Accounts Court warns of serious cybersecurity risks in the public sector


Brazil’s Federal Accounts Court has published a booklet about the high-risk situation that federal public agencies continue to face with regard to cybersecurity.

In the document, the court offers urgent recommendations for public sector managers to mitigate the risks of cyber incidents that “can significantly harm the government and citizens and negatively impact the process of digital transformation in the country.”

The court recalled cyber incidents that hit some federal organizations, such as the Health Ministry in December last year, which suffered a hacker attack that hampered the issuing of the Covid national vaccination certificate and the updating of pandemic data. 

The booklet was prepared based on an inspection carried out by the court, which found that most public bodies are still at an early level of maturity in terms of information security and cybersecurity controls — a situation which increases the risk of cyber threats and attacks. 

The study showed, for instance, that more than half of the 377 public organizations analyzed do not adequately deal with hardware that is not authorized by the agency’s administration, nor do they maintain a process of evaluation and monitoring of hardware and software to mitigate vulnerabilities or have a process for receiving incident notifications.

With that in mind, the accounts court’s document points to cybersecurity actions that need to be urgently implemented by federal agencies. These include the need for public managers to take inventory and control of corporate IT equipment and software; the provision of ongoing vulnerability and incident response management; and the establishment of programs for security awareness and training.

Back in June, the Accounts Court released another report showing that two years after the General Data Protection Law (LGPD) came into effect in Brazil, government agencies still had a long way to go to fully comply with the new norms regarding data protection and privacy.