\n
Every security leader BlackBerry surveyed in Singapore knew the same thing: consumer messaging apps are being used inside their organisation for sensitive work. All of them, 100 percent, acknowledged it, the only country in the study to reach complete awareness. And 94 percent confirmed the app in question is usually WhatsApp, well above the 83 percent global average and the highest rate anywhere surveyed.<\/p>\n
That is the uncomfortable opening to \u201cThe State of Secure Communications 2026<\/u>\u201d, a BlackBerry Secure Communications study of 700 security decision-makers across government and critical infrastructure organisations in Singapore, Canada, the United Kingdom and the United States, conducted by OnePoll. For one of the world\u2019s most digitally advanced markets, the Singapore findings describe a wide gap between how secure leaders feel and how exposed they actually are, and the report traces that gap to a single misunderstanding about what end-to-end encryption<\/b> (E2EE) really protects.<\/p>\n
The numbers behind the headline are stark. Some 40 percent of Singapore respondents estimate that more than half of their organisation\u2019s mission-critical conversations took place on consumer apps over the past three months, against a global average of 27 percent. The average estimated share of sensitive conversations happening on consumer platforms is 36.9 percent, again the highest globally:<\/p>\n<\/p>\nTable of contents<\/p>\n
<\/default:svg><\/button><\/p>\n\n1. Encryption blindness<\/li>\n 2. The threats they fear are the ones encryption ignores<\/li>\n 3. The threat is not theoretical here; it has already happened<\/li>\n 4. Why nobody puts WhatsApp down<\/li>\n 5. Strong procurement, pointed at the wrong target<\/li>\n 6. A correction happening in real time<\/li>\n 7. Crisis tools that fold under pressure<\/li>\n 8. What to do before the next compromise<\/li>\n<\/ol>\n<\/section>\n\n
\nWhatsApp leads the list of apps in use<\/li>\n Teams at 56 percent,<\/li>\n Personal email at 47 percent<\/li>\n Telegram at 41 percent<\/li>\n SMS at 31 percent<\/li>\n WeChat at 26 percent<\/li>\n iMessage at 17 percent<\/li>\n<\/ul>\n<\/div>\nWhatsApp, in other words, has quietly become the default channel for work that should never have left a controlled environment, creating what the report calls a single point of failure on a foreign-controlled platform.<\/p>\n
Encryption blindness<\/h2>\n\nJonathan Jackson, Field CISO for APAC at BlackBerry Secure Communications<\/p>\n
Photo: Blackberry<\/p>\n<\/figcaption><\/figure>\n
The thing holding this behaviour up is a belief that encryption has it covered. Across all four markets, 88 percent of security leaders said they were confident in their messaging apps, yet 90 percent of those relying on E2EE held at least one fundamental misconception about what it protects. Singapore\u2019s misconception rate matched that of 90 percent, which BlackBerry frames bluntly in the interview version of the research, titled \u201c88% Confident, 90% Misled\u201d.<\/p>\n
\u201cThe security industry has gradually allowed the label E2EE to become shorthand for secure,\u201d said Jonathan Jackson, Field CISO for APAC at BlackBerry Secure Communications. \u201cConsumer platforms built their entire marketing identity around that label. That doesn\u2019t mean security professionals are failing. They\u2019re responding rationally to the information they\u2019ve been given.\u201d The deeper problem, he said, is that encryption only protects one layer, message content in transit, while leaving identity, device integrity and metadata exposed. Adversaries do not need to break it. They work around it, through users, devices and verification.<\/p>\n
What sets Singapore apart is the depth of the misunderstanding. Asked what E2EE actually does, 52 percent believed it prevents backdoor access, 51 percent thought it protects message content, and 49 percent assumed personal metadata is safeguarded. Some 70 percent believed E2EE alone makes a communications system secure, and 11 percent were unsure, nearly double the global average of 6 percent. The reality is narrower than any of that: E2EE secures content in transit, but it does not verify who you are talking to, stop impersonation or deepfakes, hide metadata, or protect a compromised device.<\/p>\n
Christine Gadsby, BlackBerry\u2019s Chief Security Advisor for Secure Communications, puts the identity gap in one line. \u201cA phone number is not a verified identity,\u201d she said. \u201cConsumer messaging apps encrypt content in transit, but they don\u2019t verify who you\u2019re communicating with, a gap that recent global advisories show is already being exploited.\u201d<\/p>\n
The threats they fear are the ones encryption ignores<\/h2>\n\nThere is a misplaced feeling of security around encryption<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
Here is the paradox at the centre of the Singapore data. The risks local leaders rank as their top concerns are precisely the ones E2EE does nothing about. Metadata leakage tops the list at 65 percent (against 55 percent globally), followed by impersonation and deepfakes at 59 percent (50 percent globally) and telecom infrastructure compromise, also 59 percent and the highest rate of any country. Confidence in protection against device compromise is the lowest in the study, with only 61 percent expressing net confidence versus a 72 percent global average, and just 10 percent saying they are very confident.<\/p>\n
So the awareness is there. As the report puts it, this is not a lack of risk awareness but a behavioural gap: leaders clearly see the structural threats, yet day-to-day tool choices are still driven by immediacy, integration and cost, especially when a risk like metadata exposure feels indirect or probabilistic. Jackson breaks down what that gap costs when something goes wrong. On identity, an attacker who takes over an account inherits a trusted one, and every instruction or alert sent from it becomes suspect, which he calls operational paralysis rather than theoretical risk. On devices, encryption protects the channel, not the endpoint, so a compromised phone can leak plaintext before encryption is ever applied. And on metadata, even with content encrypted, who is talking to whom, when and how often can expose command structures and signal activity before a single message is read. For a government, a bank or an infrastructure operator, he notes, that metadata is itself an intelligence asset.<\/p>\n
The threat is not theoretical here; it has already happened<\/h2>\n\nA slew of messageing apps are insecure<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
Singapore\u2019s situation is more difficult than most because the network beneath those apps has already been hit. In February 2026<\/u>, the Cyber Security Agency of Singapore and the Infocomm Media Development Authority disclosed that the China-linked espionage group UNC3886 had run a deliberate, well-planned campaign against the country\u2019s telecommunications sector, with all four major operators, M1, SIMBA Telecom, Singtel and StarHub, among those targeted. The disclosure followed Coordinating Minister for National Security K. Shanmugam\u2019s July 2025 warning<\/u> that an advanced persistent threat actor was inside the country\u2019s critical infrastructure, and the multi-agency response was codenamed Operation Cyber Guardian. Investigators found the intruders accessed some systems but did not disrupt services or steal customer data.<\/p>\n
That history shows up directly in the survey, where 59 percent of Singapore respondents worry their networks could be monitored or disrupted, the highest figure globally. Jackson reads the combination as awareness that has not yet changed behaviour. \u201cOrganisations know their telco infrastructure has been targeted, but the instinct is to treat that as an infrastructure problem rather than a communications tool problem,\u201d he said. \u201cThe two are connected.\u201d The 2026 threat picture, he argues, is a hybrid one: campaigns like Salt Typhoon, which sat undetected in US telecom networks for nearly two years harvesting calls, SMS and metadata, and UNC3886 targeted the network, while newer campaigns hit the app layer at the same time, run by the same state-backed actors.<\/p>\n
Then there is the local, app-level proof. On 12 March 2026, Jackson said that the Singapore Police issued an advisory warning about active WhatsApp account takeovers<\/u> through one-time password exploitation and social engineering, with attackers spreading laterally through trusted contacts. \u201cThe Singapore Police advisory is significant because it confirms this is active, real-world exploitation in the ASEAN region, and not a European or American problem being monitored from a distance,\u201d he said. \u201cSingapore organisations need to treat this as a domestic threat requiring a domestic response.\u201d<\/p>\nWhy nobody puts WhatsApp down<\/h2>\n\nDespite the issues, we love WhatsApp too much to stop using it<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
If the risk is this well understood, why does the behaviour persist? Jackson\u2019s answer is an availability gap. \u201cKnowing the risk doesn\u2019t resolve the operational problem of what to use instead when partners, agencies, and supply chain contacts are all on WhatsApp,\u201d he said.\u00a0<\/p>\n
Consumer apps win by making it frictionless to message across organisational and jurisdictional lines, which is fine for friends and family but not for sensitive government or commercial work. A secure alternative, he argues, has to match that ease, or the behaviour will not shift, no matter how high the risk awareness climbs.<\/p>\n
The encouraging signal in the Singapore data, he said, is that the appetite is there. Singapore leads the study on procurement rigour, with 67 percent prioritising certifications (against 61 percent globally) and 57 percent prioritising national directives (against 48 percent), and it shows the lowest reliance on vendor marketing claims at 33 percent. \u201cThe institutional appetite for purpose-built, sovereign communications is stronger in Singapore than almost anywhere else we surveyed,\u201d Jackson said. In his view, readiness and the live threat environment create the conditions for change if a usable alternative is actually deployed.<\/p>\n
Strong procurement, pointed at the wrong target<\/h2>\n\nSoverign control can be a pradox<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
That procurement discipline comes with a catch, and it is where Jackson is most pointed. Certifications, he said, only matter if they validate the right design, and the rigour breaks down at the specification stage. \u201cIf procurement criteria specify E2EE certification and metadata protection isn\u2019t in scope, the certification is silent on metadata. If identity verification isn\u2019t specified, the certification doesn\u2019t address it. You get exactly what you ask for.\u201d His reference point is the recent wave of European intelligence guidance<\/u>, which did not say Signal\u2019s encryption was broken, but that, despite it, the app should not carry classified or sensitive information. The certification was accurate. What it certified was too narrow for the job.<\/p>\n
The result is what the report calls a sovereignty paradox. While 55 percent of organisations globally say sovereign control is a priority, 47 percent of Singapore respondents prioritise full sovereign control over their communications infrastructure, the lowest of any country, and 39 percent prioritise ease of global connectivity, the highest. At the same time, 97 percent report using foreign-hosted consumer platforms. When choosing tools, Singapore organisations rank integration (59 percent, the highest globally) and cost (49 percent) above domestic or sovereign ownership (34 percent, the lowest). Jackson adds a governance dimension that should resonate locally: Europe\u2019s shift is being driven as much by record-keeping as by security, because governments need to capture, audit and retrieve communications, and consumer apps sit outside that control, often under foreign jurisdiction. Singapore\u2019s own data governance and freedom-of-information frameworks, he argues, create the same pull.<\/p>\n
A correction happening in real time<\/h2>\n\nWould you develop your own app?<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
Much of Jackson\u2019s argument leans on what he describes as a fast, coordinated international correction through the first half of 2026. By his account, Germany\u2019s BfV and BSI raised the alarm in February, Google\u2019s Threat Intelligence Group documented Russia-aligned actors abusing Signal\u2019s \u201clinked devices\u201d feature to gain persistent access, Portugal\u2019s SIS and the Dutch MIVD followed, a joint CISA and FBI advisory landed on 20 March, and the UK\u2019s NCSC issued its own on 31 March. The independent record backs the broad shape of this.\u00a0<\/p>\n
In early April 2026, Politico reported that the European Commission<\/u> ordered senior officials to shut down a Signal group chat over hacking fears, and that France, Germany, Poland, the Netherlands, Luxembourg and Belgium had begun rolling out their own government-controlled messengers<\/u>, with the Commission aiming to complete its own transition by year\u2019s end and NATO already running its own system. Belgium\u2019s replacement is an app called BEAM; Germany is using technology from Wire.<\/p>\n
For Jackson, the lesson for Singapore is a choice. \u201cThe question is whether they wait for a domestic incident of sufficient severity to drive the same response, or whether they treat the allied intelligence community\u2019s coordinated warning as sufficient justification to act now,\u201d he said. He is careful, when asked whether BlackBerry includes itself in the industry\u2019s marketing critique, to point at the external bodies rather than the vendor: when independent agencies say these platforms should not carry sensitive work regardless of their encryption credentials, that is a correction no marketing can paper over. BlackBerry\u2019s pitch, he said, is that its claims rest on the highest level of certifications from external government and standards bodies rather than self-attestation, and that it works with NATO and most of the G20 and ASEAN member nations. The report notes 38 percent of organisations still rely on vendor self-attestations rather than independent verification.<\/p>\n\n\u00a090 percent of respondents said they are confident in their crisis response<\/p>\n
Photo: Pexels<\/p>\n<\/figcaption><\/figure>\n
The exposure gets more acute in an emergency. Some 90 percent of respondents said they are confident in their crisis response, yet 51 percent lack a unified Critical Events Management platform<\/u> and would coordinate a major incident over group chats and email threads. Group chats are the most common crisis tool at 56 percent, email threads next at 53 percent, and phone trees at 19 percent, each of them, Jackson notes, dependent on exactly the layers the advisories say are being targeted. He points to the European Commission\u2019s Signal shutdown<\/u> as a live example of the confidence gap in a real crisis. At the moment, senior officials most needed a channel, the channel had to be abandoned because there was no secure alternative ready.<\/p>\n
Layered on top is the longer game. The report describes a \u201charvest now, decrypt later\u201d threat that is already operational, with state actors collecting encrypted traffic today to read once quantum decryption becomes viable. Some 61 percent of respondents expect quantum computing threats within five years, yet 78 percent have not implemented post-quantum cryptography. The relevant question, Jackson argues, is not when quantum arrives but how long today\u2019s data needs to stay secret, and when it first became a target for collection, which, for diplomatic, financial and infrastructure data in Singapore, could be years or decades.<\/p>\n
What to do before the next compromise<\/h2>\n For organisations that cannot swap platforms overnight, Jackson\u2019s single most useful step is to act on the public advisory guidance now, without waiting for a procurement decision. Audit the linked and registered devices on every messaging platform in use and remove any you do not recognise, since the Signal \u201clinked devices\u201d feature is active by default on every installation. Do not share verification codes or scan unknown QR links, verify suspicious messages through a separate channel, and watch for unfamiliar devices or unexpected group participants. Then map your metadata exposure, identify your highest-risk conversations and what a compromise of each would cost, and move those onto a more controlled channel even before any full migration.<\/p>\n
There is one more Singapore data point that frames the whole report. Asked whether they would be surprised if their sensitive communications were compromised tomorrow, only 78 percent of Singapore respondents said yes, the lowest rate globally against an 86 percent average. Many already expect their current tools to fall short. The pattern the study lands on is consistent: heavy use of consumer apps for sensitive work, a misunderstanding of what encryption protects, and continued exposure to the high risks leaders say worry them most. Closing it, BlackBerry argues, takes more than encryption. The open question is whether organisations move first or wait until a compromise makes the decision for them.<\/p>\n<\/div>\n
Read Full Article At Source <\/a>Every security leader BlackBerry surveyed in Singapore knew the same thing: consumer messaging apps are being used inside their organisation for sensitive work. All of…<\/p>\n","protected":false},"author":1,"featured_media":1864,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[32],"tags":[],"class_list":["post-62072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-gadgets-reviews","wpcat-32-id"],"_links":{"self":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts\/62072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62072"}],"version-history":[{"count":0,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=\/wp\/v2\/posts\/62072\/revisions"}],"wp:attachment":[{"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgbuzz.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}