World Password Day arrives this year at a turning point in Australia. The world’s largest technology platforms are pushing consumers and enterprises toward passwordless authentication. Passkeys, biometrics, and hardware tokens are replacing the credential model that has underpinned digital security for decades. But new independent research released today by Zoho suggests most Australian businesses are still struggling with the model they already have.

One in three Australian businesses suffered a confirmed cyberattack in the past year, according to data from Zoho’s State of Workforce Password Security Report, independently researched by Tigon Advisory Corp. across 3,322 verified professionals in nine regions. 

The emergence of advanced AI models capable of identifying and exploiting critical system vulnerabilities faster than any human attacker has sharpened the focus on enterprise security. But while large organisations mobilise to respond, the same threats reach small and mid-sized businesses — which, as this research shows, are structurally less prepared to withstand them. 

The data tells a sobering story at the organisational level:

• Seventy-four percent of ANZ businesses lack complete visibility over who has access to what within their own systems. 
• Sixty-four percent have no Zero Trust strategy. 

The gap is widening as AI-powered tools compress attack timelines from weeks to hours. Phishing campaigns that once required manual effort can now be generated, personalised, and deployed at scale. Deepfake audio and video are being used to impersonate executives and bypass identity verification. The threat is no longer limited to stolen passwords; but extends to stolen identities.

The report’s sharpest finding concerns Australia’s small business community, which accounts for the overwhelming majority of the national economy. More than half of ANZ organisations under 250 employees have no dedicated security team, yet they face identical threats to large enterprises, often without the infrastructure, talent, or visibility to manage them. As the cybersecurity industry’s attention and investment concentrate on enterprise-grade solutions, the organisations most exposed are the ones least equipped to respond.

"Every security investment an organisation makes, from endpoint protection to zero trust architecture is built on top of credentials," said Rakesh Prabhakar, Head of Australia and New Zealand, Zoho. "If the foundation is weak, everything above it is compromised. Across our 40,000-plus ANZ customers, the challenge we see most often is not that businesses don't understand the risk smaller organisations in particular face due to lack of dedicated resources to act on it. This research confirms what we hear every day: the basics remain the biggest gap, and closing that gap is the single most effective thing any business can do right now."

AI Agents and the expanding attack surface

The pressure on Australian organisations is compounded by a national shortage of cybersecurity professionals. Additionally, widespread layoffs linked to AI adoption are leaving leaner teams to manage growing security risks. The burden falls disproportionately on small and mid-sized businesses, which lack the budgets and employer brand to compete for scarce talent, and are often left relying on IT generalists without specialist security expertise.

The research points to a disconnect that funding alone will not close. Seventy percent of ANZ organisations plan to increase their security budgets, yet the data suggests the constraint is architecture, visibility, and the foundational security behaviours that advanced tools are built on. Ninety percent of ANZ businesses believe AI will ultimately strengthen their security posture. But that future depends on getting the basics right first.

The password itself is evolving. Passkeys, biometric authentication, and hardware-based verification are gaining traction across consumer platforms and enterprise environments alike. But the transition will take years, and for the vast majority of Australian businesses, particularly those under 250 employees, passwords remain the primary line of defence. Even as passwordless adoption accelerates, credential management will remain the foundation on which every future security model depends.

World Password Day is a reminder that the most accessible security measure available to any organisation, of any size, remains one of the most effective: managing credentials properly

The Zoho Vault State of Workforce Password Security 2026 report is available here.