
RECENT CYBERATTACKS ON GOVERNMENT SYSTEMS HIGHLIGHT THE LACK OF AWARENESS REGARDING PROTECTION OF INFORMATION

The Brazilian Government was recently the target of another cyberattack, which took down systems that monitor the pandemic. In Brazil, online threats have also increasingly affected people and companies. This is part of a global phenomenon that was accelerated by the pandemic. More people are online for more time, and thus they become exposed to the risks of cyberspace. Just like any other environment, this requires risk management awareness measures to reduce incidents and their impact.

BRAZIL’S WEAK CYBERSECURITY

On December 10th, several databases and webpages of the Federal Government were targeted by a cyberattack. The structures affected include the National Health Data Network (RNDS), the ConecteSUS, the National Immunization Program Information System (SI-PNI), the e-SUS Notifica and the DataSUS. The incident jeopardized Health Ministry systems responsible for monitoring the evolution of the pandemic and the vaccination in the country and, surprisingly, it took more than a month to restore them. During that period, the systems were unable to publish any figures on the health crisis. In addition, the Ministry confirmed that the attackers were able to delete COVID-19 data.

According to media sources, the attacks are much more a sign of weakness in the Government’s systems than a great feat by the hackers. Data provided by the Federal Court of Accounts (TCU) revealed that 66% of the federal administration bodies do not encrypt stored files and that 74% do not have a standard backup policy. It was also confirmed that the attackers used legitimate access credentials to break into the national healthcare data network, showing vulnerabilities in the granting and authentication of credentials and in access controls.

The amounts spent by the Government on cybersecurity in the last 3 years reinforce the understanding that not enough attention has been given to the protection of public information systems. In 2019, R$15 million was used for the implementation of the national cyber defense system; in 2020, the value fell to R$12 million; and in 2021, the total reached R$7 million by December.

Public systems are a great target for hackers. Due to the bureaucratic nature of the country, they store a lot of official data not only about public institutions, but also about private companies and virtually every individual. It is no secret that personal data and confidential information are highly valued – not only because of criminal activity – and that their protection needs to be enhanced. Ironically, despite the few resources spent on practical security measures, the country is currently enforcing a new regulation to protect personal data, the Brazilian General Data Protection Law (LGPD).

THE RISK FOR COMPANIES AND THE POPULATION

Due to the pandemic, the migration of activities to the online environment increased exponentially. More people started doing daily tasks online. Meanwhile, companies must deal with the challenges of employees working from home. This created new opportunities for cybercrime in Brazil, a fact that may explain the record of 481 million malware infection attempts registered in the first 8 months of 2021, according to a survey by Kaspersky. The total represents a 23% increase compared to the same period of 2020.

For individuals, one of the biggest risks is the leakage of personal information. Public and private databases (like that of the Health Ministry) can be hacked for such data, which can later be used by criminals to open bank accounts, take out loans, and acquire credit cards.

Brazil has proven risky even for the proprietary information of large companies. The country ranks 5th in the world in the number of hacker attacks against companies, according to Roland Berger consulting. Attacks can leak business secrets or lead to the interruption of services. Specialists state that breaches often occur because of a lack of employee training regarding information security and because of inadvertent disclosure.

MANAGING RISKS

According to INTERLIRA’s team of Data Protection Officers, many companies incur risks because they think that the IT sector is responsible for security. In fact, this should be a separate field, and the protection of information, whether in its physical format or digitally stored, should rely on the granting of access privileges according to needs, and on controls.

In addition, companies also fail when they try to solve problems “as they appear” and do not anticipate them. They also fail to verify the need to change behaviors after an attack. Another problem is that it is hard to measure the return on investing in protection; therefore, many businesses prefer to implement only the basics. Finally, there is a lack of education and of specialized professionals, who are regularly attracted by higher salaries from companies abroad.

Risks are inherent to any activity; the best way to deal with them is to reduce their chance of occurrence. Normally, a few simple measures, like procedures and training, are enough to significantly increase the protection of assets.
