Over the past two years, Brazilian companies have intensified their digital transformation process, adopting solutions such as cloud computing, Artificial Intelligence (AI), and automation to gain efficiency and agility. The issue is that by incorporating these new technologies, companies also begin to deal with new vulnerabilities. In recent quarters, Brazil has seen a significant increase in cyber incidents. A report published by Check Point Research showed that in the 3rd quarter of 2024, Brazilian companies suffered an average of 2,766 weekly attacks each—a 95% jump compared to the same period in 2023.
This surge in attacks reveals the disparity between innovation and security. Many companies accelerated cloud digital projects during and after the pandemic, but not all strengthened their defenses at the same pace. As a result, 83% of large companies suffered at least one serious cyberattack in 2023, leading to unplanned downtime, financial losses, and data breaches.
Beyond strengthening corporate defenses, we are still far from having mature governance processes. Data indicates that up to 80% of organizations in Brazil may lack data governance.
Innovation versus security: Are we increasing our vulnerability?
Although investments in cybersecurity and governance structuring remain timid, the race for innovation saw an increase in IT budgets last year: from 2023 to 2024, the Brazilian IT market grew by 13.9%, surpassing the global average and reaching $58.6 billion. Investment priorities included cloud infrastructure modernization, business process digitization, and adoption of generative AI.
Traditional sectors, such as banking, lead innovation investments—banks and fintechs heavily invest in cloud and AI to offer mobile banking and digital payments. In general, Brazilian companies allocated about 9.4% of their revenue in 2023 and 2024 to Information and Communication Technology (ICT). The Getúlio Vargas Foundation (FGV) estimates this percentage will rise to 11% in the next two or three years as organizations continue investing in innovation and modernization.
On the other hand, the country has become the second most attacked in the world in cybercrime, with over 700 million attempts in 12 months (1,379 attacks per minute!). In 2024 alone, there were 356 billion attempted cyberattacks on Brazilian territory—an alarming scenario that repeats worldwide.
Globally, there was a record number of attacks—a more than 75% increase in 2024, a phenomenon partly attributed to cybercriminals using AI to automate and make attacks more sophisticated. Mass-customized phishing, adaptive malware, and more potent DDoS are examples of threats amplified by malicious artificial intelligence.
Vulnerabilities also grow in new forms: a study shows that 57% of Brazilian companies already use AI to generate software code—the third-highest rate in the world. Paradoxically, 44% of these organizations see AI-generated code as their main security concern, fearing unexpected flaws or gaps introduced by autonomous software generation. APIs—essential for integrating systems and applications—are another blind spot: more than half (52%) of Brazilian companies see high risks in exposed APIs. In short, while amplifying innovation, initiatives like agile DevOps, massive cloud migration, extensive use of connected devices, and AI-driven development expand attack vectors and the complexity of protecting environments.
The problem is that innovation does not necessarily go hand in hand with increased digital security. Even though many companies are becoming more innovative in cybersecurity and expanding their defense solutions arsenal, the stage is still early. Last year, the Markets, Innovation & Technology Institute (MiTi) and Security Design Lab (SDL) published a sector-wide cybersecurity study assessing the maturity of 181 Brazilian companies. The study showed that, despite improvements, the average cybersecurity maturity level was 53%—still moderate, though an improvement from 49% the previous year.
This figure indicates that a significant portion of companies still falls below recommended best practices. For example, 53% of companies authenticate critical systems only with login and password—an outdated method—while 24% lack a dedicated cybersecurity budget, and 27% do not conduct regular penetration tests. These numbers show that although investments are growing, there are still important gaps to fill in terms of policy, culture, and governance.
Governance: Alongside Innovation, It Can Increase Cyber Resilience
There is a clear correlation between governance and compliance maturity and a company’s ability to withstand cyber incidents or successfully drive innovations. Data suggests that organizations with good GRC (Governance, Risk, and Compliance) practices suffer fewer impacts and achieve better results in their digital transformation projects.
For example, the same study by MiTi and SDL also found that 38% of companies lack an incident response plan, and 46% do not have a disaster recovery plan. These numbers are concerning, as the absence of effective contingency plans tends to prolong and worsen damages when an attack occurs.
In contrast, companies that anticipate risks and invest in security reap tangible benefits. A global PwC study highlights that only 5% of companies truly place security at the center of their innovation, integrating the CISO’s work from the start of projects. And precisely these companies recorded fewer data breaches and, even when attacked, suffered lower-cost incidents.
In other words, embedding governance and security from the conception of new IT initiatives increases the likelihood that new projects will go into operation without expanding the digital attack surface or leaving companies more vulnerable. Without governance, big data, artificial intelligence, or digital transformation initiatives risk failing or generating unintended consequences (such as misuse of information or fragile systems).
Companies with more mature governance find it easier to meet customer and regulatory requirements, enabling participation in new markets and innovation partnerships. On the other hand, lack of compliance can stall projects—imagine developing an innovative solution that handles personal data without complying with the LGPD: the project will face legal and reputational obstacles. Therefore, solid compliance and security structures increase stakeholder trust and allow innovation to flourish responsibly and resiliently.
In short, governance and security are not antagonistic to innovation—on the contrary, they serve as the foundation for sustainable innovation. Companies that structure committees, policies, and response plans suffer fewer cyber surprises and can focus on business growth. Those that neglect these strategic elements end up more exposed to disruptions, financial losses, and emergency remediation, which invariably delays or redirects investments that could go to innovation. The numbers confirm: maturity in governance, compliance, and security goes hand in hand with greater resilience and success in technological endeavors. Companies that manage to align these fronts will not only protect themselves better against incidents but also gain a competitive edge by innovating with confidence and sustainability in Brazil’s increasingly digital market.
