Cybersecurity remains outside the priority list for a significant portion of Brazilian companies, especially during their first months of operation. Data from the Ransomware Survey Report, by Sophos indicates that 63% of organizations worldwide have already suffered some type of cyber attack. Meanwhile, the Cost of a Data Breach Report, by IBM points out that the global average cost of a data breach exceeds US$ 4 million, considering operational, legal, and reputational impacts.
In Brazil, small and medium-sized enterprises account for a significant share of these incidents, as they often start operations without minimum digital protection controls, even while handling sensitive data from customers, suppliers, and payment methods early on. The combination of low security maturity and accelerated digitalization expands the attack surface right from the start of operations.
Wagner Loch, CTO of Under Protection , states that the problem lies in the mistaken perception that security is a cost that can be postponed. “The risk is born with the first revenue. The moment a company issues an invoice, uses a management system, or stores customer data, it is already exposed,” he says.
In practice, the priority given to sales, business expansion, and cost reduction pushes security investments into the background.
Access controls, backup policies, system updates, and continuous monitoring end up being postponed, creating gaps exploited by automated attacks and social engineering techniques. “There are no more manual attacks today. Threats are scalable, exploit known vulnerabilities, and seek out unprepared environments,” he warns.
Another recurring factor is the false sense of anonymity. Many companies believe only large corporations are on digital criminals' radar. However, the Data Breach Investigations Report, by Verizon shows that over 40% of global breaches involve small and medium-sized enterprises, precisely because they exhibit lower maturity in security controls. “The attacker is not looking for the size of the company, but rather the fragility of the environment,” he explains.
As the business grows, the potential impact of an incident also increases. Outdated systems, lack of segregation of duties, and absence of risk visibility raise the likelihood of operational disruptions, direct financial losses, and loss of trust with customers and partners. “When the company realizes the problem, it has already ceased to be technical and started affecting contracts, cash flow, and reputation,” he states.
According to the executive, changing this mindset involves treating cybersecurity as part of management from the outset, not as a response to incidents. This involves understanding the digital environment, mapping risks, and prioritizing investments based on business impact. “Security does not start with buying tools. It starts with understanding. Those who know their risks make better decisions on where to invest,” he says.
With the advancement of tax automation, intensive data usage, and process digitalization, the trend is for this topic to gain even more weight on the corporate agenda. According to Loch, companies that incorporate cybersecurity from the start operate with more predictability and fewer surprises. “It is not a matter of if an attack will happen, but when. The difference lies in being prepared or not when it occurs,” he concludes.
