Why Singapore’s AI Lead May Also Be Its Biggest Security Risk


Singapore’s enterprises are among the most AI-ready in the world. They are also walking into a threat environment built to exploit that.

Written by
Joseph Ofonagoro
Jun 17, 2026

A recent Data Breach Investigations Report (DBIR) drawn from more than 31,000 security incidents and 22,000 confirmed breaches across 145 countries has identified four accelerating threat vectors that put AI-ready enterprises at risk. They include shadow AI leaking sensitive data through unauthorized tools, human error driving 62% of breaches, third-party compromise now implicated in nearly half of all incidents, and ransomware hitting 96% of Small & Medium Businesses (SMBs).

Each of these risks grows in proportion to the operational speed that Singapore enterprises have made their competitive identity. This article examines how these enterprises are exposed, and what Singaporean IT leaders driving AI adoption can do to cushion the impact of these risks.

AI tools your employees are already using are not the ones you approved

The DBIR examined what happens inside organizations when AI adoption outpaces governance, and the finding is uncomfortable for any CISO operating in a high-adoption environment.

Verizon found that 67% of users accessed AI services through non-corporate accounts on company devices. The research also found that 45% of employees use AI tools — sanctioned or not — on corporate systems, up from 15% the previous year. Employees were found uploading source code, technical documents, and other sensitive internal materials into external AI platforms.

For Singaporean enterprises operating in sensitive sectors such as finance, healthcare, and government-linked entities, as well as regional headquarters managing ASEAN data, this is a data governance breach hidden within a productivity story.

Internal compliance documentation submitted to an unauthorized GenAI assistant, or proprietary code processed by a third-party AI coding tool, may sit entirely outside the organization’s data classification and retention framework.

The DBIR treats shadow AI as a security control failure, not a communications one. Organizations that have not inventoried AI tool usage across employee devices do not know where sensitive data is moving, and that is the starting problem, not the ending one.

The weakest entry point into your network may be a vendor you vetted years ago

Verizon found that 48% of breaches involved a third party, a 60% increase from the year before. Several major breach campaigns analyzed in the report involved attackers compromising third-party providers within the same operation, meaning a single vulnerable vendor simultaneously exposed dozens of enterprise clients.

“The DBIR’s finding that third-party involvement reached 48% of breaches this year, following a 60% year-over-year increase, should fundamentally change how organizations think about cyber risk and systemic exposure,” said John Watters, chairman and CEO at iCOUNTER.

Singapore-based enterprises are structurally exposed to this trend. The city-state’s concentration of regional headquarters means many organizations maintain wide vendor ecosystems spanning SaaS platforms, API integrations, managed service providers, and regional technology partners. A third-party compromise in that network will propagate. Vendor risk assessments calibrated to a pre-2025 breach baseline are likely underestimating current exposure.


Six in ten breaches still come down to a person making the wrong call

Despite the technological dimensions of this year’s report, Verizon found that human involvement accounted for 62% of breaches in 2025. Social engineering attacks have shifted toward voice phishing, mobile-centric delivery, and AI-generated, real-time impersonation. The report is explicit: security programs built around unrealistic assumptions about human behavior consistently underperform.

For Singaporean enterprises, the issue is intensifying as AI becomes more deeply embedded in day-to-day business operations. Colleagues may communicate through AI-drafted messages, and vendors may increasingly rely on automated systems to interact with customers.

Employees are being asked to make trust decisions in environments where the signals of legitimacy are easier to fake than ever. Awareness training designed for 2022-era phishing does not prepare staff for AI-generated impersonation that mimics known contacts in real time.

The operational implication is specific: organizations that have expanded AI use without revisiting their human-centered security programs may have increased this risk without even knowing.

Singapore’s SME ecosystem is a ransomware risk your enterprise is already carrying

Unsurprisingly, ransomware appeared in 48% of all breaches analyzed in the 2025 dataset. Small and midsize businesses accounted for approximately 96% of ransomware victims where organization size was confirmed. Verizon noted that most ransomware campaigns are opportunistic, targeting organizations with unpatched systems, stolen credentials, or limited security resources.

For larger enterprises, the SMB figure is not a separate story. Singapore’s SME sector includes thousands of businesses operating inside the supply chains and vendor ecosystems of larger organizations — logistics partners, regional IT providers, specialist SaaS vendors.

A ransomware incident at one of those nodes disrupts the enterprise clients that depend on it. The DBIR’s data is a prompt to evaluate not just internal ransomware readiness but also the security posture of smaller organizations embedded in larger chains.

What Singapore IT leaders should do with this

Verizon’s report lands a consistent underlying point: attackers are not primarily winning on sophistication. They are winning on simple gaps between how organizations say they manage risk and how they actually do it.

The DBIR reaffirms patch management, multifactor authentication, asset visibility, third-party risk programs, and incident response readiness as the controls that matter most. For Singapore enterprises aggressively deploying AI, those fundamentals need to be revisited in a different context: one where the tools your employees are using, the vendors you depend on, and the SMBs in your supply chain are all statistically more likely to be the entry point for a breach than they were twelve months ago.

Forrester research describes APAC enterprises as moving faster on AI than anywhere else in the world. Verizon’s 2026 DBIR documents the cost of that speed when the security posture does not keep up.
