Survey Highlights the Dangerous Rise of Shadow IT as Employees Bypass Governance to Maintain Productivity
A comprehensive survey by Kaspersky across the Middle East, Turkiye, and Africa (META) has exposed a critical disconnect in corporate defense: the gap between rigid security mandates and employee commitment. The report, “Cybersecurity in the workplace: Employee knowledge and behaviour,” reveals that nearly one in five employees currently operates without any formal guidance on non-corporate device usage, creating massive blind spots for IT oversight.
As hybrid work and AI tools become baseline requirements, the Shadow IT trend (unauthorized software and device usage) is evolving from a nuisance into a primary operational risk for regional enterprises.
The perception of cybersecurity rules varies significantly across the continent, with Kenyan and South African professionals showing a unique relationship with corporate governance.
| Region / Country | Rules Viewed as Excessive/Inappropriate | Unaware of Rules or No Policy Exists |
| --- | --- | --- |
| META (Overall) | 39% | 7% |
| Kenya | 25% | 4% |
| South Africa | 23% | 10% |
The survey highlights a persistent installation challenge that bypasses technical gatekeeping. Despite the high-stakes environment of 2026, 21% of professionals in the META region admitted to installing unauthorized software on work devices within the past year. In Kenya, this figure jumped to 29%, suggesting a high drive for productivity that often outpaces IT approval cycles.
“Shadow IT is now a mainstream operational risk. When one in five employees installs software without IT oversight, it signals a policy gap,” says Toufic Derbass, Managing Director for the META region at Kaspersky.
The management of personal devices (BYOD) remains a fragmented frontier:
- 19% of respondents report zero policy regarding non-corporate devices.
- 35% use personal devices for business as long as they have some protection.
- Only 25% of organizations strictly mandate that only IT-provided devices can be used for work.
To close these gaps, Kaspersky recommends moving beyond restrictive controls toward an intelligent, user-centric strategy. This includes conducting comprehensive Shadow IT audits, deploying EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) tiers, and enforcing strict Mobile Device Management (MDM) protocols for those permitted to use personal devices.