Global research from Zoho and Tigon Advisory Corp. finds APAC's application sprawl outpacing credential governance, with SMBs carrying the greatest exposure.

SINGAPORE - Media OutReach Newswire - 8 May 2026 - Zoho Corporation released the State of Workforce Password Security 2026, a global research study covering 3,322 verified respondents across nine regions, six industries, and twelve roles. The report, conducted by Tigon Advisory Corp. on behalf of Zoho Vault, finds a growing disconnect between how organizations perceive credential risk and how they have acted on it. In APAC, 64% of surveyed businesses run more than 15 applications, with integrated credential governance emerging as the region's most critical unmet need.

Timed to coincide with World Password Day, the report arrives at what the authors describe as a critical inflection point. Across the global sample, one in three businesses reported a confirmed cyberattack in the past year, and a further 7% were unable to confirm whether they had been attacked at all. The APAC region is on par with the global figure on this metric.

"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied: the average APAC employee now logs into more than fifteen business applications, and most organizations cannot fully account for who has access to what across them," says Chandramouli Dorai, Chief Evangelist of Cyber Solutions at Zoho. "The issue is not under-investment, but investment without architectural coherence, leaving businesses with a significant gap between intent for security and actual results." APAC is the region with the second highest application sprawl, with 64% of businesses surveyed using more than 15 applications, 5 points above the global average.

The State of Security in APAC

There is a consistent theme across APAC respondent data: high awareness, high spending intent, and persistent visibility gaps. Among APAC respondents:

• 32% experienced a confirmed cyberattack in the past year.
  
• 73% lack complete identity visibility across their workforce, including orphaned accounts and undocumented access, one point lower than the global average.
  
• 74% plan to increase security spending in 2026 — two points above the global average.
  
• 64% of employees use 15 or more business applications, five points above the global average and the second highest application-sprawl rate of any region globally.
  
• 66% have not deployed a Zero Trust strategy, with most non-adopters expecting to implement within one to three years, this is on par with global average.
  

The AI Belief-to-Deployment Gap

The survey also measured business sentiment on AI's role in security strategy. Confidence is high, with 91% of APAC respondents believing AI can strengthen their security posture, yet only 8% of businesses globally are ready to adopt AI-powered security today. This belief-to-deployment gap is significant. Among desired AI security features, 68% of respondents prioritized anomaly and threat detection, compared to 47% who selected risk-based access controls.

The report identifies legacy infrastructure (cited by 52% of global respondents) and migration complexity (48%) as the primary blockers. Cost ranks third at 41%, reinforcing a recurring theme across the data: the constraint on security maturity is not budget but architecture.

"The organizations that will navigate the next five years most effectively are those investing in architectural simplicity, building governance models that scale with identity growth, and adopting AI-enabled orchestration to reduce friction,", says Helen Yu, Founder and CEO of Tigon Advisory Corp. "Budget is not the primary constraint on security maturity; architecture, talent, and visibility infrastructure are. The data in this report is a call to sequence correctly: fix foundations before chasing advanced capabilities."

The Application Sprawl Problem

The report frames credential risk as a function of attack-surface growth, and nowhere is that surface expanding faster than in APAC. The region's mobile-first, multi-cloud work culture means the average employee now accesses more than 15 business applications daily across on-site, hybrid, and remote settings. Credential management, in this context, is not a remote-work problem. It is a structural one.

Yet fewer than one in four organizations globally have deployed a dedicated password manager. The gap is most acute among SMBs, which dominate APAC's commercial fabric. More than half of respondents in organizations under 250 employees report no dedicated security team, with credential security left to shared spreadsheets, manual hygiene, and informal policies, what the report calls "the SMB credential blind spot." In a region where SMB-led growth is central to several national economies, this represents a systemic and largely unaddressed vulnerability.

What the Data Recommends

The report concludes with six imperatives for 2026, prioritized by deployment urgency: deploy a centralized password manager, close the identity visibility gap, pair password management with multi-factor authentication, build a Zero Trust roadmap, treat integration as a security requirement, and pilot AI-powered credential security within the next twelve months.

"Legacy infrastructure remains the primary blocker between any effective use of AI, including deploying AI for security," says Mani Vembu, CEO of Zoho. "Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent."

Methodology

The State of Workforce Password Security 2026 was conducted by Tigon Advisory Corp. and sponsored by Zoho Corporation. The study is based on 3,322 verified responses across nine regions (United States, Canada, United Kingdom, European Union, India, Middle East and Africa, Australia and New Zealand, APAC, Japan, and China), six industries, and twelve workforce roles. Data was collected in early 2026. The full report, including all regional snapshots and methodology notes, is available at https://www.zoho.com/vault/state-of-workforce-password-security-report.html.

Zoho Privacy Pledge

Zoho respects user privacy and does not have an ad-revenue model in any part of its business, including its free products. The company owns and operates its data centers, ensuring complete oversight of customer data, privacy, and security. More than 150 million users around the world, across hundreds of thousands of companies, rely on Zoho every day to run their businesses, including Zoho itself. For more information, click here.

About Zoho Vault

Zoho Vault is Zoho's password management application for individuals, teams, and enterprises, providing centralized credential vaulting, secure sharing, role-based access, multi-factor authentication, and integration with Zoho's broader productivity, HR, and IT-management portfolio. Zoho Vault is included in Zoho One and is also available as a standalone subscription. More information is available at zoho.com/vault.


Hashtag: #Zoho


https://www.zoho.com
https://www.linkedin.com/company/zohoapac

The issuer is solely responsible for the content of this announcement.

Zoho Corporation

With 60+ apps in nearly every major business category, Zoho Corporation is one of the world's most prolific technology companies. Zoho is privately held and profitable with more than 19,000 employees globally with headquarters in Austin, Texas and international headquarters in Chennai, India. Zoho APAC HQ is located in Singapore. For more information, please visit: www.zoho.com.