Professionals in the field point out that the country needs stronger investments in the sector and integration between public and private sectors
It is not news that Brazil is extremely susceptible to cyberattacks, but data from the International Telecommunication Union (ITU), an agency linked to the United Nations (UN), show that this scenario is already starting to change. According to the institution, the country made a great leap in the world cybersecurity ranking, going from 71st to 18th position among the 194 nations analyzed. Taking into account only the Americas, Brazil reached third place.
Many experts celebrated the news, among them Bruno Telles, COO of BugHunt, the first Brazilian Bug Bounty platform. “The survey proves that we are on the right track,” he says. Another who welcomed the advance is Denis Riviello, head of cybersecurity at Compugraf, a provider of cybersecurity, data privacy and compliance solutions. “This increase is very important and was expected not only because of the maturity reached by some private companies, but also because of the various government agencies that have been working on the subject,” he says.
Despite the celebration, professionals in the area stress that the country still has many points to improve on the issue. “Brazilian corporations need to increasingly invest in order to reduce the gap between cybercrime and controls, because these attacks evolve as quickly as technology itself,” emphasizes Telles. According to Julio Cesar Fort, partner at Blaze Information Security, a global company specialized in offensive security with a focus on pentest (intrusion testing), most organizations see the topic only as a cost. “There is still a lack of vision that it is a way to ensure the well-being of the business,” he explains.
Experts agree that the cause of the uneven investment in cybersecurity across the national territory is the lack of communication between the public and private sectors. Fort illustrates this by comparison with the world's largest power, where the topic is part of defense tactics. “Unlike countries like the United States, where the internet and cyberspace are considered one of the war domains in their military doctrine, in Brazil there is little apparent integration between military forces, intelligence and government agencies, and companies,” he points out.
For Riviello, the country lacks synergy and, at the same time, more adequate legislation. “Recently, some moves have occurred in this direction, with the LGPD (General Law of Personal Data Protection), but it is a unique situation. In a broader context, both in the private and public sphere, there is a lack of partnerships in terms of development, collaboration, and rules handled by a large committee. Today, this mission is centralized only in specific bodies, which are independent and lack information sharing,” he adds.
Awareness of the importance of cybersecurity
A survey released by cybersecurity company Sophos revealed that 55% of the 200 Brazilian corporations interviewed suffered ransomware attacks in 2021, compared to the 38% rate recorded the previous year. In addition, the Center for Studies, Response and Handling of Security Incidents in Brazil (CERT.br), linked to the Brazilian Internet Steering Committee (CGI), points to a large number of attempted cyberattacks in the country since 2012. In other words, it is a scenario that will not change completely without collective awareness of the seriousness of the matter.
“The ITU data are relevant, but we will only become a reference in terms of protection if managers include the theme in their strategic planning. Those who do not do this well, unfortunately, run a great risk of experiencing incidents that will end up forcing them to pay attention to the subject in the worst way,” Telles warns. “Basic and forceful policies need to be implemented prior to damage remediation. An example is the UK government’s Cyber Essentials ‘scheme’, which enforces the execution of basic cyber ‘hygiene’ to small and medium-sized businesses that don’t have large budgets to invest in cybersecurity, and is a contractual requirement for state suppliers,” cites Fort.
For Riviello, those involved (government agencies and the private sector) must understand that sharing information and initiatives on cybersecurity generates benefits for everyone. “If we consider the size of our nation and the threats it is exposed to, we are still investing too little. Therefore, the union of the public and private segments and the population is the first step to promote more actions to ensure strong cyber defenses,” he concludes.
*** Translated by the DEFCONPress Team ***