Survey finds cybersecurity policy gaps at Pakistani firms

ISLAMABAD: A survey on workplace cybersecurity has found that a sizeable share of professionals in Pakistan view their organisations’ cyber rules as either too restrictive or not fully suited to their needs, while some say their workplaces have no such rules or that they are unaware of them.

The findings come from a recent Kaspersky survey titled Cybersecurity in the Workplace: Employee Knowledge and Behaviour. As per details, 39pc of respondents said their company’s cybersecurity policies were excessive or not entirely appropriate. Another 8pc said their organisations either did not have such policies or that they did not know about them.

The survey pointed to a gap between formal corporate rules and how employees actually behave, highlighting risks associated with shadow IT and the use of unmanaged devices.

Personal device use remains a concern

According to the survey, 38pc of respondents said there were no policies covering the use of non-corporate devices. In addition, 17pc said they were allowed to use personal devices to access business information if those devices had some type of cybersecurity protection, including consumer-grade software.

By contrast, 16pc said personal devices could only be used after passing strict corporate IT security checks, while 29pc reported that only company-issued devices were allowed for work purposes.

The survey suggested that organisations appear to exercise tighter control over software installation on company devices than over the use of personal hardware.

Software controls stronger, but shadow IT persists

As per the findings, 56.5pc of respondents said only IT specialists were permitted to install software on corporate devices. A further 19.5pc said that authority was limited to top management or designated users, while 17pc said employees could install software that had been approved by the IT team.

However, 7pc said all users were able to install any software without IT approval. At the same time, 26pc of professionals said they had installed software on work devices without IT supervision during the past year.

The survey said this continuing shadow IT issue leaves organisations exposed to security weaknesses, compliance problems and possible data breaches. "Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap, said Toufic Derbass, Managing Director for the META region at Kaspersky," the survey stated.

He said organisations needed to move beyond restrictive controls and adopt user-focused cybersecurity approaches that combine technology with employee awareness and responsible usage.

Recommendations in the survey

To improve defences, the survey recommended shadow IT audits to detect unauthorised software, cloud services and personal devices that may be accessing corporate data. It also called for stronger monitoring and cybersecurity tools.

Where organisations allow personal devices for work, the survey recommended setting clear minimum security standards and enforcing them through mobile device management or endpoint management tools. It also advised employee training focused on real-world cyber risks.

The findings underline concerns about how policy design and employee practices can diverge, even where formal controls are in place, particularly in areas involving personal device access and unsupervised software installation.