Cybersecurity gaps expose Pakistani firms to rising risks
Shadow IT threats grow amid weak cybersecurity policies
Islamabad: (Web Desk) – A new survey by Kaspersky has highlighted growing vulnerabilities in Pakistani organizations due to gaps in cybersecurity policies and the increasing use of “shadow IT.”
The report, titled “Cybersecurity in the workplace: Employee knowledge and behavior,” reveals that 39% of professionals in Pakistan believe their company’s cybersecurity rules are either excessive or not well-suited to their needs. Meanwhile, 8% said their organizations either lack such policies entirely or that they are unaware of them.
Experts warn that this disconnect between corporate policies and employee behavior is exposing businesses to serious risks. Shadow IT—defined as the use of unauthorized software, devices, or services without IT oversight—has become a major concern, particularly with the rise of hybrid work, cloud tools, and AI-driven applications.
The survey found that 38% of respondents reported no clear policies regarding the use of personal devices at work. Additionally, 17% admitted they can access corporate data using their own devices if basic security measures are in place, even if they are consumer-grade. Only 29% said their organizations restrict work strictly to company-issued devices.
While some controls exist, inconsistencies remain. Around 56.5% of respondents said only IT departments can install software on company devices, but 7% revealed that users in their organizations can install any software without approval. Alarmingly, 26% admitted to installing software on work devices without IT supervision within the past year.
According to Toufic Derbass, shadow IT has evolved into a mainstream operational risk. He noted that when employees bypass IT controls, it reflects gaps in policy enforcement and awareness, increasing the likelihood of data breaches and compliance issues.
Kaspersky recommends that organizations in Pakistan conduct comprehensive audits to identify unauthorized tools and devices accessing corporate systems. It also suggests implementing advanced monitoring solutions, including endpoint detection and response (EDR) and extended detection and response (XDR) systems, to improve visibility and control.
The company further advises enforcing strict security requirements for personal devices through mobile device management (MDM) tools, along with regular employee training programs to raise awareness about cybersecurity risks.
For employees, experts emphasize the importance of adhering to company policies, using only approved applications, and sharing data through secure, authorized platforms.

