Cyber threats: Employee behaviour leaves organisations exposed
Gaps in cybersecurity policies and inconsistent employee adherence are leaving organisations increasingly vulnerable to ransomware attacks, data leaks and regulatory penalties, according to a new industry survey.
A recent Kaspersky study conducted across the Middle East, Türkiye and Africa (META) region, titled Cybersecurity in the workplace: Employee knowledge and behaviour, found that a significant proportion of employees view workplace cybersecurity rules as excessive or inappropriate.
The survey showed that 39% of professionals across the META region held this view, compared with 25% in Kenya and 23% in South Africa. In addition, 7% of respondents in the wider region, 4% in Kenya and 10% in South Africa said either that their organisations lacked cybersecurity rules or that they were unaware of them.
The findings point to a disconnect between corporate cybersecurity policies and employee behaviour, raising concerns over the growing use of shadow IT and unmanaged devices in the workplace.
Shadow IT refers to the use of unauthorised software, devices or services without IT department approval. While often driven by productivity needs, it creates blind spots for IT teams. The expansion of hybrid working, increased reliance on cloud-based tools, and the growing use of artificial intelligence applications have accelerated the trend.
Without robust cybersecurity management and oversight, organisations face increased exposure to ransomware attacks, data breaches and regulatory sanctions.
Lack of policies
The survey found that 19% of respondents said their organisations have no policies governing the use of non-corporate devices. A further 35% said employees are allowed to use personal devices to access business information if they have some form of cybersecurity protection, including consumer-grade software.
On the other hand, 21% said personal devices must pass stricter IT security checks, while 25% reported that only company-issued devices can be used for work purposes.
The findings were more positive regarding software installation on corporate devices. Half of respondents said only IT specialists are allowed to install software, while in 31% of organisations, only top management or designated users have that authority. A further 11% said employees can install IT-approved software, while 8% reported that all users can install any software without IT approval.
However, 21% of professionals across the META region, 29% in Kenya and 17% in South Africa admitted installing software on work devices without IT supervision in the past year, underscoring the ongoing challenge of shadow IT and associated security risks.
“Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap,” said Toufic Derbass, Managing Director for the META region at Kaspersky.
“Many organisations already have security policies in place, but employee perception must also be considered. Organisations should move beyond restrictive controls and instead implement intelligent, user-centric cybersecurity strategies that combine technology with employee awareness and responsible use.”
Recommendations
Kaspersky recommends that organisations take a more structured approach to addressing the issue, including conducting shadow IT audits to identify unauthorised software, cloud services and personal devices accessing corporate data.
It also recommends implementing monitoring and cybersecurity tools, such as those in the Kaspersky Next product line with EDR and XDR capabilities, to improve visibility of unauthorised application use and device behaviour.
Where personal devices are permitted, the company advises setting clear minimum security requirements and enforcing them through mobile device management or endpoint management systems. It also recommends strengthening employee training through awareness programmes such as the Kaspersky Automated Security Awareness Platform.
For employees, Kaspersky advises understanding company cybersecurity policies, using only approved applications, ensuring personal devices meet security standards if permitted, and storing and sharing work files only through authorised platforms.
The survey was conducted by research agency Toluna at the request of Kaspersky in 2025, based on 2,800 online interviews with employees and business owners using computers for work across Türkiye, South Africa, Kenya, Pakistan, Egypt, Saudi Arabia and the UAE.



Namibian Sun