Digital Security Practices in Brazil – ICT Companies 2023

ICT Companies 2023 survey was launched on May 14 , which presents extremely important data on accessibility and the role of the internet within national companies. It collected data from 4,057 companies with more than 10 employees in Brazil and had the support of the Ministry of Economy, the Brazilian Institute of Geography and Statistics (IBGE), the Institute for Applied Economic Research (IPEA) and a group of experts from various sectors. Due to the importance of information, this research is essential to understand the growth of organizations' online presence and their concern with digital security .

Information collection took place from March to December 2023, with the aim of measuring the use and possession of information technology and companies' telecommunications processes. In this way, it was possible to obtain a comprehensive overview of how organizations use the internet and how this process has evolved in recent years .

Based on the use of the internet, it was possible to consolidate information on cybersecurity and digital communication. We have prepared this material with everything you need to know about the recent TIC Empresas 2023 survey.

ICT research is based on methodological standards and indicators defined internationally in manuals from institutions such as the International Telecommunication Union (ITU). It is also aligned with the methodological references proposed in the manual of the United Nations Conference on Trade and Development (UNCTAD), prepared in partnership with the Organization for Economic Co-operation and Development (OECD) and the European Commission's Statistical Institute (Eurostat) through the multi-sector Partnership on Measuring ICT for Development initiative.

Digital security practices covered in the ICT Companies 2023 survey

Developed to understand the technological processes and digital behavior of Brazilian companies, the ICT Companies 2023 survey also brought fundamental digital security practices to ensure a stronger cybersecurity strategy. Among the main practices covered, we can mention:

Digital security risk in the employment contract

Considering the immense growth in cyber attacks today, it is essential to establish what the digital security risks are in the employment contract. Digital security is a priority in the context of modern companies , mainly due to the increase in remote work and dependence on digital systems and resources.

In this sense, it is essential that digital security risks are addressed in the employment contract , so that company employees have a broader view of how processes should be carried out and what strategies should be implemented.

Regarding the size of the companies, there is a large discrepancy between the people interviewed on the topic. Larger companies end up mentioning digital security risks in employment contracts more frequently than smaller companies (31%) , reaching 64% of respondents.

Digital security on meeting agendas

This topic discusses the inclusion of digital security in meeting agendas, highlighting the relevance of these strategies in the company in relation to its activities. In this sense, the research also revealed that larger companies end up addressing the topic more frequently, reaching 75% of respondents.

While in small companies, this rate is much lower, 39%. Data like this demonstrates that smaller companies are less concerned about addressing issues related to cybersecurity.

Incentive to mitigate digital security risks

To be able to keep its networks and devices more secure, it is necessary for the company to implement efficient strategies. For this reason, the incentive offered by companies to mitigate digital security risk is fundamental to increasing cyber protection.

These incentives can be provided through a bonus policy, formal recognition for membership, awards, among other resources . Through this strategy, managers will be able to offer rewards to employees who act in favor of cybersecurity, such as creating secure passwords, using digital resources appropriately, alerting the IT team about possible security flaws, among other measures.

Training on digital security risk management

Making your employees understand the importance of implementing more efficient practices to avoid problems related to digital security is one of the most important aspects of your protection strategy. Training on risk management is essential for employees to adopt a preventive stance and build a digital culture focused on protecting information .

A digital security culture is an approach that must be implemented in the daily lives of all companies . This means that the rules established by the company and the appropriate use of digital resources that are part of the business must be part of the routine of all employees.

Through this approach, it is possible to make employees aware of the main cyber threats, their consequences and the damage they can cause to the company's structure and image. This way, employees will be better prepared to identify possible risks and will know the best strategies to overcome these challenges .

Which companies have most adopted digital security practices in Brazil?

Among the many variables that were evaluated by the research, the profile of companies that are most advanced in relation to digital security practices was also analyzed, taking into account the size, location and sector in which that company operates.

Regarding size, it was evident that larger companies are more concerned about digital security. This difference is perceived more explicitly in relation to the discussion of digital security risks in organizational meetings, with companies with more than 250 employees showing a response rate of 75% on the topic, while companies with 10 to 49 employees, just 39%.

In the case of the company's location, there are some variables, but nothing that presents a major distinction. An example of this is in relation to the implementation of training on digital security risk management for employees. While in the southeast region 26% of companies adopted this practice, in the northeast region this rate is 35%, in the center-west 34%, north 38% and south 31%.

In terms of operating markets, the Information and Communication sector leads the list, with the implementation of security-focused training in 63%. The sector also leads in other categories, such as discussing the safety agenda in meetings (80%), mentioning safety requirements in employment contracts (66%) and implementing incentives (43%).

The accommodation and food sector was the one that presented the worst results in the survey, highlighting the cyber vulnerability of companies operating in this market.

Large companies are more concerned about digital security practices

One of the most relevant aspects of the TIC Empresas 2023 survey is related to the size of companies that demonstrate greater or lesser concern with digital security practices. The research showed that the larger the company, the greater its concern with cybersecurity.

Following the same line of results, larger companies also responded positively to the discussion of digital security risks in organizational meetings, as well as presenting better rates in relation to the implementation of training and qualification on digital security risk management.

No major difference was noted regarding the implementation of performance incentives for employees to reduce digital security risk, making it clear that this measure is not a high priority for organizations. 

Information and communication: the market with the most digital security practices

The TIC Companies 2023 survey took into account several operating markets, such as:

• Manufacturing industry;
• Construction;
• Trade, repair of motor vehicles and motorcycles;
• Transport, storage and mail;
• Accommodation and food;
• Information and communication;
• Real estate activities, professional, scientific and technical activities, administrative activities and complementary services;
• Arts, culture, sport and recreation, other service activities.

Due to the need for protection that these sectors present, the information and communication area was the market that presented the highest rate of digital security practice, presenting the highest results taking into account the four axes of the research, which are:

• Mention of digital security risks in employment contracts
• Discussion about digital security risks in meetings of company units
• Offer performance incentives to employees that reduce cybersecurity risk
• Promote training on digital security risk management, such as online courses, workshops, seminars, conferences or training offered through internal meetings

Regarding the rate of discussion of digital security risks in the organization's meetings, 80% of respondents from this sector responded positively to this approach, mentioning the topic frequently in the meetings held.

In addition, the information and communications sector also showed a greater implementation of training and training on cybersecurity, with 63% of companies interviewed.

Following this trend, 66% of information and communication companies report mentioning digital security risks in the employment contract. These numbers demonstrate how advanced the information and communication sectors are in terms of implementing security measures and protection protocols that should be part of organizations' routines.

The sectors that were most concerned about the digital security of their organizations were the information and communication sector, followed by the sectors of real estate activities, professional, scientific and technical activities, administrative activities and complementary services.

Regarding companies with the lowest level of concern about cybersecurity, the accommodation and food sector is the one with the worst results in the four axes of the research, with a 20% positive response in relation to the implementation of training and qualification on security digital.

Implementation of digital security policy in Brazil

The digital security policy or information security policy is a document developed to define rules, practices and responsibilities aimed at protecting information on a company's systems . Within a company, this policy should include strategies for how employees need to handle confidential information, levels of access allowed, use of mobile devices to perform tasks, and measures to be implemented in the event of a security breach.

This means that the digital security policy is developed to protect the organization's information , allowing the company to comply with current regulations and remain competitive by protecting its image in the market. An example of a security policy is the “Internet access control policy ”, which can transform your company’s security strategy.

Considering the data from the TIC Empresas 2023 survey, the implementation of a digital security policy in Brazil is urgent. The survey data shows that many companies still do not understand cybersecurity as a priority, and must adapt to market needs and establish methodologies and guidelines that help protect their information.

The growth of cyber attacks demonstrates that the more prepared the company is about how tasks should be carried out, placing data protection as a priority, the more protected its information will be. According to data from Check Point Research , in the second quarter of 2023 about one in every 44 companies worldwide suffered a ransomware attack per week.

Digital security policy coverage factors

As we saw previously, digital security policy is an essential set of actions within today's companies . The coverage factors of this policy must consider the roles and responsibilities regarding risk management regarding digital security, inclusion of processes for cooperation and training of employees.

Additionally, this policy must also include:

• Processes to enable cooperation in exchanging information within the organization: the security policy establishes processes and procedures to facilitate cooperation and exchange of information between different departments and interested parties within the company.
• Audit review and improvement cycle: This policy defines processes for carrying out regular audits, reviews and vulnerability analysis, ensuring that security measures are up to date and effective.
• Risk assessment: it is also part of the security policy to establish guidelines for the assessment of digital security risks, such as the identification and analysis of potential threats, vulnerabilities and associated impacts.
• Processes to decide how much risk should be assumed, reduced, transferred and avoided: based on the risk assessment carried out, the security policy allows managers to establish processes to decide the acceptable level of risk for the organization.
• Selection of digital security measures: the policy allows the establishment of criteria for the selection and implementation of digital security measures appropriate to the organization's specific needs and risks.
• Business continuity and resilience: definition of plans and procedures to ensure business continuity and operational resilience in the event of security incidents.
• Digital security risk transfer: The security policy establishes rules and guidelines for the transfer of digital security risk through insurance or other forms of risk mitigation.
• Awareness and training: Inclusion of awareness and training programs to make employees aware of safe digital security practices

Although there is no significant difference in the factors that were studied during the research, it is important to clarify the importance of adherence to national security policy . All of these processes contribute so that, together, the organization can adapt more intelligently and efficiently with regard to security measures.

PNCiber, the National Cybersecurity Policy, . Its objective is to provide guidance and support for activities related to cybersecurity in the country, representing a major step forward in today's cybersecurity strategy.

90% of large companies have a digital security policy

A very significant finding from the research carried out is that 90% of large Brazilian companies already have a digital security policy implemented . However, these data are worrying in relation to smaller companies.

In contrast, smaller companies demonstrated poor adherence to digital security policies. This lack of adherence may be a direct reflection of a lack of resources, knowledge or the idea that they are not susceptible to cyber attacks due to their size or visibility. However, it is essential that even small and medium-sized companies adopt a digital security policy to increase information protection and ensure business continuity.

Operating market with greater adherence to digital security policy

Regarding the sector of activity, there are some fluctuations that should be highlighted. Both the information and communication sector and the real estate sector, scientific and technical professional activities presented more positive results regarding the implementation and adherence to a digital security policy, when compared to sectors with the worst results, such as the Accommodation and Food sector. and the Construction sector.

This difference is mainly due to the sensitive nature of the data that is handled and stored by these companies . While the information and communication sector presents a rate of 86% of companies with a digital security policy, the sector of real estate activities, professional, scientific and technical activities presents 72% of companies with an implemented policy.

The accommodation and food sector presented a result of 39%, and the Construction sector 46%, which, although they also deal with sensitive data, do not have a direct impact on the processing of information. These numbers show that the type of information collected has a direct impact on the implementation of a Digital Security Policy.

As was explained in other aspects of the research, the accommodation and food sector had the lowest rate of adherence to the Digital Security Policy, 39%. The other sectors presented superior results, as shown in the values ​​below:

• Transport, storage and mail, 53%
• Arts, culture, sport and recreation, other service activities, 52%
• Manufacturing industry, 52%
  
• Trade, repair of motor vehicles and motorcycles, 50%
• Construction, 46%

Adherence to new technologies by Brazilian companies

In conclusion, the ICT Companies-2023 survey also brought relevant data on the adoption of new technologies by companies. Although technological advances have been considerable in recent years, many companies still have low adoption of certain resources , such as the internet of things and artificial intelligence.

Although there will be a growth from 21% to 29% in the use of new technologies between 2021 and 2023 by medium-sized companies , it is necessary to evaluate this data in more depth . This is because this growth was largely due to the increased use of security devices, such as smoke detectors, alarms and cameras.

The use of AI and IoT is not widespread in Brazilian companies

The use of Artificial Intelligence is led by the Information and Communication sector, with a result of 40%. On the other hand, the Accommodation and Food Sector presented the lowest result, representing only 6% of the companies interviewed.

Regarding the implementation of automation tools through the Internet of Things, the results are similar. Leading the survey is the Information and Communication sector (37%), and also larger companies (36%). The construction sector was the one that presented the lowest results, with 9% of companies questioned.

The research also took into account the way in which Artificial Intelligence is applied, which questioned the following points:

• Marketing or sales;
• Production processes;
• Organization of business administration processes;
• Business management;
• Logistics;
• Digital security;
• Human resources management or recruitment.

Automation aimed at digital security is led by the arts, culture, sport and recreation sector, other service activities , which presented a result of 70%, while the commerce sector, repair of motor vehicles and motorcycles and the activities sector real estate, professional, scientific and technical activities, administrative activities and complementary services, presented a result of 39%.

The research also took into account companies that used smart devices or the internet of things, according to the type, with emphasis on use for facility security, such as alarm systems, smoke detectors, door locks and smart security cameras . In this category, companies of all sizes presented similar results, varying between 84% and 85%.

According to the sector, the category is led by companies engaged in real estate activities, professional, scientific and technical activities, administrative activities and complementary services and transport, storage and mail, with a result of 88%. The other sectors also showed good results, such as the Information and communication sector (80%) and Manufacturing industry (85%).

The use of emerging technologies, such as artificial intelligence and intelligent automation sensors, is still quite restricted, being used more frequently by larger companies. The advancement of technology has been very present among larger companies, mainly due to the use of artificial intelligence solutions in carrying out everyday tasks.

Automation has been widely used in simpler tasks, such as chatbots for customer service. The tendency is that, over the years, there will be an expansion of the process of automating tasks and workflows, allowing the performance of even more complex services.

The expectation is that the growth of commercial offer and the deeper development of these technologies will allow companies from all sports to be able to implement resources of this type in their routine.

Increased use of the cloud for data storage

According to the data collected by the research and the information provided by the companies themselves, the lack of use of these resources is mainly due to the lack of specialized teams to deal with this technology, the acquisition cost and even the lack of knowledge of these functionalities.

Regarding cloud processing technology, currently according to the survey, one in three companies already uses this resource. While in 2019 around 23% of companies used cloud processing, in 2023 this number reached 33%. The practicality and availability that this technology offers has made this resource one of the most used by organizations.

The research showed that in recent years, there has been a slight increase in the percentage of companies that recognize the importance of investing in security software services . Faced with the growing threat of cyber attacks and the constant evolution of technologies, companies are increasingly aware of the need to protect their data.

Given the huge increase in the use of technologies to optimize processes and improve results, it is necessary to adopt advanced tools to protect business networks against external and internal threats. These tools allow companies to control internet access, block unwanted content, protect their confidential data and monitor network usage in real time.

Whether aimed at a small company concerned with controlling employees' internet access or a large corporation seeking protection against more sophisticated and harmful cyber attacks, this type of tool can be a valuable ally in the organization's cyber protection strategy.

Conclusion

The ICT Companies 2023 survey brought valuable insights into the use of information technology in Brazilian companies and highlighted the importance of robust digital security practices. It is clear that large companies are more advanced in implementing security policies, but there is an urgent need for awareness and adoption of these practices in small companies as well.

Implementing a culture of digital security, promoting continuous training and investing in protection technologies are fundamental steps to guarantee data security and business continuity. Regardless of size or sector, all companies must be aware of cyber threats and adopt preventive measures to mitigate risks and protect their operations .