A new survey by Kaspersky, titled Cybersecurity in the Workplace: Employee Knowledge and Behavior, has revealed serious weaknesses in how organizations in Pakistan manage cybersecurity policies and employee compliance.
According to the findings, 39% of professionals believe their company’s cybersecurity rules are too strict or not suitable, while 8% said their organizations either have no such policies or employees are unaware of them.
The report points to a growing gap between company security rules and employee engagement, increasing the risk of shadow IT and unmanaged devices in workplaces.
Kaspersky described shadow IT as the use of software, devices, or services that have not been approved by the IT department. While employees often adopt such tools to improve productivity, the practice creates major security blind spots for organizations, because IT cannot patch, monitor, or control what it does not know about. The company said hybrid work models, cloud tools, and rapid AI adoption have accelerated this issue.
The survey also highlighted poor controls over personal device use. Around 38% of respondents said their companies have no clear policy for using personal devices for work. Another 17% said they can access business data on personal devices if basic security software is installed.
Meanwhile, 16% said personal devices are only allowed after strict IT checks, while 29% reported that only company-issued devices can be used for work.
Software installation controls were stronger than device controls but still left gaps. About 56.5% said only IT teams can install software on company devices, while 19.5% said only senior management or selected staff have that authority. Another 17% said employees can install IT-approved software themselves.
However, 7% said any user can install software freely, and 26% admitted installing software on work devices without IT approval in the past year.
Toufic Derbass, Managing Director for the META region at Kaspersky, said shadow IT has become a major operational risk and organizations must address both policy weaknesses and employee behavior.
Kaspersky recommended that companies in Pakistan conduct shadow IT audits, improve monitoring systems, set clear rules for personal devices, and provide practical cybersecurity training for employees.