A study carried out by BugHunt with more than 50 companies in Brazil shows that phishing (28%), viruses (24%), ransomware (21%) and vishing (10%) were the most reported attacks.
The restrictive measures imposed by the COVID-19 pandemic and the resulting digitalization of work routines – a process that was, for the most part, not well planned – were some of the main factors that led to the increase in cyberattacks in Brazil.
According to the 1st National BugHunt Information Security Survey, conducted by BugHunt – the first Brazilian Bug Bounty platform – 26% of Brazilian companies have suffered cyberattacks in the last 12 months. Phishing (28%), viruses (24%), ransomware (21%) and vishing (10%) were the most reported occurrences in the period.
The study included 58 Brazilian companies – most of them in the technology sector – with more than 10 years of experience in the market.
Information security and the impacts of the pandemic
The restrictive social measures imposed by the COVID-19 pandemic have caused several organizations, such as private companies and government agencies, to quickly migrate to online systems. Remote work allowed millions of people to work from home and have daily access to corporate environments from home networks.
Caio Telles, CEO, BugHunt, said: “With a lot of things done in a hurry and without the necessary planning, especially among small and medium-sized companies, which are the majority in Brazil, the digital security of corporations was compromised.”
According to the research, more than 36% of companies were not prepared for this reality. On the other hand, the rise in threats and digital attacks has improved how many companies approach information security.
Investments in cybersecurity
According to the BugHunt study, investments in the area have more than tripled in the last three years, with the fight against cyberattacks and compliance with the Brazilian General Data Protection Law (LGPD, in Portuguese) being the main reasons for adopting new strategies. In addition, most companies focus their efforts on developing their own IT team.
In most companies (58.6%), the annual budget limit for the information security sector is R$ 50,000. For 15.5% of corporations, the investment is between R$ 100,000 and R$ 300,000, while 15.5% spend more than R$ 300,000 and 10.4% invest between R$ 50,000 and R$ 100,000.
Furthermore, 67.2% of the companies that responded to the survey started investing in information security in the last three years, 19% in the last three to five years, and only 13.8% have been investing for more than five years. Respondents say they invest to prevent cyberattacks, to ensure adaptation to the LGPD, or because they have suffered previous incidents.
The study also reveals that 64% of the companies interviewed are in compliance with the LGPD. Of those that are not yet compliant, 47% are already carrying out adaptation projects, 24% are adapting with the internal team, 12% do not have the support of senior management and 5% have not been able to identify a supplier.
Challenges for implementing information security in companies
The much-lauded Digital Transformation is a reality in several companies. However, according to Telles, during this process many companies end up leaving gaps for cybercriminals.
“This is the reason why investments in information security are increasingly urgent. This should be a priority for companies but there are few that really integrate cybersecurity into the corporate culture,” said Telles.
The main challenges for implementing information security measures, according to the survey, are employee compliance (40%), high investment (31%) and convincing decision-makers (24%).
“In most cases, it is common for employees, due to lack of knowledge and preparation, to be phishing targets,” said Telles.
“Therefore, it is important to offer regular training on risks and best practices for network use and data sharing. Managers and leaders need to be involved in the process to ensure that cybersecurity knowledge is part of daily life.”
The study indicates that 79% of companies invest in internal awareness programs about information security, offering corporate campaigns (40%), lectures on information security for employees (36%) and targeted and controlled phishing (12%).
The information security scenario in Brazil
With the massive adoption of remote work, cyberattacks have occurred more frequently in companies and institutions of all sizes.
“The scenario shows that the topic of cybersecurity is now addressed as a business strategy in most companies,” said the CEO.
However, according to Telles, there is still room for enhancement, for example by transposing internal awareness and development programs and by investing in the implementation of new tools focused on information security, such as Bug Bounty.
“The study clearly shows that there is still room for Brazilian companies to enhance security against cyberattacks,” concluded Telles.