Singapore’s cybersecurity conundrum: High awareness, lingering risk

Families and multi-generation households offer an example, with Schomburgk emphasising that parents can help build digital hygiene early, showing children what phishing looks like, helping them recognise warning signs, and giving them ownership of online safety. He says that even seniors, when given simple tools and guidance, can become careful and enthusiastic learners of good cyber habits.

Organisations: Culture over checklists

Turning to the workplace, Schomburgk observes that companies in Singapore report strong adoption of MFA—about 60 % of Singapore organisations say they require MFA across all applications, compared with a global average of 48 %. 

Yet that leaves meaningful gaps. Many employees still rely on insecure authentication methods like SMS codes, and nearly one in three say they’ve never received formal cybersecurity training.

“Security training shouldn’t be just a yearly compliance box to tick,” Schomburgk insisted. “It should be part of company culture — reinforced through micro-learning and simulated phishing exercises.” He argued that as remote and hybrid work rose, every device becomes a potential entry point. “Convenience and security must coexist,” he said. “If you make protection harder than it needs to be, people will avoid it.”

Researchers support his view: analysts note that while MFA has become mainstream, the devil is in the details — type of MFA, integration across applications, and consistent enforcement matter just as much as raw adoption numbers.

AI-driven threats and the illusion of safety

One critical shift in Singapore’s threat landscape is the increasing sophistication of AI-driven phishing and social engineering. Schomburgk warns that attackers now use deep-fakes, multilingual campaigns and even conversational bots to exploit human trust. “What used to take hours can now be done in seconds — and in multiple languages,” he says.

This is borne out by survey data: 85 % of Singapore respondents believe phishing attempts are becoming more sophisticated. 

The global findings indicated that only about 30 % of respondents globally correctly identified a genuine email in tests, and only around 46 % could correctly identify an AI-generated phishing message. 

Schomburgk used this to stress the need for phishing-resistant authentication — not just awareness campaigns. “Even if you’re deceived, attackers can’t exploit credentials that aren’t stored or transmitted in vulnerable ways,” he says.

The road ahead: Simpler, stronger habits

Despite strong indicators of awareness and adoption, Schomburgk is clear that real change comes when protective measures become effortless. “Knowledge doesn’t always lead to change,” he remarks. “People think passwords are ‘good enough’ until they experience a breach.”

He highlights that newer tools — passkeys, hardware security keys and true password-less methods — are becoming viable for everyday users, not just enterprises. While there is scepticism that they’re expensive or complex, he says the opposite: “When people see logging in is faster, password resets are fewer, and access is easier, they embrace it naturally.”

Market analysts forecast significant growth in such authentication solutions in Singapore and the region, as companies and individuals align with regulatory pressures and digital-economy demands.

A cyber-safe culture starts with you

For Schomburgk, cybersecurity is ultimately a collective mission. He notes that about 43 % of Singaporeans remain unsure if their accounts are truly secure, despite high adoption of MFA. 

His simple guidance: use phishing-resistant authentication wherever possible, keep devices and apps updated, and always verify unexpected requests through trusted channels.

He also emphasises that organisations can drive national change. “Workplaces are where most people learn security behaviours,” he says. “By embedding good practices — like mandatory MFA, regular refreshers and consistent training — companies can raise the country’s overall digital resilience.”

When asked what he would say to Singaporeans who think cybersecurity is someone else’s job, his answer is firm yet encouraging: “It’s your responsibility to lock your own digital doors. Cybersecurity isn’t about fear, it’s about empowerment.”