Interview with Mouli Dorai – Chief Evangelist of Cyber Solutions at Zoho


Cybersecurity can feel overwhelming for small business owners, especially when the risks involve passwords, phishing, employee access, artificial intelligence, and zero trust all at once.

But according to Chandramouli “Mouli” Dorai, Chief Evangelist of Cyber Solutions at Zoho, the first steps do not have to be complicated. Businesses can start by understanding which apps they use, who has access to those apps, how passwords are shared, and whether former employees still have access to company accounts.

That was the focus of a recent interview between Leland McFarland of Small Business Trends and Dorai. The conversation was based on Zoho’s State of Workforce Password Security in 2026 report, which examines password security, identity visibility, cyber readiness, AI security, and workforce access risks. The full report is available here: Zoho State of Workforce Password Security Report.

In the interview, Dorai discussed why password reuse remains such a persistent issue, why multi-factor authentication alone may not be enough, how poor off-boarding can leave businesses exposed, and how small companies can begin building a zero trust security mindset without needing a large IT department.

He also explained how Zoho Vault and related Zoho security tools can help businesses centralize password management, improve visibility, and reduce risks tied to weak or shared credentials.

The full interview transcript follows.

Leland McFarland
All right, we are here with Mouli Dorai, who is the chief evangelist of cyber solutions at Zoho. Recently, Zoho released a survey going over a bunch of cybersecurity statistics through the US and through the world. And we’ve got a few questions for Mouli. And let’s start off with just a little bit about the information within this new recently released survey, data tied… terribly sorry about that.

Zoho recently released new survey data tied to World Password Day. So looking at the state of workforce password security and cyber readiness, the US findings are especially striking.

According to the survey, 34% of US organizations experienced a cyber attack last year. 76% lack complete identity visibility and 63% cite weak or reused passwords as a top threat. At the same time, 91% of organizations believe AI can strengthen security, but only 9% say they are ready to deploy AI powered security. So with all of that in mind, what is, what was the biggest takeaway for you when you looked at the US data?

Mouli Dorai
Hey, Leland. Thank you for having me here today. Thank you for the opportunity. World Password Day is the time. It is good to talk about password hygiene. And this year is very special for us. We are just back from a survey. As you rightly said, we have surveyed with more than 3,000 plus respondents in over nine regions. And the most interesting facts from small businesses to large enterprise are part of the survey.

So the first thing to start with is more than 70% of the businesses feel they have been hacked, at least faced one single breach in the last year. And one in three businesses means they are part of a breach. And more than 90% of the respondents believe AI is going to help them with security. And only 9% of them are really invested and getting started with leveraging AI for their security posture. So we have a lot of interesting facts from this particular survey and happy to share and also hear your thoughts and how we can help small businesses take better security posture and improve their password hygiene in the business.

Leland McFarland
So the report describes a confidence without capability problem within the US market. Can you explain what that means in practical terms for business owners?

Mouli Dorai
So what we hear is, like I said in the last one, more businesses, more than 70% to 90% of the businesses believe AI is going to help them with their security posture. But only 9% of them have really invested into AI to improve the security posture. And more than 50% of the organization, they are willing to extend their security expenditure.

Which means they are ready to buy more tools, but they have not just started that process. So they have the confidence to explore new tools, but have they ever taken the first step is the question. Most of the organization has not taken the first step to prevent their organization access control, data governance, protect their identity layer. So that is where we see the major gap, Leland. People are interested to improve their security posture.

But are they really taking practical steps to improve? That is where we see the major gap.

Leland McFarland
Moving on to passwords, phishing, and human risks. Weak and reused passwords were cited at 63% of US organizations. Why does password reuse remain such a persistent problem inside businesses?

Mouli Dorai
So like it or hate it, passwords are here to stay. I still remember Bill Gates declaring the death of passwords in 2000 in one of the Microsoft Ignite event, right? So we are in 2026, passwords are still here. 25 plus years pass, passwords are still here. Even though we hate password, it is one of the most easiest and reliable method of authentication. It is also one of the most affordable method of authentication.

So even though the world is moving away from passwords to passwordless, single sign-on and passkeys, Zoho is also today a FIDO member. We offer passkeys management. We offer single sign-on methodologies, but passwords are still in existence. We cannot deny that fact of it. So the major factor is today an average American is having more than 30 plus application. It can be for his ride sharing application. It can be for booking food. It can be for his Amazon.

It can be for anything. And average American, the data says has more than 30 different applications. And most of these applications are logged with a password. So not every single application is offering you a passwordless login mechanism. So if I’m going to have 30 plus application, and for more than 90% of these applications are locked with a password. As a human, I cannot come up with a strong and unique password for every single application.

That is the major, major big barrier for us. Even I am into technology. I do know about good password hygiene, but practically is it really doable for me to come up with 30 strong password for every single account of mine? No. I need some help.

I need to remember, I need to come up with strong password. Some password for some website, it should be between eight characters to 12 characters. Some website demand a special character. So what people usually do is they will use their name or date of birth or their pet’s name, combine it with a combination of their anniversaries or whatever. So these are easy to predict password. If someone knows Mouli, they can easily predict my password with a combination of my name, my partner name, my pet’s name, and they can do some permutation and combination and they can easily crack one of my account. If they crack one of my account, it is easy for them because I, any human, including me, we are going to reuse that password, right? So it is easy for them to enter into another set of accounts. If I am someone who is going to reuse the same password for business and personal account, then I am gone.

People will get access to my company data from there, my customer data. So this is the major, major human factor. It is very, very hard for a human to come up with strong and unique password for more than 30 plus accounts, which is the average. There are some nerds, they have more than a hundred plus seconds. Today people use ChatGPT, they use Claude. I can easily name more than five to 10 different LLM accounts that I own for my everyday activity.

So I assume the situation is same for everyone. We have a lot of apps to make our life easier, but all of these apps are locked with a password. And as a human, it is very hard for us. So we end up using a weak password. And that is the major problem that is reflecting in our report, Leland.

Leland McFarland
All right. So many businesses have adopted multi-factor authentication, but the report suggests that MFA alone is not enough. Where does MFA fall short if password management and access visibility are weak?

Mouli Dorai
So we don’t deny the fact that MFA is not good. MFA is a good starting point. You need an additional level of security to protect your account. But what the report reveals is most of the respondents say they have a weak password. That is the problem. If you are going to lock your house and keep the window open, that is the same situation that most businesses are doing today. They are locking the door with MFA, but they have their windows open.

So people can still access anytime your home and they can get away with whatever they want. In this digital age, they can get away with your personal data, they can get away with your organization data, and they can do whatever they want to do with your data. That is the major problem with MFA. So MFA primarily, especially if you are going to use SMS based multi-factor authentication, today there are technologies with SIM swap attacks.

So they can easily swap, if they know your phone number, they can easily do SIM swap attack. They can get away with the OTP. They can get inside your account. So I mean to say MFA is a good point, but you need to also have a strong identity posture. You need to have a strong password. On top of it, you need to have a control on your access. So who accessed which account from where, when should be easily available from a single pane of glass.

That is what most businesses, especially small businesses lack, Leland.

Leland McFarland
All right, just to go off on a little bit of a side note, you talked about a SIM swap. Is there a vulnerability? Can someone, if they know my phone number, basically be able to hijack my phone number at any point? Is that why multi-factor authentication through SMS is ineffective or is starting to become ineffective?

Mouli Dorai
So forget the SIM swap attack, there are more than that. We have today’s social engineering attack. So people can make use of our voices. So I am talking in a lot of YouTube videos. So it is easy for someone to use my voice and take the help of an AI and they can come up with my own voice. They can ring a phone call to my mother and pretend like it is really me. And they want to get some confidential information which my mother would receive.

So there are, apart from SIM swap, there are a lot of other ways to get inside our data. So today with social engineering and sophisticated AI, just MFA alone is not going to help anyone. We need to have multiple levels of access control is what we are trying to say with this report, Leland. So people need to have a strong password. On top of it, they need to have an MFA. On top of it for businesses, they need to know complete audit trail of who is using which account from where, when.

So if you are going to move from SMS based MFA to biometric based MFA, still today with AI, so many people will be having my personal photograph. They can take it from my Instagram, they can take it from my Facebook. They can easily still pass this step of MFA with my biometric if I have used Face ID.

With today’s sophisticated AI, they can still pass through this MFA step. That is what I’m trying to say.

Leland McFarland
Okay. Good to know. All right. Moving on to identity, visibility, and access control. One of the most striking findings is that 76% of US organizations lack complete identity visibility, meaning that they do not fully know who has access to what. Why is this such a dangerous gap?

Mouli Dorai
So I’ll give you an example. Last week, we had a customer conversation. This is a small business. They have nearly 50 employees. Out of the 50 employees, 12 of them left the company in the last three years. And when I asked the business owner about, do you really know how many of those employees who left the company has still access to your company accounts? He said, no, I don’t know.

But when we did an internal audit, we were easily able to know three people were still accessing the company’s account. People who left the organization three years ago, they are still able to access the company data even after three years they left the company. So this is exactly the major problem that most organizations are not even aware of. They have systems in place, have a siloed HR department, they have siloed IT teams.

Some of the small businesses don’t even have dedicated teams. So they need to do all of this by themselves. So role-based access control, time-limited access, verifying the user every single time without giving them permanent access is the need of, Leland. That is what we see the major gap in small businesses because most of the small businesses, don’t even have the right security expert. They don’t have the right tools in place to protect their business.

And that is exactly where we want to play our role, bring this awareness and offer them some affordable solutions to begin the journey with workforce security.

Leland McFarland
All right. What should happen when an employee leaves a company? What are the access mistakes small businesses often make during off-boarding?

Mouli Dorai
So I will come back to the same old example. So when someone is leaving the organization, most of the organization are involved with a lot of paperwork, the off-boarding documents, getting the employees off-boarded and getting a lot of paperwork signed from them and settling the financial portion with the company and also doing the knowledge transfer of that particular person to the new one or to the business owner.

This is what most of the organizations kind of doing all these years. But the major gap is what I said before. So the moment someone is leaving the company, you need to terminate the access immediately, starting with the access to the laptop, stopping the access to all the applications. And you also need to do a complete audit of the list of accounts accessed by that particular employee, and also rotate those passwords on top of it.

You need to do an internal audit and share this password with a new person or you need to rotate this password and start the things rolling up. This is where most organizations fail and they assume things are going to be good. So once they figure this out, in one month or three years in the last example, I said, so the amount of damage depends on the total time they took to understand if they have terminated the access to the employee account the moment they left the company. So that is the major need.

Leland McFarland
Okay. All right. Moving on to zero trust and SMB readiness. The survey mentioned zero trust and it could sound like an enterprise buzzword. Something that a big corporate wig, big wig is spouting out. How would you explain this to a small business owner in simple plain English?

Mouli Dorai
Zero trust is something that I always used to tell. So be like a mother, okay? So you know you trust your children, but you verify them every single time after they come back from the school. So you don’t blindly trust whatever the children is going to tell. You check with the school teachers, you check with the headmistress. So that is what the basic essence of zero sense is.

Even know if someone is a verified person. Even though they are part of your company’s environment, you verify them every single time. So never trust, always verify, is the keyword. So even though you trust someone, verify them every single time. To give you an example, I am part of the Zoho Corporation. I log in, I do my day-to-day work from the Chennai Development Center. So we have a system in place which is called the Behavior Threat Analytics.

So there is a persona for my profile. Mouli is someone who used to log in only from Chennai between 9 a.m. to 5 p.m. in this particular IP. If I am going to do a login activity from Japan or China from a remote location, which is not the ideal pattern, so the system is automatically going to send a trigger to the administrator. Hey, something unusual is happening. So have an additional method of MFA. Verify only Mouli is signing this particular device. So that is the type of zero trust policy that we are trying to build real world situations. So, to add it to top of it, I’m part of the marketing team. I can be part of the finance team. I don’t need access to what is the list of apps and password that are part of the travel team. So giving the users, the application based on the roles and responsibilities and auditing them over the period of time and reviewing it every single time is the primary foundation for Zero Trust Access, Leland. You don’t need enterprise grade systems to do it. You just need the right set of foundation to get started.

To get started, you can begin with a basic password manager. Do the audit posture of your company on top of it like you mentioned, we can also have MFA. This is a good starting point for your zero trust journey. So zero trust, you cannot do it maybe within one month or three months. It’s a long journey. To begin with, you can start with a password manager, MFA, role-based access, and you can get started from there and then evolve.

Leland McFarland
All right. Is zero trust an all or nothing strategy or can some small businesses adapt it gradually?

Mouli Dorai
So we always believe in the long run at Zoho. So same case applies to Zero Trust as well. So we don’t expect a significant change overnight or in a quarter. So we need to build this culture of Zero Trust over a period. So it should begin with the security culture awareness, training the employees about the need of Zero Trust and starting it with the foundation of having maybe a password vaulting solution and having access control mechanism in place and see a periodic audit is going to be the stepping path to the zero trust journey.

Leland McFarland
Okay. All right. Moving on to AI security gaps. The study found that 91% of US organizations believe that AI will strengthen security, but only 9% are ready to deploy. Not even have deployed are just ready to deploy AI powered security today. Why is that gap so large?

Mouli Dorai
So this again come back to our last example. So people are aware about something, but they are not ready to take any action. So awareness to the action, the inertia is there. That is exactly where security of most of the businesses start to fail. And many business also think AI is not for me or I will take AI only when it is required. So they are not ready to start, but they are understanding the fact that AI is something I need to embrace, but who is going to start it? That is the major, major important point for most of the businesses.

They need to begin the journey slowly and steadily. And even though they have all the, what to say, capital allocation for AI and better cybersecurity expenditure, but the inertia within the organization, I would say is stopping them to get started. So I want, I would urge most of the businesses to begin the journey, not significantly take baby step and from there start evolving is what we tell most of our customers in our interactions.

Leland McFarland
Don’t dive into the deep end. Kind of wade right through the pool, right?

Mouli Dorai
One step at a time.

Leland McFarland
Alright, there’s a lot of hype around AI security solutions. What should a small business fix before they start thinking about AI powered cybersecurity?

Mouli Dorai
So I would again come back to the same, get your foundations stronger before jumping into the AI thing, right? So AI is good. Yeah, you need AI, but first begin with some basic question in your organization. Do you have the right set of identity controls in your place for your organization? So are you still sharing the passwords via spreadsheets, browsers, chat, text, email?

So are you revoking the access to the employees who are off-boarded from your company? So are you doing internal audit for your existing infrastructure periodically? So get your basic foundation right and then jump into the advanced AI thing. So without having the foundations in place and without having a basic zero trust mechanism in place, jumping into AI is not going to help any business. AI is not going to be like a magic bandwidth. So you need to have your foundation strong to get started. That is what most businesses should be aware of. They need to make their foundation strong and then get into this AI thing.

Leland McFarland
So we’ve put a lot of statistics out there and anyone, you know, listening to this, who’s a small business owner might be sweating a little bit, but Zoho, they’re really security conscious. I want you to tell me a little bit, where does Zoho Vault fit into the security challenges highlighted in this report?

Mouli Dorai
Zoho Vault is a reliable password manager for everyone. It works for individuals, it works for teams, small businesses, it also works for larger enterprises. So to get started with your security journey, the first step is to fix your identity security layer. Today, if you take any large breach, most of the 80% of the breaches are based due to weak password or any other identity exposure.

So you need to first fix your identity security thing before getting started with the larger cybersecurity posture of your company. This is exactly where Zoho Vault can help. It is an encrypted wall that can bring in all your passwords from spreadsheets, browsers, other walls, put in into one single place. And it gives complete visibility to the organizations on who is having access to which accounts and who is accessing which account from where, when.

If someone is going to move away from your company, you can immediately terminate the access. And if you want to transfer the control, you can do it. So this is exactly where Zoho Vault can help coupling it with Zoho OneAuth, the multi-factor authentication, both of which are tightly integrated. It gives them more security, additional layer of security. Today, we also have a browser, which is called as the Ulaa browser.

So when you access the internet and when you are going to access an application, the password vaulting solution, the multi-factor authentication and the browser are going to talk to each other and it is going to offer you a secure internet access without compromising the convenience as well. This is where Zoho is playing today to offer a secure workforce security for businesses of all sizes.

Leland McFarland
So many small businesses worry that security tools may be too complicated or disruptive. I know that after I’ve hit like the third authentication step, I get a little frustrated myself. But how does Zoho approach usability for teams that do not have this big dedicated IT department?

Mouli Dorai
So we have a strong team behind Zoho Vault. We offer businesses, small businesses especially, with the free migration and onboarding assistance for them. Even though they don’t have the security expertise, even though they don’t have in-house security experts, we have experts in-house that can help these businesses. They’ll be glad to access, audit the infrastructure of any small business, and they can ensure what type of controls can be put in place. So this means they can get started with the help of Zoho’s assistant. From there, they will be able to have role-based access, time-limited access, the basics of zero-trust mechanism, multi-factor authentication. Once this is done, we also offer them free training sessions. We also have user group meetups, which is very free. Any small business can come and join any of our user meetups.

That is happening across the United States. We don’t charge anything for small businesses or any participants or organization of any size to be part of these meetups. And we also run security workshops, which is part of Zoholics, which is the user conference that Zoho hosts every single year, not just in the United States, but across the globe. So this is how we are trying to help and educate small businesses to get started with the security journey once they know.

They have started their security journey. Zoho is here for the long run. We will partner with them and help them in every single step they Leland.

Leland McFarland
If a small business owner hears these numbers and just feels completely overwhelmed, what are the first three actions that they should take this week?

Mouli Dorai
So I would say start accessing your existing infrastructure. First list down the list of apps that are used in your company and the list of employees having access to these apps. Once you complete this internal audit, start using an organization password manager. Bring all these apps and users into one single system and map them to the list of apps and based on the roles and responsibilities.

Add MFA to top of all this business application and you give them access based only on roles and responsibilities, but only for a limited period of time. Don’t give them unlimited access. So you also can add the layer of zero trust. This is where exactly most organization can get started. Starting with an internal audit of the list of users and the applications in their organization, implementing a password vaulting solution.

Finally, they should also do an audit with the HR team of the list of users who were part of the organization, who are off-boarded from the company, and they need to know who still has access to those accounts. There will be still a lot of orphaned accounts. So there will be more than 10 to 20 of orphaned accounts in every organization. In large organizations, this number is going to be huge.

So you also need to change these passwords of orphaned accounts and also used accounts. And you need to tighten the security posture in the first week. This is exactly where most organizations can get started and they can get better over the period, Leland.

Leland McFarland
All right. If you were to change one common habit around passwords inside small businesses, what would it be?

Mouli Dorai
I would say don’t share the password by WhatsApp or email or your click or Slack or whatever it be. Just share it by any password vaulting tool. It is simple and it is also convenient. You just need to begin your journey. So when the next time your friend or a family member is going to ask you a Netflix password, start sharing it via your password manager. That is the first step that you can do. So, that is what I would recommend.

Leland McFarland
Okay. Well, thank you for coming on with me. I appreciate it. Let me let the audience know where they can learn a little bit more about the survey data. I’ll have a link in the description for anyone who’s interested, but a little bit about the survey data and where they can learn more about like Zoho Vault and some of the other security features that they that Zoho has.

Mouli Dorai
So they can land to zoho.com/vault. In this particular website, we have embedded the entire security report and we have also offered them free trial. So anyone who is interested to get started with the security journey, they can begin from there. So we also offer them, like I said, we have migration and onboarding assistance, even for our free users, we offer free technical consultation. So yeah, go ahead, get started. If you have any questions, write to us. We’ll be happy to support you in every single step of your security journey.

Leland McFarland
All right, well, thank you for coming on. I appreciate it. And yeah.

Mouli Dorai
Thank you, Leland. Thank you for the opportunity. And yeah, talk to you soon in another episode.

Leland McFarland
Yeah, I’m glad to have you on any time.

Mouli Dorai
Thank you.

Dorai’s advice gives small business owners a practical place to start. Rather than treating cybersecurity as a massive overhaul, he recommends beginning with the basics: list the applications used inside the company, identify who has access to each one, review whether former employees still have access, and move passwords into a secure vault instead of sharing them through email, chat, spreadsheets, or text messages.

The interview also reinforces an important point for business owners: new technology does not replace basic security discipline. AI may strengthen cybersecurity in the future, and zero trust may sound like an enterprise concept, but both depend on foundational practices such as strong password management, multi-factor authentication, role-based access, and regular audits.

For small businesses without dedicated IT teams, the goal is not to solve every security problem overnight. The goal is to reduce the most obvious risks first, then build a stronger security posture over time.

As Dorai emphasized, passwords are still part of everyday business, and they are likely to remain that way for some time. That makes password hygiene, identity visibility, and access control essential issues for companies of every size.

