The vast majority of federal government organizations in Brazil are at high risk of cyber attacks, according to a new report produced by the Federal Audit Court (TCU).
The report, which is in its first edition, analyzed a group of 29 areas representing high risk in terms of vulnerability, abuse of power, mismanagement or the need for drastic change. With regard to cybersecurity, the report finds that the federal government’s set-up is “active, but inadequate”.
According to the report, the federal government cannot adequately respond to and handle cybersecurity incidents, and there are several vulnerabilities in both information security and cybersecurity at most central government agencies.
Among the findings of the report, the TCU noted that 74.6% of organizations do not have a formally approved backup policy negotiated between the business units and the organization’s IT. In addition, 71% of organizations that host their systems on their own servers do not have a dedicated backup plan for their main system.
In addition, the TCU found that 66% of federal government agencies performing backups do not use encryption. More than 80% of organizations are in the early stages of building IT business continuity capability.
The report found that 60.2% of federal government organizations do not keep their copies in at least one non-remotely accessible destination. It added that there is a risk that the backup files themselves could be damaged, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process ineffective in the event of a cyber attack.
The report cited figures on Brazil’s ongoing digitization of public services, which has so far covered 73.1% of federal government services. The TCU report noted that the digital transformation in public services has increased reliance on IT services and, with it, the risks and damage that security failures and unavailability of services can cause.
Among the recent examples of incidents cited in the report, the TCU highlighted the cyber-attack on the Ministry of Health, which wiped out COVID-19 vaccination data, as well as the attack on the Superior Court of Justice, described as “the worst cyber-attack ever undertaken against a Brazilian public institution, in terms of scale and complexity”.
Regarding what needs to be done to address the shortcomings in the federal government in Brazil, the TCU noted that basic measures should be taken to ensure continuity of business processes and services in the event of information security incidents. This includes the “implementation of general policies and continuity plans, as well as maintaining effective internal controls, such as those related to the implementation of backup procedures.”
The TCU also noted that it had approved its own information and cybersecurity strategy. In addition, the Court has planned specific actions and initiatives, including agile monitoring of critical cybersecurity controls, to raise awareness among agencies of the importance of these issues and to improve the current state of federal cybersecurity administration.
According to the TCU, the idea behind the strategy is to foster a culture of information security in federal government agencies and help them maintain well-defined processes of governance and management of information and cybersecurity. “The goal is to minimize the risks and potential consequences of attacks and incidents,” the report said.