SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Supply chain cyber breach interconnected office buildings singapore warning icons
#
Malware
#
Ransomware
#
Endpoint Protection

All top 100 Singapore firms hit by third-party cyber breaches

Yesterday
Author image
By Jed Nykolle Harme, Editor

All of Singapore's largest 100 companies experienced at least one third-party cybersecurity breach in the past year, according to a new report from SecurityScorecard.

The study, entitled The State of Cyber Resilience in Singapore, provides an analysis of cyber risk across sectors such as Finance, Technology, Healthcare, Energy, and Agriculture, benchmarking Singapore's performance against that of the UK, Germany, and Australia.

Widespread exposure

The report found that every organisation in Singapore's top 100 by market capitalisation faced at least one security incident stemming from their third-party vendors in the last 12 months. Additionally, 100% were exposed to breaches in their fourth-party ecosystem, meaning incidents affecting the suppliers of their suppliers. Only 5% suffered direct breaches, mostly caused by malware.

The findings reflect what SecurityScorecard describes as systemic challenges to managing digital supply chain risk, even among companies with robust internal cybersecurity policies. The report also notes that companies with an "A" cybersecurity rating were substantially more resilient, with 93% avoiding any known direct breach. Despite this, external dependencies from technology partners, cloud services, and IT providers leave organisations vulnerable.

"Every major company in Singapore is being impacted by risks they don't directly control. As threat actors grow more sophisticated and supply chains more complex, cybersecurity resilience requires constant vigilance across all digital relationships - whether direct, third-party, or fourth-party. The cost of delay is simply too high," said Ryan Sherstobitoff, Chief Intelligence Officer of SecurityScorecard's STRIKE Threat Research and Intelligence Unit. 

Internal strength, external risk

The report establishes a paradox within Singapore's cyber landscape. While 91% of companies received an "A" rating for internal cybersecurity hygiene, nearly all of these firms still suffered breaches through third- and fourth-party providers. This illustrates the challenge of managing external risks that go beyond an organisation's direct control.

One recent case cited in the report occurred in early 2025, when a ransomware attack on a local IT services company disrupted operations at several public agencies and exposed personal data from over 100,000 individuals. The incident underscored how attacks against service providers can generate broader impacts across critical sectors.

Sector analysis

SecurityScorecard's research found that the Agriculture, Energy, and Healthcare sectors in Singapore had particularly strong internal defences, with all assessed firms achieving an "A" grade and zero direct breaches. Nonetheless, these sectors remained entirely exposed to third-party incidents.

The Financial sector achieved a 90% A-rating, well above the European average of 39%. Despite these strong scores, it was not immune to third-party compromise. The Technology sector, which also rated highly in terms of internal posture, experienced the highest rate of direct breaches at 40%. This indicates that internal measures do not negate risks stemming from external digital relationships.

Types of breaches

The report offered a breakdown of the nature of the breaches experienced. Data leaks accounted for 72% of third-party incidents, reflecting possible deficiencies in vendor data handling protocols or access controls. Phishing represented 13% of breaches, remote access attacks accounted for 8%, malware infections 3%, and ransomware for 2%.

International context

Comparatively, Singapore had a higher third-party breach rate for top companies than Australia (97%) and far exceeded averages seen within Europe. Only 4% of Singapore's largest firms fell into the lowest cybersecurity ratings ("C" or below), compared to 24% in the UK, 34% in Germany, and 41% in Italy.

This global picture demonstrates that, despite outperforming peers in internal cybersecurity management, Singapore faces similar challenges in the domain of external digital risk.

Industry recommendations

"As threats become embedded deep within digital supply chains, cybersecurity is no longer just about what's within the firewall," Sherstobitoff added. "Organisations must take ownership of their entire digital ecosystem. Resilience is not a competitive advantage anymore - it's a baseline expectation."

The report urges Singaporean organisations to strengthen third- and fourth-party risk monitoring, improve DNS configuration and endpoint protection, and ensure regular patching. Procurement and vendor management should be better aligned with cybersecurity performance standards, and organisations are encouraged to use cyber ratings to benchmark and enhance their supplier resilience.

SecurityScorecard also stressed that organisations should treat cyber risk as a strategic business issue rather than a purely technical challenge.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Digital attack surfaces expand as key exposures & risks double
ManageEngine AD360 adds identity risk & MFA to combat breaches
Siren & Flashpoint partner to boost intelligence investigations
60% of enterprise firewalls fail initial compliance - study
Tenable boosts vulnerability priority rating with advanced AI

Top stories

Global ransomware attacks drop 43% but threats evolve quickly
PT KAI partners with Zimbra for secure & sovereign email upgrade
Motorola unveils 'AI nutrition labels' for safety technologies
System administrators drive Asia’s AI success amidst rapid change
CREST launches staged programme to guide firms to full cyber accreditation