A new survey on workplace cyber risks has highlighted significant gaps in employee awareness and corporate cybersecurity enforcement in Pakistan, pointing to rising concerns over “shadow IT” and unmanaged device usage.
The report, titled “Cybersecurity in the Workplace: Employee Knowledge and Behaviour” and conducted by cybersecurity firm Kaspersky, found that 39 percent of professionals in Pakistan view their organisation’s cybersecurity policies as excessive or not fully appropriate. Meanwhile, 8 percent said their workplaces either lack formal cybersecurity rules or employees are unaware of them.
The survey underscores a growing disconnect between corporate cybersecurity frameworks and employee behaviour. It notes that 38 percent of respondents reported no clear policy governing the use of non-corporate devices for work purposes, raising concerns over data security and compliance risks.
In addition, 17 percent of professionals said they are allowed to use personal devices for work if basic cybersecurity protection is in place, including consumer-grade software. By contrast, 16 percent reported stricter controls requiring personal devices to pass formal IT security checks, while 29 percent said only company-issued devices are permitted.
The findings also point to inconsistencies in software installation policies on corporate systems. According to the survey, 56.5 percent of respondents said only IT departments are authorised to install software, while 19.5 percent indicated that only senior management or designated personnel have such rights. Another 17 percent said employees may install IT-approved software, but 7 percent reported unrestricted installation access.
Despite existing controls, 26 percent of professionals admitted installing software on workplace devices without IT supervision in the past year, highlighting what the report describes as a persistent “shadow IT” challenge that can increase exposure to cyberattacks, data breaches and regulatory risks.
Commenting on the findings, Toufic Derbass, Managing Director for the META region at Kaspersky, said shadow IT has become a “mainstream operational risk,” adding that employee behaviour signals gaps in policy enforcement. He emphasised the need for organisations to move beyond restrictive frameworks and adopt user-focused cybersecurity strategies combining awareness, monitoring tools and responsible usage practices.
The report recommends that organisations conduct regular shadow IT audits to identify unauthorised applications, cloud services and devices accessing corporate data. It also calls for stronger monitoring systems, the implementation of mobile and endpoint management solutions, and clearer minimum-security standards where personal devices are permitted. Employee training on cybersecurity risks was also highlighted as a key requirement to reduce vulnerabilities.