Canada ahead of global average on password security
Tue, 5th May 2026
Zoho has published research on workforce password security in Canada, with findings that place the country slightly ahead of the global average on several measures.
The study surveyed 3,322 verified respondents across nine regions, including 174 in Canada, and identified a gap between how organisations view credential risks and the steps they have taken to address them. In Canada, 30% of respondents said their organisation had experienced a confirmed cyberattack in the past year, compared with 32% globally.
The Canadian results also pointed to broader weaknesses in identity oversight. Some 73% of respondents said they lacked complete visibility over identities across their workforce, including orphaned accounts and undocumented access, slightly below the global average.
That lack of visibility comes as application use continues to grow. The research found 60% of Canadian employees use 15 or more business applications, increasing the number of logins and access points organisations must monitor.
Third-party access emerged as a particular risk in Canada. Most organisations cannot fully account for who can access their systems, which Zoho linked to cross-border supply chains and integrated business operations across North America.
Canadian and US respondents reported similar patterns in several areas. Phishing and weak passwords were the top two threats in both markets, while Zero Trust adoption and identity visibility gaps were also closely aligned.
Among Canadian respondents, 67% identified phishing as a leading threat and 61% cited weak passwords, compared with 71% and 63% respectively in the United States.
Zero Trust strategies also remain incomplete for most organisations. In Canada, 63% said they had not deployed a Zero Trust approach, although many expected to implement one within one to three years.

AI gap
The research also pointed to a divide between confidence in artificial intelligence and readiness to use it. In Canada, 89% of respondents said they believed AI would strengthen their security position, but only 46% said they were ready to deploy AI-based security tools.
Across the global sample, the main barriers were legacy infrastructure and migration complexity, with cost ranking behind both. Zoho and Tigon Advisory said this suggests architecture, rather than budget alone, is limiting security progress.
"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied, with the average Canadian employee now logging into more than fifteen business applications, and most organizations cannot fully account for who has access to what across them," said Chandrashekar LSP, Managing Director, Zoho Canada.
"Numerous entry points combined with unmanaged third-party access is leaving Canadian organizations vulnerable," LSP said.
Spending plans did not suggest indifference to the problem. The survey found 71% of Canadian respondents planned to increase security spending in 2026, a figure close to the global average.
That intention, however, has not yet translated into broad deployment of some widely discussed security models. The report described Canada as showing cautious maturity, with relatively solid awareness and spending plans, but still exposed to basic weaknesses in access controls and infrastructure readiness.
Helen Yu, Founder and Chief Executive Officer of Tigon Advisory Corp., said the findings pointed to a sequencing issue for security teams.
"The organizations that will navigate the next five years most effectively are those investing in architectural simplicity, building governance models that scale with identity growth, and adopting AI-enabled orchestration to reduce friction," Yu said.
"Budget is not the primary constraint on security maturity; architecture, talent, and visibility infrastructure are. The data in this report is a call to sequence correctly: fix foundations before chasing advanced capabilities," she said.
Priority steps
The report set out six priority actions for organisations: deploying a centralised password manager, closing identity visibility gaps, pairing password management with multi-factor authentication, building a Zero Trust roadmap, treating integration as a security requirement, and piloting AI-based credential security within the next 12 months.
Mani Vembu, Chief Executive Officer of Zoho, linked AI deployment challenges directly to older systems.
"Legacy infrastructure remains the primary blocker to any effective use of AI, including deploying AI for security," Vembu said.
"Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and, conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent," he said.