Brazil is Standing Still in Cybersecurity – And That Should Worry Us All

Despite the rise in attacks and the growing number of headlines regarding data breaches, Brazil continues to stumble when it comes to cybersecurity. This goes beyond technology or a lack of threats — which are more sophisticated and constant than ever. The problem is structural, strategic, and, above all, cultural.

We are protecting the future with rules from the past. The country still relies on generic and outdated legislation that does not keep pace with the speed of digital threats. The General Data Protection Law (LGPD) was a milestone and an undeniable advancement, but its effectiveness depends on something greater: firm enforcement, robust information security techniques, and a protection culture that goes beyond the legal department. This is where many organizations fail. LGPD cannot stand alone. It requires a mature cybersecurity ecosystem with coherent internal policies, technical controls such as DLP, identity management, encryption of sensitive data, incident response, and continuous awareness programs. Without this, legal compliance becomes a mere formality, and data remains exposed. On the other hand, the lack of consistent oversight and clear technical standards makes its practical application fragile. Ultimately, this is predictable: many companies end up doing the bare minimum — the cheapest option, not necessarily the most effective — often thinking only about “checking a box.”

Cases that reinforce the alert: There is no shortage of examples regarding the real impact of this fragility. In 2021, the data leak of 223 million Brazilians, including tax IDs (CPFs) and registration data, exposed how vulnerable public and private databases were. In 2024, the attack on the Campinas City Hall, which paralyzed essential services, demonstrated the direct impact on citizens’ lives. The public sector, in particular, has been an easy target due to low security maturity and insufficient investment.

But the problem is not just state-owned. Large private companies have also suffered. Americanas, for example, faced a cyberattack that affected its operations and exposed customer data, generating significant financial losses (R$ 923 million), as well as reputational and operational damage. According to a PwC survey, 74% of Brazilian companies have suffered at least one security incident in the last 12 months. This is not just a technical data point; it is a threat to the business.

Security is still treated as a technical expense. In many organizations, digital security is still seen as an IT cost. An antivirus here, a firewall there, and suddenly, “we are protected.” However, this is far from reality. Cybersecurity today is not just a technical shield; it is part of the strategy. It is what ensures business continuity, protects reputation, and inspires trust in customers and partners. As long as this perception does not change, we will always be one step behind the attackers. The reality is simple: either digital security is part of the strategy, or you are exposed.

And the cost of an attack is high. According to IBM, the average cost of a data breach in Brazil in 2024 was R$ 6.75 million. Furthermore, companies that invest proactively in security can reduce this cost by up to 50%. The math is clear for any CFO: investing in security means avoiding losses, fines, and future revenue drops. In other words, the ROI of security is real and measurable.

And yes, security sells. Cybersecurity is a competitive advantage. Companies that take cybersecurity seriously not only protect themselves better; they stand out in the market. They show maturity, convey credibility, and gain a competitive edge. In many sectors, having a solid digital security posture is already a decisive factor in winning (or losing) a contract. Those who haven’t understood this yet are falling behind. A good example is the financial sector. Banco Itaú, for instance, invests heavily in advanced SOCs, multi-factor authentication, integrated risk management, and awareness programs involving everyone from analysts to the board. This investment translates into market and customer trust. Another positive case comes from the healthcare sector. Dasa implemented robust data governance combined with information security practices, integrating data protection into the patient’s journey. This allowed them not only to meet LGPD effectively but also to improve internal processes and strengthen the brand’s reputation.

Another critical point is a massive technical knowledge gap within IT teams. There is no point in investing in cutting-edge technology if your team is not prepared. The lack of security training within IT teams remains a critical bottleneck. Investment in training, simulations, and security culture needs to move from speech to routine. Without this, the reaction to threats will remain slow, expensive, and inefficient. Investing in training, practical drills, and security culture must be at the top of the agenda. It is common to see sophisticated tools poorly configured, without monitoring or integration with company processes. Fortinet estimates a deficit of over 530,000 cybersecurity professionals in Latin America, and Brazil leads this shortage. The investment in training and awareness must apply to everyone, from the analyst to the C-level. We can no longer pretend that training is something for “later.”

The transformation of digital security in Brazil does not depend only on new laws; it depends on leaders who view security as a strategic asset, professionals committed to continuous evolution, and an organizational culture that treats the subject with the seriousness it demands.

And good practices already exist — they just need to be amplified. Companies like Natura, Magazine Luiza, and digital banks like Nubank have been betting on security by design, multidisciplinary privacy squads, proactive risk management, and continuous incident response simulations. This shows that it is indeed possible to do things differently and better.

If we want to break out of this stagnation, we must stop treating security as an “IT team problem” and start treating it as what it truly is: a competitive differentiator, a strategic priority, a commitment to the future, and a business responsibility.

Fontes:

• “The largest personal data leak in Brazilian history and what lessons we must learn” (Date: 02/08/2021) – Fundação Getulio Vargas (FGV)
• “Americanas lost nearly R$ 1 billion in sales due to hackers” (Date: 05/13/2022) – O Globo
• “PwC: One-third of Brazilian companies recorded losses of at least US$ 1 million in cyberattacks” (Date: 02/07/2025) – PwC
• “Cost of a Data Breach Report 2024” (Date: 09/25/2024) – IBM
• “Itaú Unibanco invests R$ 3.1 billion in security and financial well-being” (Date: 05/20/2024) – Consumidor Moderno
• “Patient Identification and Safety Protocols 2024” (Date: 02/05/2024) – Dasa
• “Brazil faces a deficit of 750,000 cybersecurity professionals, research shows” (Date: 08/18/2024) – Instituto Brasileiro de Cibersegurança (IBSEC)