, as reported in the Singapore Cyber Landscape 2024/2025 report by CSA Singapore.
Although defacements may not always result in data loss, they signal underlying security weaknesses and can erode public trust, particularly when they affect government agencies or public-facing services.
Together, these threat trends illustrate that Singapore’s cyber risk environment is broad, persistent, and increasingly opportunistic. Organisations must address not only advanced attacks, but also foundational security gaps that enable common threats to succeed.
Aligning with the Cybersecurity Act’s requirements through risk assessments, incident reporting, access controls, and workforce training remains essential to maintaining operational resilience in this evolving landscape.
Critical Information Infrastructure (CII) refers to computer systems necessary for the continuous delivery of essential services, where disruption would have a significant impact on public safety, economic security, or national defence.
The Cybersecurity Act identifies 11 essential sectors, including:
The CII designation is issued by the Commissioner of Cybersecurity. Once designated, organisations are subject to heightened legal and operational obligations. This reflects recognition that certain entities carry systemic risk, where failure could cascade across industries and public services.
Research shows critical infrastructure sectors are under near-constant cyberattack, with infrastructure systems worldwide experiencing millions of attacks annually, such as more than 420 million attacks on critical infrastructure in one year, equating to about 13 attacks per second.
CII owners must implement cybersecurity measures proportionate to their system’s function and risk profile. These are enforceable legal obligations, not voluntary best practices.
Under the Cybersecurity Act, owners of Critical Information Infrastructure (CII) must conduct cybersecurity audits at least once every two years using an approved auditor. These audits assess both compliance with the Act and risks/threats facing the CII, helping organisations identify control gaps and strengthen their security posture.
These measures impose discipline on cybersecurity governance and ensure security controls evolve alongside emerging threats.
CII owners must report qualifying cybersecurity incidents to CSA within prescribed timelines. Reportable incidents include those that disrupt essential services, compromise system integrity, or pose a risk of wider impact.
CSA is empowered to:
Centralised coordination prevents fragmented responses and enables rapid threat intelligence sharing across sectors.
Case study (SingHealth): Post-incident findings highlighted that delays and bottlenecks in escalation can hinder timely containment and coordinated response. Singapore’s policy direction reinforces that early incident reporting enables CSA to intervene sooner, build national situational awareness, and warn other sectors to prevent similar attacks from spreading.
The Cybersecurity Act introduces a licensing regime for providers offering high-risk services such as:
Licensed providers must meet standards of competence, integrity, and governance. This reduces the risk of engaging unqualified vendors and strengthens trust across the cybersecurity ecosystem.
A recent industry summary indicates that 81% of companies outsource cybersecurity functions to external service providers, reflecting how common it is for organisations to leverage third-party expertise for parts of their security operations.
Timeline and Attack Route of the SingHealth Breach
In 2018, SingHealth, Singapore’s largest public healthcare cluster, suffered a targeted advanced persistent threat (APT) attack that compromised the personal data of approximately 1.5 million patients. The incident remains the most significant cybersecurity breach in Singapore’s history.
Healthcare systems have since been formally designated as Critical Information Infrastructure (CII) under the Cybersecurity Act, reflecting direct regulatory learning from this real-world failure.
Following the detection of anomalous activity, CSA led forensic investigations and coordinated remediation efforts. Under the Cybersecurity Act, CSA now has explicit legal authority to direct incident response, mandate corrective measures, and coordinate intelligence sharing across sectors.
These powers convert cybersecurity from organisational discretion into regulated operational discipline.
A government-appointed Committee of Inquiry identified governance and technical failures, directly influencing enforcement standards under the Cybersecurity Act. Today, CII owners must demonstrate:
These requirements are enforceable and grounded in national-level inquiry rather than theoretical guidance.
Although non-CII organisations are not directly regulated, many are affected indirectly through supply-chain, contractual, and sectoral requirements. Organisations supporting CII entities are increasingly required to demonstrate cybersecurity maturity as a condition of doing business.
Supply-chain cyberattacks have increased by over 300% globally, making alignment with Cybersecurity Act principles a commercial necessity.
Compliance delivers tangible organisational benefits:
A 2025 industry report finds that 96% of CEOs consider cybersecurity fundamental to business growth and stability, and many organisations prioritise preparedness to limit damage and maintain operations during attacks.
This underscores the value organisations place on structured cybersecurity compliance and resilience strategies.
CSA has enforcement powers, including:
Beyond fines, non-compliance exposes organisations to operational disruption, litigation, and reputational damage. The average cost of a major cyber incident in Asia-Pacific exceeds SGD 4.34 million.
Organisations seeking alignment with the Cybersecurity Act should focus on structured capability development rather than ad-hoc controls.
Cybersecurity training is foundational to reducing risk because human behavior remains one of the most exploited vulnerabilities. Organisations may invest heavily in technology, but attackers routinely bypass these defenses by targeting people through phishing, social engineering, and credential theft. Clicking malicious links, reusing passwords, or mishandling sensitive data still enable most successful breaches.
Effective training closes this gap by building awareness and judgment across the workforce. Instead of treating employees as the weakest link, it teaches them to recognise suspicious activity, understand common attacks, and respond when incidents occur. This includes knowing when and how to report threats, which matters for early detection and containment.
Over time, consistent training programmes foster a security-conscious culture where good cyber hygiene becomes part of everyday operations, reducing reliance on reactive controls and strengthening overall organisational resilience.
Expert consultation and independent assessment give organisations objective insight into their cybersecurity posture, free from internal assumptions or bias. External assessors evaluate systems, processes, and governance against CSA requirements and recognised standards like ISO 27001 and NIST. This outside perspective often reveals gaps, misconfigurations, or weaknesses that internal teams miss due to familiarity or competing priorities.
Beyond identifying issues, independent assessments help organisations prioritise fixes based on risk and impact. Expert guidance turns findings into practical recommendations, supporting smarter investment in controls and demonstrating due diligence to regulators, boards, and partners. Organisations gain a clearer view of their risk exposure and a structured path to strengthen resilience in line with regulatory and industry expectations.
Practical toolkits and frameworks provide organisations with structured, repeatable methods for implementing cybersecurity requirements without starting from scratch.
Standardised templates for risk assessments, incident response plans, asset inventories, and compliance documentation translate regulatory expectations into concrete operational steps.
This reduces ambiguity, shortens implementation timelines, and ensures that critical controls are applied consistently across teams, systems, and business units.
By using established frameworks aligned with CSA guidance and international standards, organisations can embed cybersecurity into day-to-day operations more effectively. Toolkits support clearer role definition, smoother coordination during incidents, and more reliable documentation for audits and regulatory reviews.
Over time, this consistency strengthens governance, improves response effectiveness, and enables organisations to scale cybersecurity practices as their digital environments grow more complex.
The Cybersecurity Act makes one thing clear: cybersecurity is no longer optional or purely technical. It’s a matter of national resilience, organisational accountability, and executive responsibility.
Built on real incidents and backed by regulatory authority, the Act ensures that weaknesses in one organisation don’t cascade into systemic failures across essential services and digital supply chains.
For organisations, alignment isn’t just about meeting legal requirements. It’s about building the capability and discipline to operate confidently when cyber threats are constant and evolving. Compliance frameworks and technical controls only work when people understand risks, spot incidents early, and know how to respond.
This is where structured cybersecurity training becomes a critical enabler. Equinet Academy offers practical, industry-relevant programmes that directly support organisational readiness and resilience:
By combining regulatory alignment with targeted skills development, organisations move beyond checkbox compliance towards sustainable cyber resilience. Investing in training ensures that cybersecurity responsibilities are understood across the organisation, strengthening operational confidence and enabling businesses to remain compliant, trusted, and resilient in Singapore’s highly interconnected digital economy.
Article Written By
Marvin is an enthusiastic content writer who loves crafting lively, engaging articles, blogs, and digital materials that speak directly to the right audiences. He brings a cheerful curiosity and a playful creativity to every project, always eager to produce content that sparks a smile, connects with readers, and delivers real results.
Article Written By
Marvin is an enthusiastic content writer who loves crafting lively, engaging articles, blogs, and digital materials that speak directly to the right audiences. He brings a cheerful curiosity and a playful creativity to every project, always eager to produce content that sparks a smile, connects with readers, and delivers real results.
Receive the latest blog articles right into your inbox.
Reader Interactions