ISLAMABAD — Gaps in cybersecurity policies and the growing use of shadow IT are leaving organizations in Pakistan vulnerable to security risks, according to a new survey by Kaspersky.
The report, based on workplace behavior and employee awareness, found a disconnect between corporate cybersecurity rules and how employees follow them, increasing exposure to data breaches, compliance risks, and unauthorized access to systems.
Policy gaps and employee perception
According to the survey, 39% of professionals in Pakistan believe cybersecurity rules in their organizations are excessive or not fully appropriate, while 8% said their companies either lack such policies or employees are unaware of them.
The findings point to weak alignment between policy frameworks and employee behavior, which can undermine overall cybersecurity effectiveness.
Rise of shadow IT
The study highlights the growing role of shadow IT — the use of unauthorized software, devices, or services without IT oversight — as a major operational risk. This trend has been accelerated by hybrid work models, cloud-based tools, and the increasing use of AI-driven applications.
Around 26% of respondents admitted installing software on work devices without IT approval in the past year, indicating persistent gaps in enforcement and awareness.
Device usage and access controls
The survey also found that 38% of respondents reported no clear policies on using personal devices for work. Meanwhile, 17% said they could access corporate data using their own devices with basic security measures, while 16% reported stricter corporate checks before allowing such access.
Only 29% of organizations restrict work strictly to company-provided devices, suggesting varying levels of control across workplaces.
In terms of software installation, 56.5% said only IT teams are authorized to install applications, while 19.5% reported restrictions limited to senior or designated staff. However, 7% indicated that employees can install any software without approval.
Industry response and recommendations
Toufic Derbass said shadow IT has become a mainstream risk, particularly when employees bypass IT controls. He noted that organizations need to balance security policies with user-friendly approaches that encourage compliance.
Kaspersky recommends that organizations conduct regular audits to identify unauthorized software and devices, implement monitoring systems such as endpoint detection and response (EDR) and extended detection and response (XDR), and enforce clear security standards for personal device usage.
The company also advises strengthening employee awareness through training programmes and ensuring that staff use only approved platforms and applications for work-related activities.
Broader implications
The findings highlight the need for stronger coordination between policy design and employee behavior in Pakistan’s evolving digital workplace. As organizations adopt more flexible work models and digital tools, effective cybersecurity strategies are increasingly seen as essential to protecting data and systems.
Also read: Kaspersky says 84% of users store sensitive data digitally on World Backup Day
Today's E-Paper