A Third of Businesses Were Hit by a Cyberattack Last Year – Here’s What Needs To Happen Next

Password Security Is Failing Quietly, Even As Cyberattacks Become “Normal”

Password security and Identity management gaps delaying Zero Trust security adoption

Published: May 11, 2026

Sean Nolan

Most organizations recognize credential risk in theory. Password security sits on every “must-fix” list. Identity management is always described as critical. Zero Trust security shows up in nearly every strategic roadmap. Yet the State of Workforce Password Security 2026 report says the basics are still missing, even as confirmed attacks stay high.

Commissioned by UC platform Zoho, the report is based on 3,322 verified responses from IT and security leaders across nine regions, six industries, and twelve roles.

The report’s overriding conclusion, articulated by author Helen Yu, is:
“Fix foundations before chasing advanced capabilities.”

Why Are Attacks Rising While Password Security Still Looks Undeployed?

The report says one in three businesses suffered a confirmed cyberattack last year. Another 7% were not sure if they had been attacked at all. That uncertainty is a governance risk.

What stands out is how many organizations still lack basic password security controls. Only 26% have deployed a dedicated password manager, even though the threat picture is painfully familiar.

In the report’s Threat Landscape ranking, based on the top threats identified by survey respondents, phishing and social engineering ranked first. This was followed by weak or reused passwords, and then by credential stuffing attacks. In other words, the biggest risks are not exotic hacks. They are repeatable credential weaknesses that password security tooling is designed to reduce.

Application sprawl is also pouring fuel on this. 59% of employees now use 15+ apps for work. That means more credentials, more resets, more reuse, and more chances for mistakes. You can call that an identity problem, but it also becomes an identity management workload problem very quickly. And without better password security, MFA can feel like a speed bump rather than real protection.

Why Is Identity Management Visibility The Quiet Failure Point?

Most organizations cannot fully answer a basic question: who has access to what?

The report calls this the identity visibility gap. It finds that 74% lack complete identity visibility. Only 11.6% report full visibility and control. When orphaned accounts and undocumented access are included, 88% still lack complete visibility.

This is where identity management stops being a tool conversation and becomes an architecture conversation. The report is blunt that the issue is integration. It says full credential governance requires four systems working together in real time: HR and directory services, SSO and identity provider for MFA, a password vault, and access governance for certification and orphaned account detection.

When those systems do not share data, gaps multiply. Employees leave and accounts remain. Role changes do not trigger reviews. Orphaned access builds quietly. That is how identity management becomes fragile even in well-funded teams.

Regional snapshots do not soften the picture. The report says U.S. organizations have a 34% confirmed attack rate and 76% lack complete identity visibility. Meanwhile, the UK and EU face accelerating governance pressure, yet 75% still lack full identity visibility, making it a compliance liability.

Why Do Zero Trust Security And AI Plans Stall Without The Foundations?

Security budgets are not the headline problem here. The report says 72% plan to increase security spending over five years. Yet 80% say their stack is not future-ready. That mismatch is a warning sign.

It also explains the Zero Trust security gap. The report finds 65% still have no Zero Trust security strategy. Among non-adopters, 48% cite lack of processes and tools as the main barrier. It also notes vendor sprawl, with 30% managing six or more security vendors. Fragmentation slows execution and breaks visibility.

Then there is the AI optimism trap. The report says 90% believe AI will strengthen security, but only 8% are ready to deploy AI-powered security now. That is an 82-point gap. The main blockers are legacy infrastructure (52%), cost and migration complexity (48%), and lack of internal expertise (38%).

The most desired AI features are telling. Teams want anomaly detection (68%), automated policy enforcement (61%), and behavioral analytics (54%). Those all depend on clean identity signals, stable credential governance, and reliable controls. In other words, they depend on stronger password security, stronger identity management, and a working Zero Trust security model.

Final Takeaway

This report is basically saying, “the attack is already here, so stop pretending the basics can wait.”

If password security is still underdeployed, credential attacks stay cheap and repeatable. If identity management visibility is incomplete, you cannot prove control. If Zero Trust security is still “next year,” the window of vulnerability stays open.

The smartest move is not more hype. It is better sequencing. Centralize password security first. Treat identity management as an integration requirement. Build Zero Trust security on top of visibility and governance. Then add AI where it can actually help.

FAQs

What is password security in workforce environments?

Password security is how you control credential creation, storage, sharing, and reuse. The report highlights password managers as a key baseline control.

Why is identity management tied to compliance risk?

Identity management becomes a compliance risk when you cannot prove who has access. The report shows most organizations lack complete identity visibility.

What is Zero Trust security, in plain English?

Zero Trust security means no user or device is trusted by default. Access is verified continuously based on identity and context.

Does MFA replace password security?

No. MFA helps, but weak credentials still create exposure. Strong password security makes MFA more effective and less fragile.

Why do Zero Trust security programs stall even with bigger budgets?

The report points to architecture and integration gaps. Fragmented identity management and tool sprawl slow Zero Trust security execution.
