Australian small firms lack security teams, Zoho says
Thu, 7th May 2026
Zoho has published research showing that more than half of small and medium-sized businesses in Australia and New Zealand operate without a dedicated security team. The study also found that one in three Australian businesses suffered a confirmed cyberattack in the past year.
The findings come from Zoho's State of Workforce Password Security Report, independently researched by Tigon Advisory Corp. across 3,322 verified professionals in nine regions.
The data points to broad weaknesses in basic security controls across the region. The report found that 74% of businesses in Australia and New Zealand lack complete visibility over who has access to what within their systems, while 64% have no Zero Trust strategy.
Those gaps are particularly acute among smaller organisations. Businesses with fewer than 250 employees were the least prepared, with more than half reporting no dedicated security team despite facing the same threats as larger companies.
Small business gap
The report frames the issue as one of resources as much as technology. Smaller firms often lack the budget to hire specialist staff and may rely on general IT employees to oversee security, even as cyber threats become more complex and fast-moving.
AI-driven attacks are adding pressure on businesses that already struggle to manage access controls and credential security. The report highlights phishing campaigns that can now be generated and personalised at scale, along with deepfake audio and video used to impersonate executives and bypass identity checks.
That shift means the threat is no longer limited to compromised passwords. Businesses are also confronting attempts to misuse stolen or fabricated identities, widening the challenge for teams with limited oversight of internal access.
At the same time, the study suggests many organisations are trying to respond. Seven in 10 businesses in Australia and New Zealand said they plan to increase their security budgets, while 90% said they believe AI will ultimately improve their security posture.
Even so, the report argues that spending alone will not solve the problem if basic security practices remain weak. Architecture, visibility and routine credential management still underpin the effectiveness of more advanced security tools.
Credentials remain central
The research arrives as passwordless authentication gains wider adoption across consumer and business technology. Passkeys, biometric methods and hardware-based verification are becoming more common, but passwords remain the main line of defence for most businesses, especially smaller ones.
That makes password management and access control a central issue rather than a legacy concern. For businesses that have not yet moved to newer forms of authentication, weak credential practices can undermine the broader security systems built on top of them.
Rakesh Prabhakar, Head of Australia and New Zealand at Zoho, said the findings matched what the company sees among its customers in the region.
"Every security investment an organisation makes, from endpoint protection to zero trust architecture, is built on top of credentials. If the foundation is weak, everything above it is compromised. Across our 40,000-plus ANZ customers, the challenge we see most often is not that businesses don't understand the risk, but that smaller organisations in particular lack the dedicated resources to act on it. This research confirms what we hear every day: the basics remain the biggest gap, and closing that gap is the single most effective thing any business can do right now," Prabhakar said.
The report also links the current strain on businesses to a shortage of cybersecurity professionals in Australia. Leaner staffing and competition for specialist workers have made it harder for smaller companies to recruit people with dedicated security expertise.
For many of those firms, the issue is not simply whether they recognise the threat, but whether they have enough staff and internal visibility to act quickly when risks emerge. The figures suggest many do not, even as attacks continue at a rate in line with the global average of one in three businesses.