Gaps in cybersecurity policies and employee commitment leave organisations vulnerable

by Business Times

A recent survey by Kaspersky (www.Kaspersky.co.za), conducted across the Middle East, Türkiye and Africa (META) region, titled “Cybersecurity in the workplace: Employee knowledge and behaviour”, reveals a growing disconnect between organisational cybersecurity policies and employee attitudes.

According to the findings, 39% of professionals in the META region consider their company’s cybersecurity rules to be excessive or not fully appropriate. In Kenya, this figure stands at 25%, while in South Africa it is 23%.

The survey also found that 7% of respondents in the META region, 4% in Kenya, and 10% in South Africa either reported that their organisations have no cybersecurity policies or said they are not aware of them. These results highlight a clear gap between policy design and employee awareness, increasing the risks associated with shadow IT and unmanaged device usage.

Shadow IT, defined as the use of unauthorised software, devices, or services without IT oversight, has evolved into a significant business risk. While often driven by the need for convenience and productivity, it creates blind spots for IT teams. The rise of hybrid work, growing reliance on cloud tools, and increased use of AI applications have only accelerated this trend. Without strong oversight, organisations face higher exposure to ransomware attacks, data leaks, and regulatory penalties.

The survey further shows that 19% of respondents said their organisations have no policies governing the use of personal devices. At the same time, 35% admitted they can use their own devices to access company data, provided some level of cybersecurity protection is in place, even if it is basic consumer software.

On the other hand, 21% indicated that personal devices must pass strict corporate IT security checks before use, while 25% said only company-issued devices are allowed for work purposes.

When it comes to software installation, the situation appears more controlled. Half of the respondents reported that only IT specialists are allowed to install software. In 31% of organisations, this responsibility is limited to top management or designated users. Another 11% said employees can install software, but only with IT approval. However, 8% revealed that all users in their organisations can install any software without IT consent.

Despite these controls, risky behaviour persists. The survey found that 21% of professionals in the META region, 29% in Kenya, and 17% in South Africa admitted to installing software on work devices without IT supervision within the past year. This underscores the ongoing challenge of shadow IT and the vulnerabilities it creates.

“Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap,” said Toufic Derbass, Managing Director for the META region at Kaspersky.

He added that many organisations already have policies in place, but employee perception must also be addressed. According to him, companies should move beyond restrictive controls and adopt more intelligent, user-focused cybersecurity strategies that combine technology with awareness and responsible usage.

To strengthen their defences, Kaspersky recommends that organisations conduct regular shadow IT audits to identify unauthorised software, cloud services, and personal devices accessing corporate systems. It also advises implementing advanced monitoring solutions, such as endpoint detection and response (EDR) and extended detection and response (XDR), to improve visibility into system activity.

Where personal devices are allowed, organisations should define clear minimum security standards and enforce them using tools like mobile device management or endpoint management systems. In addition, cybersecurity policies should be supported by practical training that helps employees understand real-world risks and how to avoid them.

For employees, the guidance is straightforward. Understand your organisation’s cybersecurity policies and seek clarification where necessary. Use only approved applications and authorised devices. If personal devices are permitted, ensure they meet required security standards and are properly protected. Work-related files should only be stored and shared through approved platforms.

The survey was conducted by the Toluna research agency on behalf of Kaspersky in 2025. It included 2,800 online interviews with employees and business owners across seven countries: Türkiye, South Africa, Kenya, Pakistan, Egypt, Saudi Arabia, and the UAE.
