A new Kaspersky survey has revealed significant weaknesses in organisational cybersecurity governance across the Middle East, Türkiye and Africa (META) region, highlighting how policy gaps and employee non-compliance are increasing exposure to cyber threats such as ransomware, data leaks and regulatory penalties.
The study, titled “Cybersecurity in the workplace: Employee knowledge and behaviour”, found that 39% of professionals believe their company’s cybersecurity rules are either excessive or not fully appropriate. The perception is even more notable in Kenya (25%) and South Africa (23%), suggesting growing employee frustration with existing security frameworks.
More concerning is the lack of awareness and enforcement of cybersecurity policies. Around 7% of respondents in the META region said either that their organisations have no cybersecurity rules or that employees are unaware of them. In South Africa, this figure stands at 10%, underscoring critical visibility gaps in corporate security structures.
The survey highlights the growing challenge of shadow IT—the use of unauthorised software, devices, or cloud services without IT approval. This trend is being driven by hybrid work environments, increased reliance on cloud tools, and rapid adoption of artificial intelligence applications. While often aimed at improving productivity, shadow IT creates blind spots that cybercriminals can exploit.
Findings show that 19% of organisations have no clear policy on personal device usage, while 35% allow employees to access business systems using personal devices with basic security protection. Alarmingly, 21% of respondents admitted to installing software on work devices without IT supervision in the past year.
According to Toufic Derbass, Managing Director for META at Kaspersky, these behaviours signal a major policy gap. He noted that many organisations already have cybersecurity rules, but employee engagement and awareness remain weak, calling for more user-centric and intelligence-driven security strategies.
Kaspersky recommends regular shadow IT audits, stronger endpoint monitoring, enforcement of device security standards, and continuous employee cybersecurity training to reduce risk exposure and strengthen organisational resilience.
Source: Kaspersky
