‘Migrating to a secure, AI-ready platform is only becoming more urgent’
HR professionals overseeing onboarding, offboarding and access control are being told Canadian organisations remain exposed to credential risk, despite slightly outperforming global peers.
That's according to a report that finds a global disconnect between how organisations assess credential risk and how they invest to address it.
Thirty per cent of Canadian respondents reported a confirmed cyberattack in the past year, and 71 per cent plan to increase security spending in 2026, finds Zoho’s State of Workforce Password Security 2026 report, based on a survey of 3,322 professionals across nine regions, including 174 respondents in Canada.
Top security risks
When asked to name the top threats to business-critical identities, respondents painted a consistent picture: the most dangerous threats are not exotic technical exploits; they are everyday human vulnerabilities exploited at scale through phishing, weak passwords, and unmanaged access:
- 68: phishing and social engineering
- 61% weak or re-used passwords
- 54%: insider threats
- 47%: credential stuffing attacks
- 41%: unmanaged third-party access
Identity, third‑party and zero trust gaps
The Zoho report says 73 per cent of Canadian organisations lack complete identity visibility across their workforce, including orphaned accounts and undocumented access. The authors warn that “the vast majority of organizations cannot fully account for who has access to what within their own systems,” calling this identity visibility gap “the central vulnerability enabling unauthorised access, insider threats, and compliance failures.”
Zoho highlights unmanaged third‑party access as a “distinctly Canadian risk,” linking it to the country’s role in integrated North American supply chains. “Numerous entry points combined with unmanaged third-party access is leaving Canadian organizations vulnerable,” said Chandrashekar LSP, managing director at Zoho Canada.
Sixty per cent of Canadian employees use 15 or more business applications, one point above the global average, increasing the number of credentials that HR and IT must govern.
Meanwhile, 63 per cent of Canadian organisations have not deployed a Zero Trust strategy, close to the 65 per cent global figure, with most planning adoption within one to three years.
Cyber insecurity has overtaken all other workforce threats as the world’s leading people risk, just as training, culture and work design now sit at the heart of organisational resilience, according to a recent report.
AI readiness and recommended actions
Artificial intelligence emerges as a key gap. In Canada, 89 per cent of respondents believe AI will strengthen security, but only 46 per cent say they are ready to deploy AI‑powered security. HR leaders are expected to help manage change as AI‑driven monitoring and access controls are introduced.
Globally, the report cites legacy infrastructure (52 per cent) and migration complexity (48 per cent) as the main AI barriers, with cost third at 41 per cent. The report states that “believe AI can strengthen their security posture, but only 8 per cent are ready to deploy AI-powered security right now,” describing this 82‑point gap between belief and readiness as the most critical inflection point in workforce security.
Zoho and Tigon Advisory Corp. recommend six priorities for 2026: deploy a centralised password manager, close the identity visibility gap, pair password management with multi‑factor authentication, build a Zero Trust roadmap, treat integration as a security requirement, and pilot AI‑powered credential security within twelve months.
While business leaders continue investing millions in digital transformation and AI enterprise products, employees are growing increasingly disillusioned, burned out and frustrated with short-sighted plans and tools that aren’t delivering the efficiencies promised, according to a previous report.
