Singapore’s digital defences have reached a perilous inflection point — the numbers do not lie. Malware-infected systems more than doubled to 284,300 in 2025, up from 117,300 in 2024. That stark escalation is not abstract; it is a chain of small, avoidable failures that combine into large, painful outages for businesses and citizens alike.
The Cyber Security Agency of Singapore (CSA) attributed the rise to persistent malicious activity and better detection of botnet devices. Botnet devices — hijacked computers, servers and IoT gadgets — are the fuel for orchestrated attacks. They are cheap to assemble and devastating when deployed at scale. The market answer? Malware-as-a-service continues to be ruthlessly profitable. Low-cost tooling, sold on underground forums, means sophistication is no longer the gatekeeper it used to be.
Why the surge matters to SMEs
Small and medium enterprises shoulder disproportionate harm. Limited security budgets, legacy systems, and a shortage of time create a perfect storm. A baker in Tampines discovered encrypted files on a holiday morning; orders went unfulfilled, panic spread through WhatsApp groups, and revenue evaporated for three days. The emotional toll was visible: frustration, disbelief, and anger. Recovery required paying for forensics and paying staff overtime — a burn many small shops cannot afford.
Ransomware cases edged up to 165 in 2025 from 159 in 2024. Not a dramatic leap, but every incident represents operational paralysis for a business. The Cyber Resilience Centre exists to help with health checks and recovery, but uptake and awareness must accelerate.
IoT and routers: the weakest links
Consumer internet-of-things devices remain a glaring vulnerability. Many are shipped with insecure defaults, outdated firmware and poor communication security. The good news: new rules are coming. By end-2027, all residential routers sold here must meet more stringent Level 2 requirements under CSA’s Cybersecurity Labelling Scheme. That means stronger communications security, safer storage of sensitive data and solid verification methods for users. Currently, Level 1 requirements — unique default passwords and updated software — are the baseline. Level 2 will force manufacturers to raise their game.
This is not optional; it is mandatory if the ecosystem is to make meaningful progress. Consumers cannot be expected to mitigate systemic risks single-handedly. Regulations of this kind reduce the attack surface and, frankly, save lives — and livelihoods.
AI: a force multiplier for attackers
The report hits home with a chilling reality: AI agents and frontier models are being weaponised. Vulnerabilities that used to be exploited in days are now weaponised in minutes or hours. Threat actors exploit speed and scale, employing agentic models to automate reconnaissance, exploit development, and even evasive malware behaviour. The emergence of tools like Anthropic’s Mythos and the misuse of open-source agents such as OpenClaw have shortened the learning curve for attackers. Less-skilled criminals can now mount sophisticated campaigns.
And it gets worse. AI is fuelling more convincing scams: voice clones, deepfake videos and automated phishing campaigns that bypass multi-factor authentication. The results: trust erosion and a rise in targeted social engineering. The assault is not only technical; it is psychological. The sense of violation after being impersonated or duped is visceral.
Phishing and impersonation trends
Reported phishing cases fell to about 4,800 in 2025 from 6,100 in 2024. That decrease is double-edged. On the surface, it looks encouraging. Yet underreporting remains a major blind spot — many incidents never reach authorities or banks. When phishing does get reported, the banking and financial services sectors are the prime targets, followed by government and logistics. Intriguingly, many attacks impersonated foreign financial institutions unfamiliar to most local consumers, increasing the risk of successful deception.
“We thought it was just slow internet,” recalled one logistics manager after a breach disrupted shipment tracking. “Until the invoices started arriving from fake vendors.”
That anecdote is telling: the first sign is rarely an obvious red alert. It starts small and then escalates. Time is the attacker’s ally.
Practical, urgent steps for businesses
- Upgrade router and IoT device hygiene now. Replace or patch devices that cannot meet Level 2 expectations.
- Adopt network segmentation so a single infected device cannot compromise critical systems.
- Deploy continuous monitoring and hunt for botnet activity rather than waiting for an incident.
- Use multi-layered authentication that goes beyond SMS-based MFA; biometrics and hardware tokens help.
- Train staff with realistic phishing simulations — repetition breeds recognition.
- Engage the Cyber Resilience Centre for recovery planning and tabletop exercises.
These are not optional boxes to tick. They are shields. Businesses that treat security as a compliance item rather than an operational imperative will pay more — in brand damage, lost revenue and legal exposure.
Leadership and the road ahead
Change is already underway at the top: the outgoing commissioner David Koh flagged the accelerating threat landscape, and the baton will pass to Gwenda Fong. Leadership matters. Policy changes must align with practical enforcement and consumer protection. The call to action is straightforward: tighten defaults, enforce stronger device standards, and scale detection capabilities that can keep pace with AI-powered attackers.
Singapore’s response cannot be merely reactive. It must be pre-emptive, relentless and practical. This is a national resilience issue as much as it is a business continuity problem. Expect more regulation, clearer labelling, and a push to professionalise security across every level of the economy. For SMEs, the message is blunt: prepare now or pay later.
For those who run businesses, manage IT, or simply rely on the internet to keep daily life moving — treat these numbers as a summons to action. Strengthen the perimeter, harden endpoints, and demand better from device manufacturers. The next crisis will not wait for convenience.

