
More than half of Australian SMEs lack a dedicated security team, Zoho report finds
More than half of Australian SMEs lack a dedicated security team, and one in three confirmed a cyberattack in the past year, a Zoho-commissioned survey of 3,322 IT and security professionals has found.
More than half of Australian and New Zealand small and medium businesses run without a dedicated security team, and one in three Australian firms confirmed a cyberattack in the past year, a Zoho-commissioned report released for World Password Day has found.
The State of Workforce Password Security Report, run by Tigon Advisory Corp for Zoho, surveyed 3,322 IT and security professionals across nine global regions. It was published on 7 May 2026.
Australian SMEs least prepared
In the Australian and New Zealand cut of the survey, 74 per cent of organisations said they lacked full visibility over which staff had access to which systems. Sixty-four per cent had no Zero Trust strategy in place. Both numbers ran higher at firms with fewer than 250 employees.
Passwords remain the primary defence for most respondents, particularly at the smaller end. Passwordless authentication is gaining ground but is not yet widespread.
The one-in-three cyberattack figure was tied specifically to Australian respondents. The corresponding global figure put Indian firms top of the league at 47 per cent. Phishing was the dominant threat vector at 68 per cent of organisations.
The 82-point AI gap
A separate Zoho-commissioned cut, the 2026 Workforce Identity Security Report, found 90 per cent of leaders globally believe AI will strengthen their defences. Only 8 per cent said they were ready to deploy AI security tooling now. The 82-percentage-point gap between belief and operational readiness is the headline finding for boards weighing AI security spend against more basic controls.
Eighty-eight per cent of organisations globally said they had no visibility into orphaned user accounts. Fifty-nine per cent of employees use 15 or more business applications a day.
What the AU exec said
"Every security investment an organisation makes, from endpoint protection to zero trust architecture, is built on top of credentials," Rakesh Prabhakar, head of Australia and New Zealand at Zoho, said in a statement.
Seventy per cent of respondents plan to lift security spending over the next 12 months, the report found.
Why it matters
The numbers land as APRA, the ACSC and the Office of the Australian Information Commissioner all push for tighter access-control and identity management at small and mid-sized firms. Zoho's pitch is, predictably, that its identity and access-management products fill the gap. The underlying findings echo separate work by the ACSC, which has flagged credential weakness as the most common entry point in confirmed Australian breaches.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.