In the past two years, Brazilian companies have intensified their digital transformation process, adopting solutions such as cloud computing, Artificial Intelligence (AI), and automation to gain efficiency and agility. The issue is that, by incorporating these new technologies, companies also have to deal with new vulnerabilities. In recent quarters, Brazil has witnessed a significant increase in cyber incidents. A report published by Check Point Research showed that, in the 3rd quarter of 2024, Brazilian companies suffered an average of 2,766 weekly attacks each – a 95% jump compared to the same period in 2023.
This surge of attacks reveals the disparity between innovation and security. Many companies accelerated cloud and digital projects during and after the pandemic, but not all reinforced their defenses at the same pace. As a result, 83% of large companies experienced at least one serious cyberattack in 2023, causing unplanned downtime, financial losses, and data leaks.
Beyond the need to strengthen corporate defenses, mature governance processes are also still a long way off. Data indicates that the share of organizations in Brazil without data governance may reach 80%.
Innovation versus security: are we increasing our vulnerability?
Even though investments in cybersecurity and governance structure remain modest, the race for innovation saw an increase in IT budgets in the last year: from 2023 to 2024, the Brazilian IT market grew by 13.9%, surpassing the global average and reaching US$ 58.6 billion. Investment priorities included cloud infrastructure modernization, digitalization of business processes, and adoption of generative AI.
Traditional sectors, such as banking, lead investments in innovation – banks and fintechs invest heavily in cloud and AI to offer mobile banking and digital payments. In general, Brazilian companies allocated about 9.4% of their revenue in 2023 and 2024 to Information and Communication Technology (ICT). Fundação Getúlio Vargas (FGV) estimates that this percentage will rise to 11% in the next two or three years, as organizations continue to invest in innovation and modernization.
On the other hand, the country has become the second most targeted country in the world for cybercrimes, with over 700 million attacks in 12 months (1,379 attacks per minute!). In 2024 alone, there were 356 billion attempted cyber attacks in Brazilian territory, an alarming scenario that is repeated worldwide.
Globally, there was a record number of attacks – an increase of over 75% in 2024, a phenomenon partly attributed to the use of AI by cybercriminals to automate attacks and make them more sophisticated. Mass personalized phishing, adaptive malware, and more powerful DDoS are examples of threats empowered by malicious artificial intelligence.
Vulnerabilities are also growing in new forms: a study shows that 57% of Brazilian companies are already using AI to generate software code, the third-highest rate in the world. Paradoxically, 44% of these organizations cite AI-generated code as their main security concern, fearing unexpected failures or vulnerabilities introduced by autonomous software generation. APIs – essential for integrating systems and applications – are another blind spot: over half (52%) of companies in Brazil see high risks in exposed APIs. In short, while amplifying innovation, initiatives like agile DevOps, massive migration to the cloud, extensive use of connected devices, and AI-driven development expand the attack vectors and the complexity of protecting environments.
The problem is that innovation does not necessarily go hand in hand with increased digital security. Even though many companies are becoming more innovative in cybersecurity and increasing their arsenal of defense solutions, this is still at an early stage. Last year, the Markets, Innovation & Technology Institute (MiTi) and the Security Design Lab (SDL) published a sectoral cybersecurity study that assessed the maturity of 181 Brazilian companies. The study found that the average level of cybersecurity maturity was 53%, still moderate – although it is an improvement compared to the previous year’s 49%.
This number indicates that a good portion of companies are still below the recommended best practices. For example, 53% of companies authenticate critical systems only with login and password, an outdated method, while 24% do not have a dedicated budget for cybersecurity and 27% do not regularly conduct penetration tests. These numbers show that although investments are increasing, there are still significant gaps to be filled in terms of policy, culture, and governance.
Governance: along with innovation, it can increase cyber resilience
There is a clear correlation between governance and compliance maturity and the company’s ability to resist cyber incidents or successfully drive innovations. Data suggests that organizations with good GRC (Governance, Risks, and Compliance) practices suffer fewer impacts and achieve better results in their digital transformation projects.
For example, the same survey conducted by MiTi and SDL also found that 38% of companies do not have an incident response plan and 46% do not have a disaster recovery plan. These numbers are concerning because the absence of effective contingency plans tends to prolong and exacerbate damages when an attack occurs.
In contrast, companies that anticipate risks and invest in security reap tangible benefits. A global study by PwC highlights that only 5% of companies truly put security at the center of their innovation, integrating the work of the CISO from the project’s inception. And precisely these companies have recorded fewer data breaches and, even when attacked, experience lower-cost incidents.
That is, embedding governance and security from the conception of new IT initiatives increases the likelihood that new projects will be put into operation without expanding the digital attack surface or making companies even more vulnerable. Without governance, big data, artificial intelligence, or digital transformation initiatives are at risk of failing or leading to undesired consequences (such as misuse of information or fragile systems).
Companies with more mature governance find it easier to meet customer and regulatory requirements, enabling participation in new markets and innovation partnerships. On the other hand, lack of compliance can hinder projects – imagine developing an innovative solution that deals with personal data without complying with LGPD: the project will face legal and reputational obstacles. Therefore, strong compliance and security structures increase stakeholder confidence and allow innovation to flourish responsibly and resiliently.
In short, governance and security are not antagonistic to innovation – on the contrary, they serve as the foundation for sustainable innovation. Companies that structure committees, policies, and response plans suffer less from cyber surprises and can focus on growing the business. Meanwhile, those that neglect these strategic elements are more exposed to disruptions, financial losses, and the need for emergency remediation, inevitably delaying or redirecting investments that could be used for innovation. The numbers confirm it: maturity in governance, compliance, and security goes hand in hand with greater resilience and success in technological undertakings. Companies that can align these areas should not only protect themselves better against incidents but also gain a competitive advantage by innovating with confidence and sustainability in the increasingly digital Brazilian market.