Centre For Cybersecurity Institute

Top 10 cybersecurity mistakes employees make (and how to fix them)

The ten most common employee cybersecurity mistakes in Singapore workplaces, with practical fixes for each — from password reuse to physical access gaps.

By James Lim, CEO and Head of Training · Published 19 June 2026 · Updated 19 June 2026 · 7 min read

Human error remains the weakest point in most Singapore organisations' defences. Organisations invest in firewalls and endpoint protection, yet breaches still happen, most commonly because an employee clicks a suspicious link, reuses a password, or leaves a screen unlocked. Technical controls are essential, but they cannot fully compensate for untrained people. These are the ten mistakes your workforce is most likely making right now, and the practical steps to address each one.

1. Reusing passwords across multiple accounts

When a service your employee uses is breached, a common occurrence, attackers replay the leaked username and password against banking portals, email, CRM, and HR systems, a technique called credential stuffing. If the password matches anywhere, they are in.

Fix: Deploy an enterprise password manager so every account gets a unique, randomly generated credential. Incorporate password hygiene into onboarding and annual refreshers. At the system level, enforce a minimum length and screen new passwords against lists of known-breached passwords; composition rules (one uppercase, one digit, one symbol) do little against reuse and are no longer recommended by NIST SP 800-63B. Enable multi-factor authentication wherever it is offered, so that a reused password on its own is not enough to log in.
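As an added example that is not part of this article or CFCI's materials, the screening check described above in Python: minimum length, no username inside the password, and a breached-password lookup using the k-anonymity range protocol that Have I Been Pwned's Pwned Passwords API popularised (the client sends only the first five hex characters of the SHA-1 and matches the rest locally). The breach corpus and the range server are constructed stand-ins so the code runs offline; in production fetch_range() would be an HTTPS GET to the real range endpoint.

```python
"""Password screening in the NIST SP 800-63B style: a minimum length, no
username inside the password, and a check against known-breached passwords
via the k-anonymity range protocol (only a 5-char SHA-1 prefix leaves the
client). Added example, not CFCI's code. _BREACHED_PASSWORDS is a constructed
corpus and fetch_range() stands in for the HTTPS call to a real range endpoint.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumption: length, not composition rules, is the policy lever

# Constructed corpus; a real one has hundreds of millions of entries.
_BREACHED_PASSWORDS = {"password123": 1_300_000, "Welcome1": 9_800, "Singapore2024!": 42}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index(corpus: dict) -> dict:
    """Group hashes by 5-char prefix, exactly as the range endpoint serves them."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = _sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_BREACHED_PASSWORDS)


def fetch_range(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: 'SUFFIX:COUNT' lines for every breached
    hash that shares the prefix. The server never learns the full hash."""
    return "\n".join(_RANGE_INDEX.get(prefix.upper(), []))


def breach_count(password: str) -> int:
    """Number of times the password appears in the breach corpus (0 if unseen)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, username: str = "") -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears in known breaches ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "Singapore2024!", "correct-horse-battery-staple"):
        print(candidate, "->", evaluate_password(candidate) or "ok")
```

The point of the range protocol is that the full password, and even its full hash, never leaves the organisation: the server only ever sees a five-character prefix shared by hundreds of hashes. Wiring evaluate_password() into account creation and password change rejects a breached password at the source instead of discovering it after a credential-stuffing attempt.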

2. Falling for phishing and social engineering

Phishing is the most common entry point for cyberattacks globally. Business Email Compromise (BEC) — where an attacker impersonates a CEO or supplier to authorise a payment — causes significant financial harm, including to Singapore firms.

Fix: Layer AI-based email filtering with simulated phishing exercises run at least quarterly. Teach the SLAM method: check the Sender address carefully, inspect Links before clicking, treat Attachments with suspicion, and assess the Message for unusual urgency or authority. A clear, blame-free reporting channel is equally important — employees who spot something need to know exactly who to tell.
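The SLAM checks above can also be automated as a triage aid. The Python below is an added example, not code from CFCI's workshop: it parses a raw email, then flags an untrusted sender domain (and an executive title on an external sender), link text that disagrees with the link's real destination, executable or double-extension attachments, and urgency cues in the subject and body. The two messages, the trusted-domain list, the extension list and the keyword list are constructed assumptions that an organisation would tune for itself.

```python
"""SLAM checks (Sender, Links, Attachments, Message) over a raw email.
Added example, not CFCI's code: the two messages, TRUSTED_DOMAINS,
RISKY_EXTENSIONS and URGENCY_WORDS are constructed assumptions."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")
URGENCY_WORDS = ("urgent", "immediately", "today", "wire transfer", "confidential")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

SAMPLE_EMAIL = """\
From: "Tan Wei Ming (CEO)" <ceo@example-corp-secure.net>
Subject: URGENT: wire transfer needed before 5pm today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please process the attached invoice immediately and keep this
confidential. Approve it at <a href="http://192.0.2.10/login">https://portal.example.com</a>.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ(binary payload omitted)
--b1--
"""
BENIGN_EMAIL = """\
From: Alice Tan <alice.tan@example.com>
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Shall we do 12:30 at the usual place? Alice
"""


class _LinkCollector(HTMLParser):
    """Pairs each <a href> with its visible text so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def slam_check(raw: str) -> dict:
    """Return {"sender": [...], "links": [...], "attachments": [...], "message": [...]}."""
    msg = message_from_string(raw, policy=policy.default)
    flags = {"sender": [], "links": [], "attachments": [], "message": []}

    # S: the address, not the display name, decides whether the sender is trusted
    addr = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    domain = addr.domain.lower() if addr else ""
    if domain not in TRUSTED_DOMAINS:
        flags["sender"].append(f"external sender domain: {domain or '(none)'}")
        if addr and re.search(r"\b(ceo|cfo|coo|director)\b", addr.display_name, re.I):
            flags["sender"].append("executive title in display name of an external sender")

    # L: visible link text versus the real destination
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if IP_LITERAL.match(host):
            flags["links"].append(f"link to a raw IP address: {href}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != host:
            flags["links"].append(f"link text shows {shown} but goes to {host}")

    # A: attachment names that are executable or hide a second extension
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags["attachments"].append(f"executable attachment: {name}")
        elif name.count(".") > 1:
            flags["attachments"].append(f"double extension: {name}")

    # M: urgency and secrecy cues in subject and body
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    for word in URGENCY_WORDS:
        if word in text:
            flags["message"].append(f"urgency cue: {word}")
    return flags


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Three or more SLAM flags: report it rather than act on it."""
    return sum(len(v) for v in slam_check(raw).values()) >= threshold
```

Heuristics like these complement the employee's own judgement rather than replace it: a well-crafted BEC message may carry no link or attachment at all and rely on urgency and authority alone, which is why the M in SLAM deserves as much attention as the other three letters.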

3. Ignoring software updates and patches

Every unpatched vulnerability is an open window. Attackers actively scan for systems running known unpatched versions and exploit them within days of a public disclosure.

Fix: Automate patching wherever possible using a mobile device management or endpoint management platform. Set a maximum patch window (72 hours for critical vulnerabilities is a common benchmark) and track compliance. Make patch management a reported metric, not an afterthought.
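To make the patch window a reported metric, as the fix suggests, a small compliance report is enough. The Python below is an added example, not CFCI's or any vendor's code: the SLA tiers (72 hours for critical, longer tiers below it), the inventory and the report date are constructed assumptions, and the advisory names are placeholders rather than real identifiers.

```python
"""Patch-window compliance report: classify each finding against a
severity-based SLA and compute the metric the page recommends tracking.
Added example, not CFCI's code. SLA_DAYS, INVENTORY and REPORT_DATE are
constructed assumptions; advisory names are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: 72 hours for critical (the page's benchmark), longer tiers below it.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


@dataclass
class Finding:
    host: str
    advisory: str          # placeholder label, not a real advisory identifier
    severity: str
    disclosed: date        # public disclosure date; the SLA clock starts here
    patched: Optional[date] = None


def deadline(f: Finding) -> date:
    return f.disclosed + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """on_time / late for patched findings; open / overdue for unpatched ones."""
    due = deadline(f)
    if f.patched is not None:
        return "on_time" if f.patched <= due else "late"
    return "overdue" if today > due else "open"


def compliance_report(findings, today: date) -> dict:
    """Counts per status, SLA compliance percentage and the overdue list.
    Compliance = on_time / (on_time + late + overdue); findings still inside
    their window are not yet scored."""
    counts = {"on_time": 0, "late": 0, "overdue": 0, "open": 0}
    overdue = []
    for f in findings:
        s = status(f, today)
        counts[s] += 1
        if s == "overdue":
            overdue.append((f.host, f.advisory, (today - deadline(f)).days))
    scored = counts["on_time"] + counts["late"] + counts["overdue"]
    pct = round(100.0 * counts["on_time"] / scored, 1) if scored else 100.0
    return {"counts": counts, "compliance_pct": pct, "overdue": overdue}


# Constructed inventory as of the report date.
REPORT_DATE = date(2026, 6, 19)
INVENTORY = [
    Finding("fin-ws-01", "browser-advisory-A", "critical", date(2026, 6, 10), date(2026, 6, 12)),
    Finding("fin-ws-02", "browser-advisory-A", "critical", date(2026, 6, 10)),
    Finding("hr-srv-01", "os-advisory-B", "high", date(2026, 6, 1), date(2026, 6, 17)),
    Finding("web-01", "library-advisory-C", "medium", date(2026, 6, 15)),
    Finding("print-01", "firmware-advisory-D", "low", date(2026, 5, 1), date(2026, 6, 1)),
]

if __name__ == "__main__":
    report = compliance_report(INVENTORY, REPORT_DATE)
    print(report["counts"], f"compliance {report['compliance_pct']}%")
    for host, advisory, days in report["overdue"]:
        print(f"OVERDUE {host} {advisory} {days} day(s) past deadline")
```

Starting the clock at public disclosure rather than at ticket creation is deliberate: attackers scan from disclosure onward, and a ticket opened late should not reset the window. In practice the inventory comes from the endpoint management platform's export and the report runs on a schedule, with the overdue list going to the asset owners.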

4. Using weak or default credentials on devices and systems

Network-attached storage devices, routers, cameras, and printers often ship with default credentials that are publicly documented online. Ransomware operators routinely scan for them.

Fix: Change every default password and disable unused default accounts before a device is connected to the network; renaming an admin account does not help if its password is still the one printed in the manual. Conduct a quarterly credential audit across all networked devices, including shadow IT that departments have set up independently, and keep device management interfaces off the internet wherever possible. Enforce multi-factor authentication (MFA) on all internet-facing systems.

5. Mishandling sensitive data

Saving customer records to a personal USB drive, emailing an unencrypted spreadsheet of client data, or sharing files via a personal cloud account — each is a potential Personal Data Protection Act (PDPA) breach in Singapore, with reputational and regulatory consequences.

Fix: Implement Data Loss Prevention (DLP) controls that flag or block unauthorised data transfers. Introduce a clear data classification scheme (public, internal, confidential, restricted) and train staff on how it applies to their daily tasks. Audit cloud storage authorisations regularly.

6. Connecting to unsecured public Wi-Fi

Public Wi-Fi at airports, cafés, and hotels is where attackers set up rogue access points and capture whatever is not encrypted. HTTPS now protects most web traffic, but DNS lookups, older protocols, and anything typed into a fake captive-portal login page are still exposed, and a rogue network can present a convincing copy of the corporate webmail or VPN sign-in. Credentials, session cookies, and sensitive communications are all at risk, a concern for Singapore's highly mobile workforce.

Fix: Mandate VPN use on all company devices whenever staff connect outside the office network. Enforce this through device management policy rather than relying on individual discipline. Consider a zero-trust architecture that verifies every connection regardless of network origin.

7. Using personal devices without security controls

Bring-your-own-device (BYOD) arrangements can introduce unmanaged, potentially compromised endpoints into your environment. A personal laptop with outdated software and no endpoint protection is a risk the organisation cannot fully see or control.

Fix: Require all devices accessing company systems to enrol in mobile device management. Define minimum security standards (OS version, antivirus, screen lock, encryption) and enforce them as a condition of access. Have employees sign a clear BYOD policy so expectations are documented.

8. Sharing login credentials

Shared accounts make accountability impossible. When a file is deleted, a transaction is made, or a system is accessed, no audit trail can attribute it to an individual — complicating incident response and regulatory reporting.

Fix: Eliminate shared accounts. Implement role-based access control (RBAC) so each person has the minimum access required for their role. Use Single Sign-On (SSO) to reduce the burden of managing multiple credentials while maintaining individual accountability. Where an account genuinely cannot be individual (a service account, an emergency break-glass login), keep it in a privileged access vault that records who checked the password out and when, so the audit trail still leads to a person.

9. Neglecting physical security

A laptop left unlocked for a few minutes in an open-plan office, a printed document left on a desk, a tailgating visitor who was never challenged — physical security gaps are among the easiest for an insider threat or opportunist to exploit.

Fix: Enforce a clean-desk policy. Set automatic screen locks to engage after two minutes of inactivity. Enable full-disk encryption on all devices so a lost or stolen laptop does not become a data breach. Run physical security walkthroughs as part of your periodic security reviews.

10. Treating cybersecurity as an IT problem

When leaders view cybersecurity as something the IT department handles, staff follow their cue, and attackers exploit the resulting gap in vigilance. Executives are also prime targets: BEC and credential phishing aimed at senior staff succeed most easily when leaders exempt themselves from the training and MFA requirements everyone else follows.

Fix: Leadership must model good behaviour: completing training, discussing incidents openly, and funding a security programme rather than treating it as a cost to minimise. A Security Champion programme — where non-technical staff in each team become the local point of contact for security questions — distributes responsibility effectively.

Why awareness training makes the difference

Each of the mistakes above has a technical mitigation, but technical controls are most effective when the people using them understand why the control exists. Organisations that run regular, scenario-based cybersecurity training see a measurable reduction in incidents — not because the technology changed, but because behaviour did.

Good training is practical, brief, and role-relevant. Finance teams need to understand BEC scenarios. Customer service staff need to understand PDPA obligations. Developers need to understand secure code practices. A single generic slide deck shared annually rarely moves the needle; contextualised, interactive sessions do.

CFCI’s corporate workshop, Cyber Safety: Empowering Employees in Digital Defence, is designed around exactly this principle. It covers the ten risk areas above through interactive exercises and realistic scenarios tailored to your industry, without requiring any technical background from participants.

For a broader look at how Singapore organisations can build a security-aware workforce, see our guide to corporate cybersecurity awareness training in Singapore.

What to do next

If you are thinking about where to start, an honest assessment of your current security culture is the right first step — before purchasing tools or writing policies. CFCI offers a free information session where you can explore the options, ask questions specific to your sector, and understand what a structured approach looks like in practice.

Visit cfci.com.sg/courses/info-session to book a place — no commitment required.

Frequently Asked Questions

What is the most common cybersecurity mistake employees make?

Password reuse is one of the most widespread and dangerous habits. When credentials from one breached service are tested against others — a technique called credential stuffing — a single weak link can open many doors. Enforcing unique, complex passwords through a password manager is the fastest fix.

How do you protect employees from phishing attacks in Singapore?

Layer technical controls (AI-based email filtering, plus SPF, DKIM and a DMARC policy set to quarantine or reject, so that mail spoofing your own domain is blocked before it reaches an inbox) with regular simulated phishing exercises and a simple reporting process. Employees who know what to look for and feel safe reporting suspicious emails become your first line of defence.

Is cybersecurity training relevant for non-technical staff?

Absolutely. Most breaches involve a human action — a click, a shared password, an unlocked screen — not a technical failure. Cybersecurity awareness is relevant from interns to executives, regardless of technical background.

How often should Singapore organisations run cybersecurity awareness training?

At minimum, run a full session at onboarding and refresh the entire organisation annually. Supplement with quarterly phishing simulations and short reinforcement campaigns so good habits stay current.
