South African organisations are facing mounting cyber risks, with new research revealing that the country has recorded the highest global rate of cyberattacks while many businesses remain ill-prepared to defend against increasingly sophisticated digital threats.
Global technology company Zoho has released its State of Workforce Password Security 2026 report, highlighting significant weaknesses in password security and identity management across South African workplaces.
The findings, published to mark World Password Day, paint a concerning picture of organisations struggling to keep pace with a rapidly evolving threat landscape.
According to the report, 36% of South African organisations experienced cyberattacks, the highest figure recorded globally, while 79% reported lacking complete visibility into user identities and access permissions, a gap that experts say is leaving businesses dangerously exposed.
“South Africa’s organisations are operating in an increasingly complex threat landscape, yet many still lack visibility into who has access to critical systems and data,” said Andrew Bourne, Regional Head at Zoho South Africa.
“As identity becomes the primary security perimeter, organisations must prioritise stronger access controls and password management to reduce risk and support compliance.”
The report identifies identity visibility as one of the country’s most pressing cybersecurity weaknesses.
Without full oversight of who can access sensitive systems and data, organisations are finding it difficult to enforce password policies, monitor privileged accounts, and manage third-party access effectively.
The study also found that 71% of organisations do not have a Zero Trust security strategy in place, while 58% identified unmanaged third-party access as a major risk, underscoring the growing complexity of securing modern digital environments.
Credential-based attacks, including phishing scams and password theft, continue to drive many security breaches, particularly in the financial services sector, where institutions remain prime targets due to the volume of sensitive customer data they hold.
Despite these vulnerabilities, businesses appear increasingly aware of the need to strengthen their defences.
The report found that 73% of organisations plan to increase cybersecurity budgets, while 87% believe artificial intelligence can help improve security outcomes.
However, experts warn that investment alone will not be enough if foundational security gaps remain unresolved.
“Awareness around cybersecurity is growing, but without proper identity governance and visibility, organisations risk building stronger walls while leaving the front door unlocked,” Bourne said.
The findings also raise concerns about regulatory compliance under South Africa’s Protection of Personal Information Act> (POPIA), which requires organisations to maintain clear oversight of how personal data is accessed and processed. Limited visibility into user identities and permissions could make it difficult for companies to demonstrate accountability and avoid penalties.
Small and medium-sized businesses may be particularly vulnerable. The report found that half of South African SMEs do not have a dedicated security team, leaving many under-resourced and less equipped to detect or respond to cyber threats.
At the same time, rapid cloud adoption, growing dependence on third-party vendors, and increasingly distributed workforces are expanding the number of potential access points, making security oversight even more challenging.
The report suggests South Africa is at a critical turning point in its cybersecurity journey. While investment and awareness are improving, experts say closing the identity visibility gap will be essential to strengthening resilience, reducing cyber risk, and ensuring compliance in an increasingly digital economy.