A recent Kaspersky survey in the Middle East, Turkiye and Africa (META) region, entitled “Cybersecurity in the workplace: Employee knowledge and behaviour”, showed that 23% of professionals surveyed in South Africa consider cyber security rules in their company to be excessive or not fully appropriate, while 10% noted that their organisations do not have cyber security rules or that they are not aware of them. These results show a disconnect between corporate cyber security policies and employee commitment to these rules, underscoring the risks associated with shadow IT and unmanaged device usage in the workplace.
Shadow IT is defined as the use of unauthorised software, devices or services without IT oversight, and it has evolved into a critical business risk. While often driven by employee productivity needs, it creates blind spots for IT departments. The rise of hybrid work environments, increased reliance on cloud-based tools and the spread of AI tools have accelerated this trend. Without robust cyber security management and oversight, organisations face heightened exposure to ransomware attacks, data leaks and regulatory penalties.
Twenty-four percent of survey respondents in South Africa said there are no policies regarding the use of non-corporate devices in their company. Twenty-five percent of employees admitted that they can use their own devices to access business information, provided they have some type of cyber security protection, even consumer-grade software. On the positive side, 18% said they can use their own device, but these must first pass more stringent corporate IT security checks; while 33% of respondents indicated that only devices provided by the IT function can be used for work purposes.
The situation is significantly better with permissions for employees to install software on corporate devices without IT department’s approval. Sixty-six percent of respondents from South Africa reported that only IT specialists in their company are allowed to install software, while in 18% of organisations only top management or designated users can do so. Nine percent of employees can install software that is approved by the IT team. However, 5% of respondents said that all users can install any software they need without IT agreement in their organisation.
At the same time, 17% of local professionals surveyed acknowledged that within the past year they installed software on their work devices without IT supervision. That highlights a persistent shadow IT challenge that continues to expose organisations to security vulnerabilities, compliance risks and data breaches.
“Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap. Many organisations already have security policies in place, but employee perception must also be considered. Organisations should move beyond restrictive controls and instead implement intelligent, user-centric cyber security strategies that combine strategies that integrate technology with employee awareness and responsible use,” said Toufic Derbass, Managing Director for the META region at Kaspersky.
To help organisations strengthen their defences, Kaspersky recommends the following:
- Conduct a shadow IT audit to identify all unauthorised software, cloud services and personal devices accessing corporate data.
- Implement robust monitoring and cybersecurity solutions, for example from the Kaspersky Next product line with EDR and XDR tiers, to gain visibility into unsanctioned app usage and device behaviour.
- If employees are allowed to use personal devices, define clear minimum security requirements and enforce them through such solutions as mobile device management (MDM) or endpoint management tools.
- Complement user-friendly cyber security policies for employees with training that demonstrates real-life risks and ways to avoid them. Solutions such as Kaspersky Automated Security Awareness Platform can help.
For employees Kaspersky experts advise:
- Understand your company’s cyber security policies. If anything is unclear, ask for clarification.
- Only use applications that have been approved by your IT department and request access to specific IT resources when needed.
- Use only authorised devices for work. If personal devices are allowed, make sure they meet all required security standards and have appropriate cyber security solutions installed.
- Store and share work files only through approved platforms.
* The survey was conducted by Toluna research agency at the request of Kaspersky in 2025. The study sample included 2 800 online interviews with employees and business owners using computers for work in seven countries: Türkiye, South Africa, Kenya, Pakistan, Egypt, Saudi Arabia and the UAE.
Share
