A growing disconnect between corporate cybersecurity policies and employee behavior is exposing organizations in Pakistan to heightened digital risks, according to a recent survey by Kaspersky.
The report, titled “Cybersecurity in the workplace: Employee knowledge and behavior,” reveals that 39% of professionals in Pakistan consider their company’s cybersecurity rules excessive or poorly suited to real-world workflows, while 8% say their organizations either lack such policies entirely or fail to communicate them effectively.
This gap is fueling the rise of “shadow IT,” the use of unauthorized software, devices, or services without IT oversight, which has evolved into a significant operational threat.
Often driven by productivity needs, shadow IT creates blind spots for IT teams, especially as hybrid work, cloud platforms, and AI tools become more widespread.
The survey highlights inconsistencies in how organizations manage device usage. Around 38% of respondents said their companies have no formal policies governing the use of personal devices for work.
Meanwhile, 17% admitted they can access corporate data on personal devices with only basic cybersecurity protections, such as consumer-grade antivirus software.
Read More: A Shift in Cybercrime Strategies as Stolen Financial Data Floods Dark Web
By contrast, 16% reported stricter controls requiring IT approval before using personal devices, and 29% said only company-issued hardware is permitted.
Controls around software installation appear somewhat stronger but still uneven. 56.5% said only IT departments can install software on corporate systems, while 19.5% noted that authority is limited to top management or designated personnel.
However, 7% of respondents said all employees in their organization can freely install any software they choose, raising concerns about unchecked vulnerabilities.
Alarmingly, 26% of surveyed professionals acknowledged installing software on work devices without IT supervision within the past year, underscoring the persistence of shadow IT practices.
“Shadow IT is now a mainstream operational risk,” said Toufic Derbass, Managing Director for the META region at Kaspersky.
“When one in five employees installs software without IT oversight, it signals a policy gap. Organizations must move beyond restrictive controls and adopt user-centric cybersecurity strategies that combine technology with awareness and responsible usage.”
Read More: Pakistan Faced 5.3M On-device Cyber Attacks in Three Quarters of 2025
To address these challenges, Kaspersky recommends organizations conduct comprehensive shadow IT audits to identify unauthorized tools and devices accessing corporate systems.
The company also advises deploying advanced monitoring solutions, such as endpoint detection and response (EDR) and extended detection and response (XDR), to improve visibility into unsanctioned activities.
Additionally, businesses are urged to define clear security requirements for personal device usage and enforce them through mobile device management (MDM) tools.
Equally important is employee education; ensuring staff understand cybersecurity policies, use only approved applications, and handle company data through secure, authorized platforms.
As digital transformation accelerates, experts warn that bridging the gap between policy and practice will be critical to safeguarding Pakistan’s corporate landscape from emerging cyber threats.
