ISLAMABAD: A new survey by global cybersecurity firm Kaspersky has revealed significant weaknesses in workplace cybersecurity practices across Pakistan, warning that policy gaps and the growing use of “shadow IT” are leaving organizations increasingly vulnerable to cyber threats.
The survey, titled “Cybersecurity in the workplace: Employee knowledge and behavior”, found that 39% of professionals in Pakistan believe their company’s cybersecurity rules are either excessive or not fully appropriate. Meanwhile, 8% of respondents said their organizations either lack formal cybersecurity policies altogether or employees are unaware of them, highlighting a major disconnect between policy frameworks and workplace awareness.
Kaspersky described “shadow IT” — the use of unauthorized software, devices, or cloud services without IT department approval — as a rising operational risk in Pakistan’s corporate sector. Although often adopted by employees to improve productivity, such practices create blind spots for IT teams and increase exposure to data breaches, compliance failures, and cyberattacks.
According to the survey, 38% of respondents said their companies do not have clear rules regarding the use of personal or non-corporate devices for work. Additionally, 17% of employees said they are allowed to use personal devices to access company data if basic cybersecurity protections are in place, even when those protections are consumer-grade software. On the other hand, 29% reported that only IT-issued devices are permitted for official work.
The findings also showed inconsistencies in software installation controls. While 56.5% of respondents said only IT departments are authorized to install software on corporate systems, 19.5% reported that only senior management or designated staff have this authority. However, 7% said all employees are free to install any software without IT approval — a practice that significantly increases security risks.
Alarmingly, 26% of surveyed professionals admitted that they had installed unauthorized software on work devices within the past year, reinforcing concerns about weak enforcement of IT governance and the growing shadow IT ecosystem.
Commenting on the findings, Toufic Derbass, Managing Director for the META region at Kaspersky, said shadow IT has become a mainstream cybersecurity challenge. He stressed that while many organizations do have policies in place, employee perception and behavior remain critical gaps.
“Organizations should move beyond restrictive controls and adopt intelligent, user-centric cybersecurity strategies that combine technology with employee awareness and responsible usage,” he said.
To address these risks, Kaspersky recommended that organizations conduct shadow IT audits, deploy advanced monitoring tools, and strengthen endpoint protection using solutions such as EDR and XDR systems. It also advised implementing mobile device management (MDM) systems for personal devices used in the workplace, along with regular cybersecurity awareness training for employees.
The company further emphasized that employees should use only IT-approved applications, store data only on authorized platforms, and seek official access permissions for corporate systems to minimize security risks.
The report concludes that Pakistan’s growing reliance on hybrid work environments, cloud services, and AI-based tools is accelerating shadow IT risks, making cybersecurity modernization an urgent priority for businesses.