The majority of federal government institutions in Brazil are at high risk of cyberattacks, a new report produced by the Court of Federal Audits (TCU) was found.
A cluster of 29 areas at high risk of vulnerability, abuse of power, mismanagement or drastic change was analyzed in the report, its first edition. On cybersecurity, the report found that setting up the federal government was “positive, but not enough.”
According to the report, the federal government was unable to respond and handle cybersecurity incidents satisfactorily, and there were several gaps in both information security and cybersecurity across most government agencies. center.
Among the report’s findings, TCU notes that 74.6% of organizations do not have a formally approved fallback policy negotiated between the organization’s IT and business areas. Furthermore, 71% of organizations that host their systems on their own servers do not have a specific backup plan for their primary system.
In addition, TCU found that 66% of federal government agencies that perform backups do not use encryption. More than 80% of organizations are in the early stages of building IT business continuity capabilities.
The report found that 60.2% of organizations in the federal government do not keep copies of themselves in at least one destination that is not remotely accessible. It adds that this carries the risk that the backup files themselves could be corrupted, deleted, and/or encrypted by attackers or malware, making the organization’s backup/restore process difficult. ineffective in the event of a cyber attack.
The report cited numbers around the ongoing digitization of public services in Brazil, which has so far covered 73.1% of services provided by the federal government. The TCU report notes that the digital transformation in public service delivery has increased reliance on IT services and, therefore, the risks and damages that security failures and unavailability of the service may cause.
Among the recent examples of incidents cited in the report, TCU highlighted cyberattack against the Ministry of Health, whereby COVID-19 vaccination data disappearedas well as the attack against the High Court of Justice, described as “worst cyberattack ever carried out against a Brazilian public institution, in terms of scale and complexity”.
Regarding what needs to be done to address the shortcomings of federal management in Brazil, TCU notes that basic measures must be taken to ensure the continuity of business processes and service delivery in the country. in the event of an information security incident. This includes “implementing general policies and continuity plans, as well as maintaining effective internal controls, such as those related to the implementation of contingency procedures.”
TCU also noted that it has approved its own cybersecurity strategy and information. In addition, the Court of Audit has planned specific actions and initiatives, including rapid monitoring of key cybersecurity controls, to raise agencies’ awareness of the importance of cyber security. importance of these issues and improve the federal government’s current state of cyber security.
According to TCU, the idea behind this strategy is to foster a culture of information security within federal public administrations and help them maintain well-defined processes for information governance and management, and network security. “The goal is to reduce the risk and possible impact of attacks and incidents,” the report notes.
