More Brazilian companies are aware of the risks of cyber attacks, as well as space in their budgets for strategies to mitigate these threats has grown, but the proportion that suffered a recent incident has barely changed, according to research commissioned by Mastercard from the Datafolha Institute.
The ‘Digital Security Barometer 2025’, presented this Wednesday, shows that almost eight in ten Brazilian companies (78%) realize that their sectors are exposed to fraud and digital attacks. In the previous study, referring to 2022, this percentage was 64%.
The most recent survey also reveals that 53% of companies give cybersecurity top priority in their budgets — more than double the figure recorded in 2022 (23%) — and that 18% invest more than 20% of their budget in digital security — compared to 6% in the previous study.
This movement can be seen in advances in the internal structure of companies, with three out of every four companies (75%) claiming that they now have their own area or department dedicated to digital security, a percentage that has more than doubled compared to the previous survey (35%).
The percentage of companies with annual planning for digital security also grew: 56% in 2025, compared to 26 in 2022.
Despite the greater degree of preparedness, in 2025, 12% of the companies consulted said they had suffered a cyber attack in recent months, up from 10% in the previous study. Among those who suffered attacks, the average was two episodes in the period.
Continues after advertising
‘We have indeed evolved…but perhaps we haven’t reached the level of maturity…to shield or protect…to be able to minimize attacks’, Daniel Vilela, Vice President of Products and Solutions at Mastercard Brasil, told Reuters.
‘We are in the first phase, which is to become aware and have a sense of the problem and then prepare, develop defenses, implement the actions that are necessary to actually mitigate it’, he added, highlighting that there is also the ‘other side’, with the criminal always looking for opportunities to evolve.
Vilela highlighted that cyber crime today generates trillions of dollars and continues to advance, already using, for example, artificial intelligence to exploit new vulnerabilities. ‘It’s a constant game of cat and mouse,’ he added.
Continues after advertising
Answers and challenges
But the research points to advances in companies’ ability to respond. In the most recent survey, 86% of companies say they have a plan ready to deal with possible attacks, including data recovery, damage reduction and internal and external communication. In 2022, this percentage was 79%.
Furthermore, 75% carried out simulations of attacks or leaks in the last three months to check for flaws in the digital security system, more than double the number recorded three years ago, while 96% say they usually carry out tests to assess points of vulnerability and improvement.
The Barometer shows that the adoption of new technologies, including digital biometrics, artificial intelligence and encryption, has gained traction.
Continues after advertising
More than half already use biometrics extensively to reduce the use of passwords in internal and customer processes, while 47% use encryption to mitigate leaks of critical company data and 43% use artificial intelligence to prevent data leaks and other fraudulent actions.
There are, however, still challenges involving the area of cybersecurity. The research shows that, before 2022, the percentage that considers it very difficult to find qualified professionals to manage the company’s digital security system has significantly decreased, but it still represents 25%.
The portion that considers it very difficult to make all company professionals aware of the importance of cybersecurity is also smaller, but still reaches 18% – while 42% consider this movement to be somewhat difficult. In 2022, these percentages were 48% and 32%, respectively.
Continues after advertising
According to Vilela, employees are still among the main points of vulnerability. ‘It continues to be the weakest link’, he said, citing the misuse of unauthorized emails, downloads and software and highlighting that this explains the increase in recurring training and permanent campaigns.
‘It’s not training that you give punctually. It’s a campaign that is almost evergreen now.’
He pointed out, however, that another relevant bottleneck is in the supply chain. According to the executive, a significant portion of incidents occur not due to direct failures by companies, but due to breaches in third parties that have access to their systems.
‘Although sometimes the contracting company’s system is well protected, it has robust security, this third party does not, and then what happens is that fraudsters end up entering, finding a way to enter the main company’s system’, he stated.
