Innovation: without security, it can become disguised vulnerability

In the last two years, Brazilian companies have intensified their digital transformation process, adopting solutions such as cloud computing, Artificial Intelligence (AI), and automation to gain efficiency and agility. The issue is that, by incorporating these new technologies, companies also begin to deal with new vulnerabilities. In recent quarters, Brazil has experienced a significant increase in cyber incidents. A report published by Check Point Research showed that in the 3rd quarter of 2024, Brazilian companies suffered an average of 2,766 weekly attacks each – a 95% increase compared to the same period in 2023.

This surge in attacks reveals the disparity between innovation and security. Many companies accelerated cloud-based digital projects during and after the pandemic, but not all strengthened their defenses at the same pace. As a result, 83% of large companies experienced at least one serious cyber attack in 2023, leading to unplanned outages, financial losses, and data leaks.

Beyond the need to strengthen corporate defenses, we are also still far from having mature governance processes. Data indicates that the share of organizations in Brazil without data governance could reach 80%.

Innovation versus security: are we increasing our vulnerability?

Although investments in cybersecurity and governance structuring remain modest, the race for innovation saw an increase in IT budgets in the past year: from 2023 to 2024, the Brazilian IT market grew by 13.9%, surpassing the global average and reaching US$ 58.6 billion. The investment priorities included cloud infrastructure modernization, business process digitization, and adoption of generative AI.

Traditional sectors, such as banking, lead investments in innovation – banks and fintechs invest heavily in cloud and AI to offer mobile banking and digital payments. In general, Brazilian companies allocated about 9.4% of their revenue in 2023 and 2024 to Information and Communication Technology (ICT). The Getúlio Vargas Foundation (FGV) estimates that this percentage will rise to 11% in the next two or three years, as organizations continue investing in innovation and modernization.

On the other hand, the country became the second most attacked country in the world for cybercrimes, with over 700 million attempts in 12 months (1,379 attacks per minute!). In 2024 alone, there were 356 billion cyberattack attempts in Brazilian territory, an alarming scenario that is repeated worldwide.

Globally, there was a record number of attacks – over a 75% increase in 2024, a phenomenon partly attributed to the use of AI by cybercriminals to automate attacks and make them more sophisticated. Mass personalized phishing, adaptive malware, and more powerful DDoS attacks are examples of threats amplified by malicious artificial intelligence.

Vulnerabilities are also increasing in new ways: a study shows that 57% of Brazilian companies already use AI to generate software code, the third highest rate in the world. Paradoxically, 44% of these organizations cite AI-generated code as their main security concern, fearing unexpected failures or breaches introduced by autonomous software generation. APIs – essential for integrating systems and applications – are another blind spot: more than half (52%) of companies in Brazil perceive high risks in exposed APIs. In summary, while they amplify innovation, initiatives such as agile DevOps, massive cloud migration, extensive use of connected devices, and AI-driven development increase the number of attack vectors and the complexity of protecting environments.

The problem is that innovation does not necessarily go hand in hand with increased digital security. Even though many companies are more innovative in cybersecurity and are increasing their arsenal of defense solutions, this effort is still in its early stages. Last year, the Markets, Innovation & Technology Institute (MiTi) and the Security Design Lab (SDL) released a sectoral cybersecurity survey that assessed the maturity of 181 Brazilian companies. The study indicated that, despite improvements, the average level of cybersecurity maturity stood at 53%, still a medium level, although it is an advance compared to the 49% of the previous year.

This number indicates that a large share of companies still fall short of recommended best practices. For example, 53% of companies authenticate critical systems using only login and password, an outdated method, while 24% do not have a dedicated cybersecurity budget and 27% do not conduct regular penetration tests. These numbers show that, although investments are increasing, there are still significant gaps to be filled in terms of policy, culture, and governance.

Governance: alongside innovation, it can increase cyber resilience

There is a clear correlation between governance and compliance maturity and the company's ability to withstand cyber incidents or successfully drive innovations. The data suggests that organizations with good GRC (Governance, Risk, and Compliance) practices experience fewer impacts and achieve better results in their digital transformation projects.

For example, the same research conducted by MiTi and SDL also revealed that 38% of companies do not have an incident response plan and 46% do not have a disaster recovery plan. These numbers are concerning, as the lack of effective contingency plans tends to prolong and worsen damages when an attack occurs.

In contrast, companies that anticipate risks and invest in security reap tangible benefits. A global PwC study highlights that only 5% of companies truly place security at the center of their innovation, integrating the CISO's work from the beginning of projects. And it is precisely these companies that registered fewer data breaches and, even when attacked, suffered less costly incidents.

In other words, incorporating governance and security from the design stage of new IT initiatives increases the likelihood that new projects will be deployed without expanding the digital attack surface and without making companies even more vulnerable. Without governance, big data, artificial intelligence, or digital transformation initiatives risk failing or causing undesirable consequences (such as misuse of information or fragile systems).

Companies with more mature governance have an easier time meeting client and regulator requirements, enabling participation in new markets and innovation partnerships. On the other hand, lack of compliance can hinder projects – imagine developing an innovative solution that handles personal data without complying with LGPD: the project will face legal and reputational obstacles. Therefore, solid compliance and security structures increase stakeholder confidence and allow innovation to flourish in a responsible and resilient manner.

In short, governance and security are not antagonistic to innovation – on the contrary, they serve as a foundation for sustainable innovation. Companies that establish committees, policies, and response plans experience fewer cybersecurity incidents and are able to focus on growing their business. Those that neglect these strategic elements are more exposed to disruptions, financial losses, and the need for emergency remediation, which invariably delays or redirects investments that could go toward innovation. The numbers confirm it: maturity in governance, compliance, and security goes hand in hand with greater resilience and success in technological ventures. Companies that manage to align these fronts will not only better protect themselves against incidents but also gain a competitive advantage by innovating with confidence and sustainability in the increasingly digital Brazilian market.

Luiz Rossi
Luiz Rossi is a Specialist in GRC and Information Security at Selbetti Tecnologia.