Cybersecurity at the Crossroads - Brazil and Mexico

Executive Summary

Over the past 12 months, cybersecurity challenges have intensified across the globe. The world witnessed one of its most significant technology disruptions when a misconfigured CrowdStrike update took millions of Windows-based systems offline, impacting businesses and governments worldwide. Closer to home, Brazil and Mexico faced their own cybersecurity pressures. Highprofile ransomware attacks targeted public agencies(1), DDoS campaigns disrupted banking and transportation services(2), and fraudulent bot activity surged across e-commerce and financial platforms(3). As digital infrastructure becomes more tightly woven into national economies and daily life, the need for resilient, proactive cybersecurity defenses has never been more urgent

For Brazil and Mexico, the stakes are particularly high. Both countries have accelerated their adoption of digital technologies across sectors such as finance, healthcare, and government services—creating new efficiencies but also new vulnerabilities. Meanwhile, the tools available to ill-intended actors have become more sophisticated, scalable, and automated, making it easier than ever for small groups to launch large-scale attacks..

Against this backdrop, the need for more cybersecurity and digital resilience is greater than ever - yet a closer look at the last 12 months finds security programs in a precarious position. The headwinds facing cybersecurity initiatives are more significant now than they were previously. Many of these are non-technical, covering issues such as budget scrutiny and confusion over who is responsible for cybersecurity in organizations

Fastly’s AVP, Gonzalo de le Vega, points out: “Content scraping is a major issue in these two countries, driving strong demand for bot solutions that can detect and block bad actors without slowing down customer experiences or work processes."

As mentioned in our Global Security Report, online security is at a crossroads. To gain more insight into how corporations are dealing with key cybersecurity issues and where the industry is headed, in late 2024, Fastly worked with business and consumer market research agency Sapio to survey 1800 worldwide IT decision makers, all with an influence in cybersecurity. This report, focused on the Nordics, offers deep insights into their cybersecurity challenges and how they plan to overcome them. Here are some of the key findings

• Security initiatives are on a knife-edge. While more IT decision makers (87%) expect cybersecurity investment to increase over the next year, the results from this spending will be under intense scrutiny. Security teams face an uphill struggle as they try to convince senior executives to continue budgeting in ways that make effective defense strategies possible. The C-suite has plenty of other priorities to address, especially in areas such as digital transformation and IT modernization, and they feel that cybersecurity initiatives slow them down

• Organizations face challenges scaling their cybersecurity operations. As they struggle to justify their function to the board, there are also worrying signs of inefficiencies in cybersecurity. Over a third of respondents felt that they had no clear idea of where they should allocate cybersecurity resources, which correlates with a feeling of over-investment.

• The market is not providing the talent that companies need. There are also signs of an inability to scale cybersecurity efforts as capacity and complexity demands increase. Traditionally, companies have invested in more talent to try to keep up with burgeoning cybersecurity needs, but this year sees a deep dissatisfaction with the available talent pool. That calls for a rethinking of skills management practices to cope with evolving cybersecurity needs

• Technology complexity is holding back cybersecurity efforts. The technology organizations use to fight cyber threats are also an issue as companies look to scale their cybersecurity initiatives. Businesses are also still laboring under complex, overlapping toolsets that make cybersecurity operations such as incident response more difficult. 2024’s CrowdStrike outage has thrown security products and services into the spotlight, as security leaders begin to question the risks and benefits of their cybersecurity tooling.

Recovery time

There’s no denying that 2025 is off to a turbulent start as far as the political climate goes, and the tone in the raging debates is often uncompromising, and lines get drawn fast. That alone might be enough to keep CISOs up at night, proving that they work for a company that can find itself in the crosshairs of public opinion. It’s a short distance from “all is well” to “we’re under attack”.

There is nothing that points towards the amount of online attacks getting smaller. It doesn’t really matter whether you look at it in terms of the number of attacks, the damage they create, and the amount of time it takes to mitigate them, clean up, and try to prevent them from happening again. Online attacks remain an often-used strategy to hurt businesses where they feel it the most: reputation and revenue.

We asked participants from Brazil and Mexico how long ot typically takes to fully recover from online attacks. On average, they estimated 7.56 months. This is approximately one week longer than the global estimate of 7.34 months. But we should also point out that 30% of the global respondents said they’ll have cleaned up within an impressive 1-3 months. 25% saw attacks that took more than a year to recover from.

So why the large delta? One answer is undoubtedly that recovery times rise as cybersecurity investment falls. We saw a direct correlation between those companies that expect to spend less in the next 12 months and those expecting recovery time exceeding eight months. The gap between perception and reality continues to grow - companies planning to reduce cybersecurity investments take nearly 11 months to recover from incidents, about a third longer than they anticipate. In contrast, organizations that maintain or increase their cybersecurity spending recover significantly faster

Preventive measures top the list of recovery tactics

For Brazil and Mexico, the two most common responses around preventive measures are implementing stronger security (50%) and providing additional employee training (48%) - reflecting a focus on “lessons learned” and prevention of future attacks. Both are quite a bit higher than the worldwide results - 43% and 41% respectively. While there is nothing unusual in the response with the highest priority, some may find that it’s surprising to see additional training rank this high. We believe there are two reasons for this: companies are still adjusting their security procedures to accommodate a flexible culture when it comes to where you work. Secondly, social engineering is increasingly being used as the hunting ground for inroads, and with work being conducted all over the place, training on how to be more vigilant is needed.

More companies in Brazil and Mexico are prioritizing specific actions that aid incident recovery, such as restoring from backups (44% - up from 38% worldwide) or communicating with stakeholders (36% - up from 34% worldwide). Forensic analysis - critical for pursuing legal action against malicious insiders or external attackers and for regulatory reporting - is the least commonly cited, at just 25%, which is similar to the worldwide response. On a positive note, 44% of respondents from Brazil and Mexico are allocating additional budget toward incident response playbooks and supporting tools, sharply up from 32% worldwide

When surveyed, most regional businesses rely on internal resources for recovery, with 75% turning to their IT teams. 41% engage external cybersecurity firms for support. Fewer than one in three respondents opted to use cyber insurance to offset costs, a number we expect to continue to decline, as the average cost of a data breach in 2024 reached an all-time high of $4.88 million.

Finally, Brazil and Mexico show less loyalty than the rest of the world when it comes to their EDR vendors. 34% of respondents said that in light of recent security events, they are considering changing vendors. Still, many keep using their existing tools and instead look for ways to better utilize or optimize them. At 51%, more than half of the respondents in these two countries answered that this was their preferred approach.

Confidence vs. Reality: Are Organizations Overestimating Their Infrastructure Security?

Security incidents have long been a part of everyday life for IT professionals, and almost every company has experienced them. For both Brazil and Mexico, as well as worldwide, only 9% of those polled did not have an (known) security incident. In the past year, on average, the organizations we polled had 40 known incidents. American businesses were the ones most affected; they experienced one incident per week, and with 64 incidents over a 12-month period, larger organizations were even more exposed owing to their greater attack surface and possibly the reach of their brand.

It bears repeating that an incident isn’t necessarily the same as an online attack. In fact, of those asked, 31% of Nordic businesses answered that they had incidents due to misconfigurations, with software bugs coming in at an astounding 43%! Yet, patches and IT changes often arrive too slowly, creating security gaps for 20% of the companies polled. Embracing Secure DevOps (SecDevOps) can help prevent bugs upfront and accelerate fixes for vulnerabilities that slip through

An additional key issue is the tension between manual and automated processes. Manual steps contributed to 27% of incidents, with 17% of respondents reporting problems due to reliance on employees manually enforcing security policies, rather than embedding security into their technology solutions

Cyber incidents wreak financial havoc

No matter who or what is the cause of a cyber incident, everyone polled end up with significant revenue losses. 22% of those asked in Brazil and Mexico could see the effect on the bottom line. Worldwide, companies lost an average of 3% of revenue when there were financial losses. Although it’s less measurable in terms of cost, downtime is another big consequence, closely followed by data loss.

It’s important to remember that online security incidents pose significant legal and regulatory risks. 25% of the combined respondents in Brazil and Mexico reported compliance violations, while 16% indicated that customer accounts had been compromised, which could lead to breaches of privacy laws.

Reputational damage is also a major concern, affecting 20% of the combined organizations in Brazil and Mexico. Additionally, 17% experienced a decline in customer trust, and similarly, 22% noted a decrease in customer satisfaction. These issues have a direct impact on customer retention, with 13% of organizations reporting an increase in customer churn following an incident.

Confronting the Next Wave of Threats

Concern over cyber threats remains high. The rise of automated attackers is particularly troubling, with 37% of respondents saying it keeps them up at night. Many question whether their current security tech stack can keep pace: 21% cite a lack of automation in their defenses, while 21% are held back by sluggish change management processes. In fact, automating cybersecurity is the second-highest security priority over the next 12 months, identified by 23% of the respondents. The anxiety is casting a shadow over innovation. While digital transformation promises growth, 44% worry that expanding their software footprint and digital infrastructure will increase their exposure to attacks, especially since 37% are concerned they don’t have the experience to secure modern and complex architectures. More broadly, 59% believe they are unprepared to face sophisticated threats, and 35% say their internal cybersecurity technologies aren’t strong enough to protect them.

Is Cybersecurity Spend Keeping Pace with Rising Risk?

Effective cybersecurity doesn’t happen without appropriate investment. As threats multiply and adversaries grow more sophisticated, organizations must continue to commit meaningful resources to the defense of their online storefronts and infrastructure. Yet despite strong intentions, the data we see reveals critical shortfalls.

In 2023, 75% of respondents indicated plans to increase cybersecurity spending. One year later, half reported underinvesting in key areas. In their own words, this is raising concerns about exposure to threats. This sentiment is particularly acute in the U.S., where 50% of organizations acknowledge gaps, correlating with the region’s high incident volume. The combined number for Brazil and Mexico was lower at 46%.

Interestingly, worldwide, 71% say their current investments align with strategic objectives (an impressive 84% for this region). So why do so many still feel underinvested in online security?

Investments Are Hard to Justify

Tight budgets aren’t the only reason respondents have trouble securing funds earmarked for protecting against online threats. The answers revealed that cybersecurity is often seen as an obstacle to working on other priorities. An astonishing 47% of respondents’ senior executives worry that this very issue could slow down innovation. IT modernization is a significant component in digital transformation efforts, and 47% feel that investments in cybersecurity hinder that initiative.

Cybersecurity professionals must justify their costs to the C-suite, but 42% fail to do so. While 85% of the respondents feel their investments have supported revenue and growth goals, confidence that they have quantified the ROI from cybersecurity spending is better than most, at 81%. Part of the problem is understanding where to spend those dollars; worldwide, 36% said they had invested far too much, with no clear plans on where to allocate resources

Trimming Security Budgets Is a Shortcut to Exposure

On a positive note, an astonishing 96% of respondents plan to increase their cybersecurity investment this year. However, given that half of the companies this time around say they’re still under-invested, intentions alone may not translate into reality.

It’s also good to see that only 4% of organizations expect to reduce cybersecurity spending. While that number might seem high, this doesn’t mean that those respondents will scale back their level of protection. Those companies may be shifting to lower-cost solutions, consolidating vendor contracts, or exploring open source alternatives.

Optimizing spend is sensible. But the data shows that this cost-cutting cohort may be paying the price: Those expecting to scale back budgets experienced an average of 68 security incidents in the past year - 70% more than the overall average of 40. That raises important questions about the hidden costs of cutting corners

Risk Analysis: The Foundation of Smart Cyber Investment

Maximizing the impact of cybersecurity spending starts with a mature approach to risk analysis. By identifying the most significant threats to their specific environment, organizations can target investment toward preventative and response efforts that deliver meaningful protection.

Risk is a language the C-suite understands. Cybersecurity leaders can bridge the gap by highlighting high-level risk mitigation metrics that clearly demonstrate how security enables safe innovation and business transformation.

Collaboration with engineering and production teams is Cybersecurity at the Crossroads 8 also key. Embedding security earlier in the development lifecycle - particularly through automation - can make protections more effective, less disruptive, and easier to scale.

The Cybersecurity Skills Gap: A Growing Threat in itself

Professional skill shortages continue to be a major obstacle in cybersecurity, and the Nordic region is no exception. More than one-third (39%) of organizations cite a lack of the necessary expertise to address modern security threats. Compounding the issue, 37% of those in region acknowledge underinvestment in cybersecurity talent, both in terms of hiring and compensation. As a result, training and talent acquisition have become the top priority for 30% of organizations when looking at the coming twelve months.

The consequences of a cybersecurity talent shortage can be severe. Organizations not only become more vulnerable to cyberattacks but also face longer response times and higher costs when incidents occur. These challenges place additional strain on existing teams and can hinder ongoing preventive efforts.

A significant contributor to the gap may be a misalignment between where companies are searching for talent and where qualified professionals actually reside. Over half (55%) of the organizations polled report that the talent pool lacks the specific skills they require, but at the same time, 19% say they are not facing major issues in hiring for cybersecurity roles.

As many in the industry can attest, the development of security talent is not immediate. Turning recent graduates or entry-level hires into effective team members requires considerable time and effort. These individuals must not only acquire technical expertise with the organization’s tools and systems but also develop a nuanced understanding of internal workflows and company culture.

These challenges are expected to become more pronounced as organizations grow. Operating in larger, more complex environments adds pressure, particularly for less experienced hires. 20% of respondents identified “inexperience with large-scale technology infrastructures” as a significant barrier to success within security teams.

According to AVP Gonzalo De la Vega, the cybersecurity professionals he meets bring a high level of expertise: “The conversations we’ve had in this region have been highly advanced, showcasing the deep knowledge and strong technical backgrounds of the experts we work with.”

Addressing these issues requires a deliberate and sustained focus on nurturing talent pipelines, investing in upskilling programs, and aligning recruitment strategies with actual organizational needs

Alternatives to External Recruitment

Companies should direct their skill development efforts toward internal improvement, given the existing challenges. There are several options:

Upskilling. The existing workforce can learn new responsibilities because they already understand your company culture and have a basic understanding of your operational systems and processes.

Mentoring. Junior employees learn valuable skills through on-the-job training provided by experienced staff members, which helps them develop into successful professionals.

Cross-functional collaboration. Security teams that communicate better with IT, compliance, support, and product development teams will develop employees who understand security’s role within different organizational functions. The organization should consider implementing secondments within this framework. The ultimate goal should be to expand both skillset and responsibilities into non-security teams. The integration of security Cybersecurity at the Crossroads 9 knowledge between product development teams enables them to implement secure-by-design principles during their development process.

Internal recruitment of staff who work across different functions provides multiple benefits. Such a practice demonstrates that every employee must contribute to security responsibilities. The initiative helps organizations advance their digital transformation goals. An integrated security culture supports the digital transformation process while addressing the security concerns of 40% of companies who believe their vulnerability to attack will rise during this period.

Mapping the shift in accountability

When a cyber incident happens who gets held responsible? Regulators now direct their accountability judgments to the chief information security officer (CISO). In October 2023, the USA-based SEC prosecuted not just SolarWinds but also its CISO, Timothy G. Brown, with fraud and internal control failures. Although most charges were later dismissed, the regulatory bodies have used new language to define the liability of CISOs explicitly.

An Empty Response to CISO Liability

Most organizations have implemented policy modifications to reflect the changing accountability structures, according to 94% of respondents. Numerous organizations implement changes that lack genuine substance. The most commonly implemented measure, which grants CISOs attendance rights at strategic discussions, stands as an unremarkable development (52%).

Some measures are defensive or box-ticking exercises. The 47% of organizations that plan “increased scrutiny of security disclosure documentation from supervisory agencies” are simply committing to rule compliance. The same proportion of organizations plan to provide legal defense to their cybersecurity employees for potential agency investigations. Among the surveyed group, only 20% of respondents stated that CISOs face legal obligations for cybersecurity standards.

“These security measures are nice, but little more than self-preservation”, says Fastly CISO Marshall Erwin. “Those aren’t actually improving your security posture.”

Who Does the Buck Stop With?

A major problem stems from an unclear distribution of cybersecurity incident responsibility among different parties. The organization lacks an explicit cybersecurity leader because multiple staff members at various levels demonstrate minor accountability responsibilities. According to the survey results, the CISO ranks third in accountability (10%), with security engineers taking first place (22%). Security managers come in second at 21%.

Some positive indicators exist. The increasing number of teams taking on cybersecurity accountability demonstrates that incident responsibility now extends past traditional security roles, which include application Cybersecurity at the Crossroads 10 developers (14%), SOC analysts (9%), and site reliability engineers (9%).

These theoretical results would create universal responsibility among all individuals. In practice, it means no one is. Only 42% of respondents clearly identify roles and responsibilities for cybersecurity. A lack of clear ultimate responsibility exists for nearly twothirds of organizations, since 58% experience unclear cybersecurity incident accountability. At the end of the day, someone needs to take responsibility.

Employees in the Cross Hairs

The entire organization needs to understand security as an organization-wide responsibility while providing employees with the authority to execute policy. Social engineering attacks stand as the most feared security threat for the upcoming year, according to 44% of respondents. The transition to hybrid work environments has created new security challenges because 75% of organizations expect their remote workers to become attack targets.

The majority of organizations (88%) confirm they properly explain cybersecurity compliance to their entire workforce. The approach appears successful because 81% of employees outside IT state their work affects cybersecurity, and 68% of staff members comply with cybersecurity rules. The main challenge stems from insufficient cybersecurity education, which 55% of the Nordic organizations face.

The ability to follow established rules depends on having sufficient resources to do so. An impressive 87% of companies say they provide those resources, meaning that only just more than 10% do not. Reporting procedures are not always clear. The majority of respondents (73%) confirm that incident reporting follows a clear process accessible to all staff, but non-IT employees lack confidence in identifying and responding to security threats (64%).

Choosing the Right Tools for a Shifting Landscape

Cybersecurity threats require continuous evolution, which demands corresponding updates to our defensive tools.

44% of the Brazilian and Mexican organizations polled identify social engineering as their main security concern. This encompasses other common threats like phishing, which is a crucial step in attacks such as business email compromise and ransomware. (Lack of relevant technical skills ranked second at 39%.)

Multiple security threats converge into an intricate environment, which complicates the situation further. The threat of account takeover identified by 18% of respondents originates from phishing attacks. Data exfiltration (a worry for 32% of those asked) is a common outcome of ransomware compromise.

As mentioned earlier, the SolarWinds hack and Kaseya ransomware attack have led organizations to identify third-party compromise as a significant security concern, according to 15% of respondents.

Investing for Protection

The broad investment of organizations into protection measures includes strategic purchases of products and services aimed at countering threats. Organizations show positive investment trends toward contemporary authentication systems, which rank as the thirdmost important investment at 40%. Identity and access management tools, together with multi-factor authentication, will help organizations fight against social engineering attacks that serve as the foundation for many other security threats.

The growing danger of API exploitation makes many organizations reconsider their security measures through API gateway security investments, which reached 43%. A total of 39% of organizations have purchased web application firewalls. The investment in WAF products exceeded the 24% of organizations that expressed concern about web application exploitation, yet these products serve as standard defensive measures against multiple attack types, including small DDoS events. Web application and API security solutions receive an average yearly investment of $1.58 million from organizations.

We were surprised to find DDoS investments in eighth place, at 31%, and bot mitigation near the bottom at 20%. Bots serve as primary instruments in credential stuffing attacks, which frequently lead to account takeover incidents.

The investment went toward incident response services to manage cybersecurity incidents. Risk transfer stands as one possible approach, which shares the top investment rank with modern authentication at 40%, along with cyber insurance. Organizations choose to prevent cyber threats and respond to incidents through managed security services companies, since a staggering 51% of respondents have adopted this approach.

Organizations that choose security outsourcing often work with multiple service providers, since 33% of all survey participants adopted this approach, while 34% placed their security response under a single external service provider. 19% of organizations choose to unite their security response activities under internal teams, while 14% split their security response activities between internal teams and external partners.

The Current Security Tools Remain Difficult to Integrate With Each Other

The use of duplicate tool sets creates difficulties for respondents. On average, organizations make use of 7.85 network and application security solutions, while Brazil and Mexico combined stand out with 8.95 solutions. Among those polled, there’s a 44.5% tool redundancy rate.

Rewriting the Security Playbook: Centralized and Built-In from Day One

If there’s one key takeaway from our latest survey, it’s this: businesses are caught between escalating cyber threats and limited cybersecurity budgets. While 91% of those polled recognize cybersecurity as essential, almost half (46%) admit they still feel vulnerable due to underinvestment. Many plan to increase spending, but history shows that intent doesn’t always lead to action. A major hurdle? Justifying the cost to senior leadership, who often see greater value in directing those funds elsewhere.

The reliance on fragmented and overlapping tool sets exacerbates this problem because these cybersecurity franken-stacks are both expensive and complex to integrate and maintain. They are also a natural consequence of reactive cybersecurity strategies that evolve piecemeal over time to track a changing threat landscape.

Time for Security by Design

Organizations must innovate to tackle burgeoning security risks more efficiently while stopping costs and complexity from spiraling out of control. This demands a standard mechanism of identifying and mitigating threats that they can apply across the whole business.

Toolset consolidation is a key component of this mechanism, as it helps to reduce complexity and cost. It requires mature risk management, mapping tool functions to risks based on each risk’s impact and probability. This will vary based on factors such as sector and company size.

The other requirement is a set of universal principles for security, and the will to apply them in the development of everything from customer-facing products and services through to internal workflows. Applied from the design stage onward, this will strengthen security from the inside out.

Implementing this security by design concept into software architecture is a priority for just 20% of our respondents, ranking sixth among other mitigations. That’s understandable, because it’s a cultural change as much as a technical one, and those are difficult to engineer.

We also face another problem: 32% of our respondents feel that cybersecurity is a waste of time and budget that would be better spent elsewhere. Those feeling that way are far more likely to decrease their cybersecurity investment (55%).

Lack of cybersecurity visibility among senior executives is a problem here, warns Erwin. “If your security program is effective, then you are mitigating a lot of risk and reducing the likelihood of compromise or incident. However, your leadership will not see that value directly,” he says.

This attitude will be more difficult to change, but mapping a direct line between cybersecurity investments and quantifiable risk-based outcomes is the first step.

1. https://apnews.com/article/mexico-president-hacking-attack-ransomhub-ransomware-a97fa044850ba05f574f71d2af3d67c8

2. https://www.reuters.com/business/aerospace-defense/brazil-air-traffic-control-not-affected-by-global-outage-some-flights- delayed-2024-07-19/

3. https://socradar.io/lockbit-conti-and-blackcat-166-ransomware-attacks-put-brazil-in-the-crosshairs-in-2024