The impact of work from home and hybrid mode on cybersecurity practices in South Africa

Abstract

As the trend of work-from-home and remote work grows in South Africa, adopting adequate cybersecurity measures and evaluating the human aspect of security perceptions is critical in protecting organisational information and maintaining corporate integrity. Over the past two decades, cybersecurity has been viewed from technological perspective of protecting networks and information assets, this study invokes the behavioural and social concerns, and how this affects an organisation’s cybersecurity strategy in South Africa. Covid-19 and the lockdown rules triggered a national emergency, compelling a considerable proportion of South Africa's workforce to embrace a work-from-home culture. While this study began during the lockdown, leaders at large enterprises in South Africa are adopting a more hybrid way of working permanently, due to the subsequent benefits. This study aimed to evaluate employee behaviour when working environments are suddenly affected by work-from-home policies and how an employee’s behaviour transposes to a different location. The overarching question was: How has cybersecurity behaviour in South Africa manifested during work-from-home policies and what are the determinants that force correct cybersecurity compliant behaviour?. Four key factors (“Subjective Norms & Response Efficacy”, “Attitude & Perceived Vulnerability”, “Self- Efficacy” and “Perceived Severity”) were identified and combined into a new framework based of two theoretical frameworks (The Theory of Planned Behaviour and Protection Motivation theory). This study utilised a quantitative cross-sectional design using a structured closed questionnaire that was distributed electronically. The data collected from 186 participants were analysed using Exploratory factor analysis, correlation analysis and multiple regression. Overall, “Subjective Norms & Response Efficacy” emerged as a significant and most influential predicator of “Cybersecurity Compliant behaviour”. “Attitude & Perceived Vulnerability”, “Self-Efficacy” and “Perceived Severity” were insignificant. It is apparent that there is a positive perception of correct Cyber security practices amongst South African organisations however there is a recommendation for future research, due to the diversity of organisational leadership in both the private and state-owned entities, to provide a better understanding of security compliant behaviour