Cybersecurity Rules vs Reality: Kaspersky Survey Reveals Growing Shadow IT Risk in META Region
According to the findings, 39% of professionals across the META region believe cybersecurity rules in their organisations are either excessive or poorly suited to real-world workflows.
Country: South Africa
A new Kaspersky survey has uncovered a widening gap between corporate cybersecurity policies and employee behaviour across the Middle East, Turkiye and Africa (META) region, raising fresh concerns about the rapid rise of shadow IT and its implications for organisational security.
Titled "Cybersecurity in the workplace: Employee knowledge and behaviour," the study paints a complex picture of workplace cybersecurity—one where policies exist, but adherence and awareness lag behind. According to the findings, 39% of professionals across the META region believe cybersecurity rules in their organisations are either excessive or poorly suited to real-world workflows. While the perception is somewhat less pronounced in individual markets, it remains notable, with 25% of respondents in Kenya and 23% in South Africa sharing similar concerns.
Even more concerning is the lack of visibility around cybersecurity frameworks. The survey revealed that 7% of respondents across the META region, 4% in Kenya, and 10% in South Africa reported that their organisations either lack cybersecurity rules entirely or employees are unaware of them. This disconnect highlights a critical vulnerability—policies that are either ineffective, poorly communicated, or not aligned with modern work practices.
Shadow IT Moves from Convenience to Critical Risk
At the heart of this challenge is the growing phenomenon of shadow IT—the use of unauthorised applications, devices, or cloud services without formal IT oversight. Once seen as a productivity workaround, shadow IT has now evolved into a major operational and security risk.
The shift toward hybrid and remote work models, coupled with the explosion of cloud-based collaboration tools and generative AI applications, has accelerated this trend. Employees increasingly turn to external tools to meet productivity demands, often bypassing official systems perceived as restrictive or inefficient. While this behaviour can improve short-term efficiency, it creates blind spots for IT teams and significantly increases exposure to cyber threats.
Industry analysts note that shadow IT now accounts for a substantial portion of enterprise technology usage, with some estimates suggesting that up to 60% of corporate IT environments may include unsanctioned tools. These unmanaged assets often lack proper security controls, making them prime entry points for ransomware attacks, phishing campaigns, and data exfiltration.
Device Usage Policies: A Mixed Landscape
The survey also sheds light on how organisations manage device usage—a key factor in cybersecurity resilience. Nearly one in five respondents (19%) reported that their companies have no formal policies governing the use of personal devices for work purposes. Meanwhile, 35% said they are allowed to use their own devices to access corporate data, provided basic cybersecurity measures are in place, even if those measures are consumer-grade.
Encouragingly, 21% of organisations enforce stricter controls, requiring personal devices to pass rigorous IT security checks before being approved for work use. Additionally, 25% of respondents indicated that only company-issued devices are permitted, reflecting a more controlled and risk-averse approach.
Despite these measures, the widespread acceptance of Bring Your Own Device (BYOD) practices continues to expand the attack surface. Without enterprise-grade protections, personal devices can become weak links in the security chain.
Software Installation: Stronger Controls, but Gaps Persist
When it comes to software installation, organisations appear to exercise greater control. Half of all respondents (50%) reported that only IT specialists are authorised to install software on corporate devices. In 31% of organisations, this responsibility is limited to top management or designated users, while 11% allow installations only if pre-approved by IT.
However, a concerning 8% of respondents said that all users in their organisation can install any software they choose without IT approval—a scenario that significantly increases the risk of malware infections and data breaches.
More revealing is employee behaviour itself. Despite existing controls, 21% of professionals across the META region admitted to installing software on their work devices without IT supervision within the past year. This figure rises to 29% in Kenya and stands at 17% in South Africa, underscoring the persistence of shadow IT practices even in regulated environments.
Bridging the Gap Between Policy and Practice
Experts say the issue is not merely the absence of policies, but the misalignment between organisational rules and employee needs.
"Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap," said Toufic Derbass, Managing Director for the META region at Kaspersky. "Many organisations already have security policies in place, but employee perception must also be considered. Restrictive controls alone are not enough—companies need intelligent, user-centric cybersecurity strategies that combine advanced technologies with awareness and responsible usage."
This shift toward user-centric security reflects a broader industry trend. Rather than enforcing rigid controls, organisations are increasingly adopting adaptive security frameworks that balance protection with usability. These include zero-trust architectures, behaviour-based threat detection, and integrated endpoint security solutions.
Innovative Strategies to Tackle Shadow IT
To address the growing risks associated with shadow IT, Kaspersky recommends a multi-layered approach that blends technology, policy, and education:
- Shadow IT Audits: Conduct comprehensive assessments to identify unauthorised applications, cloud services, and personal devices accessing corporate networks.
- Advanced Monitoring Solutions: Deploy next-generation cybersecurity platforms, such as Kaspersky Next with EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response), to gain real-time visibility into user activity and detect anomalies.
- Device Management Controls: Implement Mobile Device Management (MDM) and endpoint management tools to enforce security standards on personal devices used for work.
- Employee-Centric Policies: Design cybersecurity guidelines that are practical, accessible, and aligned with employee workflows to encourage compliance.
- Security Awareness Training: Invest in ongoing education programmes, including simulated cyberattack scenarios, to help employees recognise and mitigate risks.
Empowering Employees as the First Line of Defence
Kaspersky also emphasises the critical role employees play in maintaining organisational security. By fostering a culture of cybersecurity awareness, companies can transform employees from potential vulnerabilities into active defenders.
Employees are encouraged to:
- Familiarise themselves with company cybersecurity policies and seek clarification when needed.
- Use only IT-approved applications and request access through official channels.
- Ensure personal devices meet corporate security standards before accessing work data.
- Store and share files exclusively through authorised platforms to prevent data leaks.
A Turning Point for Workplace Cybersecurity
As digital transformation accelerates across the META region, the findings highlight a pivotal moment for organisations. The challenge is no longer just about implementing cybersecurity measures, but ensuring they are understood, accepted, and followed by employees.
With cyber threats becoming more sophisticated and regulatory pressures intensifying, bridging the gap between policy and practice is essential. Organisations that successfully align technology, policy, and human behaviour will be better positioned to navigate the evolving cybersecurity landscape.