Cyber hygiene — the everyday security habits that reduce your organisation's attack surface — is not glamorous, but it prevents the majority of successful cyberattacks against Singapore businesses. CSA's Singapore Cyber Landscape reports consistently show that phishing, credential theft, and unpatched vulnerabilities are the primary entry points for attacks. Most of those entry points can be closed by employees practising consistent cyber hygiene. This guide gives Singapore businesses a practical, MAS- and CSA-aligned cyber hygiene programme they can implement without a large security budget.
MAS Notice 655 and CSA Cyber Essentials Alignment
Cyber hygiene requirements for Singapore businesses appear in multiple frameworks:
- MAS Notice 655 (Cyber Hygiene) — applies to all MAS-regulated financial institutions and sets mandatory baseline controls for authentication, patch management, network protection, data loss prevention, and staff security training
- CSA Cyber Essentials — a baseline certification for Singapore SMEs covering asset management, secure configuration, software updates, access control, and malware protection
- MAS TRM Guidelines — broader technology risk management requirements that build on the Notice 655 baseline
For financial institutions, MAS Notice 655 compliance is mandatory. For non-financial Singapore SMEs, CSA Cyber Essentials provides a practical implementation target. Both frameworks converge on the same core controls — the differences are in scope and enforcement.
1. Passwords and Multi-Factor Authentication
The most impactful change any Singapore employee can make is enabling MFA on all accounts. This single control prevents over 99% of automated credential-stuffing attacks and significantly reduces the risk from phishing.
Password Manager Adoption
Employees who use a password manager create unique, strong passwords for every account automatically — eliminating the credential reuse that makes one breach cascade into many. Recommend enterprise password managers (1Password, Bitwarden, LastPass Enterprise) over personal tools for business accounts, as they provide visibility and control for IT administrators.
MFA for All Critical Services
Mandate MFA for: email (Microsoft 365 / Google Workspace), VPN access, remote desktop, cloud platforms, financial systems, and HR/payroll platforms. For high-risk accounts — system administrators, finance approvers, executives — use hardware security keys (FIDO2) rather than SMS-based MFA, which is vulnerable to SIM-swap attacks.
2. Recognising and Reporting Phishing
Singapore employees face phishing attempts that impersonate IRAS, CPF, MAS, SingPass, local banks, and internal IT departments. Key indicators employees should recognise:
- Sender mismatch — display name shows "CPF Board" but email address is from a random domain
- Lookalike domains — cpf-board.sg.mailsvc.com is not cpf.gov.sg
- Urgency pressure — "Your account will be suspended in 24 hours" is a consistent manipulation tactic
- Unexpected attachments or links — legitimate Singapore government agencies do not send unsolicited password reset links
- Requests for credentials — no legitimate service asks you to email or type your password to "verify" your account
When an employee suspects a phishing email: do not click, do not reply, do not forward — report it to IT security using your organisation's designated reporting mechanism. Building a culture where reporting is rewarded (not punished) is as important as recognising the threats.
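The indicators listed above can also be checked mechanically before a message reaches an inbox. The following is an added example (not code from the original guide): it parses a raw e-mail and flags sender mismatch, lookalike domain, urgency pressure and credential requests against a constructed allowlist of official domains; the brand-to-domain table, the phrase lists and both sample messages are assumptions made for the demonstration.

```python
"""Flag the phishing indicators listed above in a raw e-mail (added example)."""
import email
from email.utils import parseaddr

# Constructed allowlist: brand keyword -> official domain (assumption for this demo).
OFFICIAL = {"cpf": "cpf.gov.sg", "iras": "iras.gov.sg", "singpass": "singpass.gov.sg"}
URGENCY = ("suspended in 24 hours", "within 24 hours", "immediately")
CRED_REQUEST = ("verify your account", "confirm your password", "enter your password")


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain part of the From address ('' if absent)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_official(domain: str, official: str) -> bool:
    """True only for the official domain itself or a real subdomain of it."""
    return domain == official or domain.endswith("." + official)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicators found; an empty list means none matched."""
    msg = email.message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    found = []
    for brand, official in OFFICIAL.items():
        claims_brand = brand in display.lower()   # display name names the brand
        looks_like = brand in domain              # brand token inside the domain
        if (claims_brand or looks_like) and not is_official(domain, official):
            if claims_brand:
                found.append(f"sender mismatch: '{display}' from {domain}")
            if looks_like:
                found.append(f"lookalike domain: {domain} is not {official}")
    if any(p in text for p in URGENCY):
        found.append("urgency pressure")
    if any(p in text for p in CRED_REQUEST):
        found.append("credential request")
    return found


# Constructed samples modelled on the indicators above (not real messages).
SAMPLE = """From: CPF Board <notice@cpf-board.sg.mailsvc.com>
Subject: Your account will be suspended in 24 hours

Please verify your account by entering your password at the link below.
"""
LEGIT = """From: CPF Board <no-reply@cpf.gov.sg>
Subject: Your monthly statement is ready

Log in to the CPF portal to view it.
"""
```

Substring brand matching is deliberately coarse; a production filter would use a public-suffix list and the sender's authenticated (DKIM/SPF) domain rather than the From header alone.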
Singapore-Specific Threat
SingPass Phishing Is a Persistent Threat
CSA regularly warns Singapore residents and businesses about SingPass phishing campaigns. Attackers impersonate SingPass to harvest credentials that can be used for identity theft and fraudulent government service applications. Train employees to always access government portals by typing the URL directly or using official mobile apps — never through links in emails or SMS messages.
3. Device Security Practices
Corporate devices are entry points that employees control daily. Core device security habits:
- Lock your screen when leaving your desk — even briefly. Set automatic screen lock to 5 minutes or less
- Do not use corporate devices for personal activities that increase exposure — torrents, personal social media, gaming
- Keep software updated — when prompted to update your operating system or applications, do not dismiss. Unpatched software is the most common vulnerability exploited in Singapore ransomware attacks
- Do not plug unknown USB devices into corporate computers — USB drives found in public places are a classic social engineering technique
- Report lost or stolen devices immediately — your IT team can remotely wipe a stolen laptop if you report it quickly; they cannot protect it if they do not know it is gone
4. Remote Work Security for Singapore Employees
Remote work has extended the corporate perimeter into employees' homes. Remote work security practices:
- Use VPN when accessing corporate systems from outside the office — home routers are not enterprise-grade
- Separate work and personal devices — using a personal laptop for work introduces personal software vulnerabilities into your corporate environment
- Secure your home Wi-Fi — WPA2 or WPA3 encryption, unique strong password, firmware updated on your router
- Avoid public Wi-Fi for corporate work — coffee shop Wi-Fi allows network interception. If unavoidable, always use VPN
- Physical security matters — do not take calls about sensitive business matters in public where you can be overheard
5. Data Handling and PDPA Obligations
Every Singapore employee who handles customer data has personal obligations under PDPA as a data controller's agent. Practical data hygiene:
- Do not store personal data in personal cloud services (personal Dropbox, Google Drive) — use approved corporate platforms only
- Do not email personal data unencrypted to external recipients — use approved secure file transfer methods
- Delete personal data when it is no longer needed for its original purpose
- Do not share customer data with colleagues who do not need it for their role
- Report any suspected data breach or accidental disclosure to your privacy officer or IT security team immediately — the PDPA 3-day notification clock starts from assessment, and every hour counts
Implementing a Cyber Hygiene Programme in Singapore
For Singapore business owners and IT managers, translating these habits into organisational practice requires:
- Policy — document acceptable use, remote work security, and data handling requirements
- Technical controls — enforce MFA, enable full-disk encryption, deploy EDR on all devices
- Training — annual security awareness training aligned with MAS Notice 655 and CSA Cyber Essentials requirements, supplemented by regular phishing simulations from a CSRO-licensed security provider
- Measurement — track phishing simulation results and training completion as leading indicators
Infinite Cybersecurity delivers cyber hygiene training programmes and phishing simulations for Singapore businesses, aligned with MAS Notice 655 and CSA Cyber Essentials. Our CSRO-licensed team combines technical training delivery with realistic Singapore-specific simulation scenarios. Contact our Singapore team to design your cyber hygiene programme.
Ready to Secure Your Business?
Our CSRO-licensed, CREST-accredited Singapore team delivers cyber hygiene programmes aligned with MAS Notice 655 and CSA Cyber Essentials for businesses of all sizes.