Exclusive: Zoho's Chief Cyber Evangelist on why MFA alone is not enough

Canadian organisations are increasingly optimistic about artificial intelligence strengthening cybersecurity, but many remain unprepared to deploy it effectively, according to new research from Zoho.

The company's 2026 Workforce Password Security Report, based on responses from more than 3,000 businesses globally, highlights a disconnect between perception and implementation. While confidence in AI-driven security is high, foundational gaps in identity management and governance continue to limit adoption, particularly among small and mid-sized businesses.

The report was released on World Password Day, May 7th, highlighting ongoing concerns about password hygiene even as more organisations move towards passwordless authentication models.

Zoho's Canadian research indicates that a significant majority of organisations see AI as a positive force in cybersecurity, reflecting broader enterprise enthusiasm for automation across business functions.

"The major important factor here is, when it comes to large enterprises, they have all the budget, they have the right expertise, and they have their own set of processes to protect their business," said Chandramouli Dorai, Chief Evangelist, Cyber Solutions & Digital Signatures, Zoho. "But when it comes to small businesses, or mid to small, mid to up market, that is exactly where they face a shortage of cyber talent."

In Canada, 89 per cent of respondents said they believed AI would strengthen their organisation's cybersecurity. This optimism is often tied to expectations that AI can compensate for limited internal resources. Smaller organisations, in particular, view AI as a way to bridge expertise gaps that would otherwise require significant investment in specialised talent.

Despite this, the report finds that only a small proportion of organisations have moved beyond intent to implementation, highlighting a persistent readiness gap. More specifically, only 46 per cent of respondents said they are extremely likely to adopt the technology right now.

Dorai said this disparity reflects a combination of organisational and regulatory challenges. Deploying cybersecurity tools, particularly those involving AI, requires extensive internal validation, often involving legal, compliance and privacy teams. These processes can delay adoption, especially in regulated industries.

"There is huge friction when employees are about to procure applications, especially for cybersecurity. It goes through a lot of loops," said Dorai. "If someone is going to get access to one particular login, from there they are going to get access to multiple systems."

The research also highlights weaknesses in basic cybersecurity practices, particularly around identity and access management. While many organisations have implemented measures such as multi-factor authentication, these are often not supported by broader governance frameworks.

73 per cent of Canadian organisations said they cannot fully account for who can access their systems; the heavily integrated "North American supply chain creates identity visibility gaps," said Zoho.

Canadian data indicated that Canada had stronger MFA deployment than most other regions. But 63 per cent said they lack a Zero Trust strategy, in which systems never trust and always verify access, requiring strict identity verification for every person and device.

"Multi factor authentication alone is not sufficient. It is basically like you have a lock for your house, but you are still having your windows open," said Dorai.

Key gaps include inconsistent access controls and inadequate offboarding processes. In some cases, former employees retain access to critical systems, creating potential vulnerabilities that can be exploited.

To address these challenges, organisations are increasingly turning to integrated identity and access management platforms. These systems provide a centralised view of user access across both internal and third-party applications, enabling more consistent enforcement of security policies.

"The first good start for them is to have an identity and access management platform, which gives them a single pane of glass for all the applications," said Dorai.

Such platforms can also support automated threat detection and response, using behavioural analytics to identify unusual activity patterns. For example, login attempts from unexpected locations or outside normal working hours can trigger alerts or session termination.

This approach allows organisations to strengthen security without requiring constant manual oversight, making it particularly relevant for smaller teams with limited resources.

"Have multi factor authentication in place, have periodic audits. So this World Password Day on May 7, take the first step. Start picking up good password hygiene."