South African companies have significant gaps in workforce password security, underscoring growing risks as they contend with rising cyber threats, increasing regulatory pressure, and limited visibility into user identities and access.
This is according to a new study from Zoho, the State of Workforce Password Security 2026 report, which reveals a significant cybersecurity gap. Thirty-six percent of organisations report cyberattacks, the highest globally, while 79% lack complete visibility into user identities and access.
These figures highlight a growing disconnect between rising threat levels and foundational security readiness.
As per the study, 71% of organisations lack a Zero Trust strategy, while 58% report unmanaged third-party access as a key risk, underscoring the complexity of securing modern IT environments.
“South Africa’s organisations are operating in an increasingly complex threat landscape, yet many still lack visibility into who has access to critical systems and data,” says Andrew Bourne, regional head of Zoho South Africa.
“As identity becomes the primary security perimeter, organisations must prioritise stronger access controls and password management to reduce risk and support compliance.”
The study identifies identity visibility as a central weakness in South Africa’s cybersecurity posture. With 79% of organisations unable to fully track user access, businesses face ongoing challenges in enforcing password policies, monitoring privileged accounts, and managing third-party access.
Credential-based threats such as phishing and compromised passwords continue to drive security incidents, particularly in the financial services sector, which remains a primary target due to the sensitivity of data and scale of digital operations.
While 73% of organisations plan to increase cybersecurity budgets and 87% believe AI can strengthen security outcomes, foundational gaps remain. A significant share of organisations have yet to implement Zero Trust frameworks, and identity governance practices remain inconsistent.
Simultaneously, increasing reliance on cloud platforms, third-party vendors, and distributed work environments is expanding the number of access points, making visibility more difficult to maintain and increasing overall exposure.
Growing compliance and operational risk
The study findings further highlight the regulatory implications of weak identity governance. Under the Protection of Personal Information Act (POPIA), organisations are required to maintain clear oversight of how personal data is accessed and processed.
Limited visibility into user identities and permissions makes it difficult to demonstrate accountability, increasing the risk of non-compliance.
Small and medium-sized businesses face additional challenges due to limited resources, lack of dedicated security teams, and reduced visibility into access environments. This makes them more vulnerable to cyber threats and less prepared to respond effectively.
As per the study, 50% of the SMEs in South Africa do not have a dedicated security team.
Rapid cloud adoption, driven in part by infrastructure challenges, is further expanding the attack surface and increasing reliance on third-party integrations, adding to the complexity of managing access securely.
The findings position South Africa at a critical point in its cybersecurity journey. While awareness and investment are increasing, closing the identity visibility gap will be essential to strengthening resilience, reducing cyber risk, and meeting regulatory requirements.