
Kenyan organisations may be doing better than some regional peers when it comes to having cybersecurity policies in place, but a new Kaspersky survey suggests the bigger problem is what employees actually do once they sit behind a work computer.
According to Kaspersky’s latest META region survey, 29% of professionals in Kenya admitted they installed software on their work devices without IT supervision in the past year. That is notably higher than the 21% average recorded across the Middle East, Türkiye, and Africa (META) region, and also above South Africa’s 17%.
That makes Kenya the standout market in one of the report’s most important findings. It points to a familiar workplace problem: people often bypass IT controls not because they are trying to cause harm, but because they want to get work done quickly. Sadly, cybersecurity does not care about good intentions. Unapproved apps, cloud tools, browser extensions, and personal devices can all create gaps that attackers are more than happy to use.
Kaspersky describes this as shadow IT, which is the use of unauthorised software, devices, or services without IT oversight. The company says the trend has become a serious business risk, especially as hybrid work, cloud-based tools, and AI apps become normal parts of daily office life, with the likes of Safaricom now boasting a 100% AI-trained workforce.
Interestingly, Kenya does not appear to have the worst policy awareness problem. Only 25% of Kenyan respondents said cybersecurity rules in their company are excessive or not fully appropriate, compared to 39% across the META region and 23% in South Africa. Meanwhile, just 4% of Kenyan respondents said either that their organisation has no cybersecurity rules or that they are not aware of them. The META average was 7%, while South Africa stood at 10%.
So, the Kenyan issue is not simply that companies have no rules. It is that rules and actual employee behaviour are not always aligned.
Across the full survey, 19% of respondents said their companies have no policies around the use of non-corporate devices. Another 35% said they can use personal devices to access business information as long as some cybersecurity protection is installed, even if it is consumer-grade software. On the stricter end, 25% said only IT-issued devices are allowed for work.
Kaspersky says organisations need to audit shadow IT, monitor device and app usage, set clear rules for personal devices, and train employees using real-world examples rather than just restrictive policies nobody reads until something catches fire.
The survey was conducted by Toluna in 2025 for Kaspersky and covered 2,800 employees and business owners across Türkiye, South Africa, Kenya, Pakistan, Egypt, Saudi Arabia, and the UAE.



