Cybersecurity for the Public Sector and Government in Brazil
Resposta direta
Cybersecurity in the Brazilian public sector protects essential services (health, education, tax collection, digital identity) and the personal data of millions of citizens held by the State. Public agencies are priority targets of ransomware, database leaks and hacktivism, and are subject to LGPD (Law 13.709/2018), the rules of the GSI/PR and the coordinated response of the CTIR Gov. Decripte structures defense based on the NIST CSF, ISO 27001 and MITRE ATT&CK, offering a 24x7 SOC, incident response in under 1h and LGPD adaptation — starting with the free Threat Management diagnostic.
Principais conclusões
- ›Public agencies — from municipalities to courts and public hospitals — are high-value targets: they concentrate citizens' sensitive data and operate essential services whose downtime has immediate social impact, which raises the pressure to pay in ransomware attacks.
- ›The processing of personal data by public authorities is expressly governed by LGPD (Law 13.709/2018, arts. 23 to 32), with specific legal grounds, a duty of transparency and oversight by the ANPD; a public agency is not exempt and answers for leaks.
- ›Information security in the Federal Public Administration is regulated by the GSI/PR (Institutional Security Office of the Presidency) through Normative Instructions and Ordinances, and incident response is coordinated by the CTIR Gov.
- ›The most frequent threats are ransomware with service outages, exfiltration and leakage of citizen databases, attacks on digital services like gov.br, fraud/financial diversion, hacktivism and improper exposure of open databases.
- ›Recognized frameworks — NIST CSF, ISO/IEC 27001, MITRE ATT&CK and CERT.br recommendations — provide the structure to identify, protect, detect, respond and recover, anchoring policies, controls and auditable metrics.
- ›Decripte combines a free Threat Management diagnostic (decripte.com.br/intelligence-center) with paid services — 24x7 SOC, Incident Response in under 1h, Pentesting, LGPD/ISO and CISO-as-a-Service — for agencies of any size, from the small municipality to the federal entity.
Why the public sector is a priority target and what is at stake
The Brazilian public sector carries a unique combination of attributes that make it one of the most coveted targets for criminal groups and hacktivists: massive concentration of citizens' personal and sensitive data (national ID, health data, biometrics, tax information, social ties), operation of essential services whose interruption has immediate social impact, and — in many agencies, especially municipal ones — limited technology budgets, a heterogeneous technology fleet and lean IT teams. A municipality that loses access to its tax collection, payroll, health and records systems faces more than a technical problem: it paralyzes public service, leaves civil servants without pay, suspends prescriptions and appointment scheduling and jeopardizes the continuity of State functions.
Unlike the private sector, where the risk calculation revolves around financial and reputational loss, in the public sector what is at stake is the State's very capacity to serve the citizen and to protect information the citizen is obliged to hand over — there is no option to "not share data with the municipality." This asymmetry creates a heightened duty of care: the citizen does not choose the security level of the agency that holds their health data or their tax records. When a public database leaks, the harm falls on millions of people who had no part in the security decision and who often do not even know their data is at risk.
Attackers perceive this pressure and exploit it. In ransomware attacks against public agencies, the urgency to restore essential services — a hospital without medical records, a tax department without a revenue system — is used as an extortion lever. Groups that practice double extortion (they encrypt the data and threaten to publish it) know that a public agency has more to lose from the disclosure of citizens' data, which raises the likelihood of payment or, at least, the political cost of the response. Hacktivism adds to this scenario: defacements of portals, taking services down through denial of service (DDoS) and ideologically motivated leaks aim to embarrass managers and expose weaknesses in a deliberately public way.
What is at stake, therefore, goes beyond the availability of a system. At stake is the citizen's trust in the State's digital transformation — in gov.br, in the digital ID, in health scheduling, in the electronic invoice. Each poorly handled incident erodes that trust and, ultimately, pushes the population back to more expensive and less efficient analog channels. Structuring cybersecurity in the public sector is, above all, protecting the legitimacy and continuity of digital public service.
Threat map against municipalities, agencies and digital public services
Ransomware is, today, the threat of greatest operational impact for the public sector. The attack pattern usually follows the chain described by MITRE ATT&CK: initial access via phishing, leaked valid credentials or exploitation of exposed services (VPNs and RDP without multi-factor authentication), lateral movement through the internal network, privilege escalation, data exfiltration and, finally, mass encryption. In municipalities and autarchies, the absence of network segmentation means a single compromised endpoint contaminates entire departments — health, education, finance and administration — bringing down all services at once. Recovery without intact and tested backups can take weeks, with essential services down the whole time.
The leakage and exposure of citizen databases is the second major front. It can occur through exfiltration during an attack, through incorrect configuration of storage exposed to the internet (buckets, databases and admin panels without authentication), through digital public service APIs with faulty access control, or through misuse of civil servants' credentials. Public health databases, social registries, tax data and identity records are especially sensitive because they enable fraud, social engineering and discrimination. LGPD classifies health, biometric and racial-origin data, among others, as sensitive personal data, with reinforced protection — and the leakage of this type of data by a public agency is an incident of mandatory notification to the ANPD and to data subjects.
Attacks on digital public services — transparency portals, records systems, identity platforms like gov.br, tax and health systems — include SQL injection, authentication and authorization flaws, abuse of password recovery functions, session hijacking and identity fraud for improper access to benefits. Fraud and financial diversion appear in payment systems, procurement and payroll, frequently combining corporate email compromise (BEC) with alteration of the bank details of vendors and civil servants. And the improper exposure of open databases occurs when data that should be anonymized or of restricted access is published without proper treatment, violating the border between transparency (Access to Information Law) and data protection (LGPD).
Finally, hacktivism and denial of service (DDoS) target availability and image. Defacements of official portals, unavailability of accountability sites on symbolic dates and politically motivated leaks are vectors that require edge protection (WAF, DDoS mitigation) and continuous monitoring. Mapping these threats against each agency requires intelligence: knowing which civil servants' credentials have already leaked, which services are exposed on the internet, which databases may be misconfigured and which groups have the agency as a target. That is exactly the mapping Decripte's free Threat Management offers as a starting point.
Os dados da sua empresa de governo e setor público já estão expostos? Descubra agora — de graça.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The regulatory framework: LGPD in the public sector, GSI/PR and CTIR Gov
The General Data Protection Law (Law No. 13.709/2018) dedicates a specific chapter to the processing of personal data by public authorities (arts. 23 to 32). LGPD makes clear that public-law legal entities must process data to fulfill their public purpose, in pursuit of the public interest, with the objective of executing legal competencies or fulfilling legal attributions of the public service — and that they must inform the situations in which they carry out processing, providing clear information about the legal basis, the purpose and the procedures. Public agencies are not exempt: they are subject to the law's principles (purpose, adequacy, necessity, transparency, security, prevention and accountability), to the duty to adopt security measures, and to the oversight of the National Data Protection Authority (ANPD). The shared use of data between public entities and the transfer to private entities have their own rules, and the ANPD may request a data protection impact report.
In the event of a security incident that may pose relevant risk or harm to data subjects, LGPD imposes on the controller — including the public agency — the duty to notify the ANPD and the affected data subjects within a reasonable timeframe. This means a municipality or autarchy that suffers a leak of citizens' data has concrete legal obligations: assess the extent, notify, mitigate and be accountable. The figure of the data protection officer (DPO) also applies to the public sector, serving as the point of contact with the ANPD and with data subjects. Structuring LGPD compliance in a public agency, therefore, is neither optional nor merely formal — it is a condition of the legality of processing the data of millions of citizens.
At the federal level, information security is regulated by the Institutional Security Office of the Presidency of the Republic (GSI/PR). The GSI issues Normative Instructions and Ordinances that define the National Information Security Policy, minimum cybersecurity requirements for the Federal Public Administration, incident management, requirements for contracting IT solutions and governance guidelines. GSI Normative Instruction No. 1 and its complementary Ordinances establish everything from the information security management structure to cloud security requirements and incident handling. Although many of these rules directly bind the federal Executive, they have become established as a reference of good practice for states, municipalities and other entities, which can and should adopt them as a baseline.
Incident response in the federal government is coordinated by the CTIR Gov — Government Cyber Incident Prevention, Handling and Response Center, linked to the GSI/PR, which acts as the government CSIRT, receives incident notifications, issues alerts and guides handling. Completing the regulatory ecosystem are Law No. 12.527/2011 (Access to Information Law — LAI), which defines what is public and what is confidential and balances transparency with data protection; the Internet Civil Framework (Law No. 12.965/2014), with principles of privacy, log retention and neutrality; and the government's interoperability and usability standards — e-PING (Electronic Government Interoperability Standards) and e-PWG (Web Standards). For the national technical ecosystem, CERT.br (of NIC.br) publishes good practices and incident statistics that support defense. Decripte anchors its deliverables in this framework, adding international frameworks like NIST CSF and ISO/IEC 27001 to give an auditable structure to policies and controls.
How Decripte implements cybersecurity in public agencies
Implementation begins with the diagnostic, and the diagnostic begins for free. Decripte's free Threat Management (decripte.com.br/intelligence-center) maps the agency's exposure surface on the internet — exposed services and portals, accessible admin panels, possibly misconfigured databases — and monitors relevant threats, such as civil servants' credentials and institutional domains already leaked in previous incidents, with the support of a team and artificial intelligence 24x7. This initial map turns a diffuse perception of risk into a prioritized list of concrete problems, and gives the public manager an objective basis to decide where to invest first. It is the natural step for an agency that needs to start structuring security without an initial budget.
From the diagnostic, Decripte structures defense following the NIST Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — and aligns controls with ISO/IEC 27001 to ensure an auditable Information Security Management System, compatible with the GSI/PR requirements for the Federal Public Administration and useful as a baseline for any entity. In the Identify and Protect layer, the scope includes continuous Vulnerability Management (discovery, prioritization by risk and remediation tracking), Preventive/EDR on endpoints and servers (behavioral detection and threat containment), and Edge/WAF protection for exposed digital portals and services, mitigating injection, application abuse and DDoS. Pentesting validates, with real techniques mapped in MITRE ATT&CK, whether the controls resist a determined attacker.
In the Detect and Respond layer, Decripte's 24x7 SOC monitors the agency's environments without interruption, correlating events, hunting threats and triggering the response when it detects malicious activity. For the public sector, continuous operation is decisive: attacks on essential services do not respect business hours, and the difference between containing ransomware at the first compromised endpoint and discovering it after the whole network has been encrypted is, precisely, the 24x7 surveillance. Incident Response with engagement in under 1h ensures that, when something happens, a specialized team is immediately available to contain, eradicate and recover — minimizing the time public service is down.
In the governance layer, LGPD/ISO Consulting and CISO-as-a-Service give the agency the compliance structure and security leadership that many cannot maintain internally. This includes adapting the processing of citizens' data to LGPD (database mapping, public-sector legal bases, policies and support for the DPO), preparation for audits, definition of policies aligned with the GSI/PR and e-PING, and the figure of an outsourced CISO who translates technical risk into management decisions. For agencies with digital identity initiatives, crypto assets or contracts with distributed-ledger technologies, the Web3 front covers emerging surfaces. All of this is delivered in the "from MEI to Enterprise" model: a small municipality engages the essentials and grows according to maturity; a federal entity or court structures a complete program.
Sua operação em governo e setor público aguenta um ataque hoje? Comece o diagnóstico gratuito.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Incident response in an essential service: containment without paralyzing the citizen
Responding to an incident in an essential service has a constraint that exists in almost no other context: it is not enough to contain the attack, you must contain it without shutting down what the citizen needs. When the affected system is a public hospital's medical record, appointment scheduling, the tax system or the civil servants' payroll, the response must balance the urgency of isolating the compromised environment with the obligation to maintain or quickly restore the service. That is why incident response in the public sector begins long before the incident: with a documented response plan, defined roles, agreed communication channels and tested backups.
Decripte's response flow follows the established phases — preparation, detection and analysis, containment, eradication, recovery and lessons learned — in line with NIST CSF and with the guidance of the CTIR Gov and CERT.br. In detection, the SOC identifies the compromise and classifies the severity. In containment, the affected assets are isolated (segmentation, blocking of compromised credentials, cutting off lateral movement) while preserving, whenever possible, the critical services in a secure environment. In eradication, the attacker's presence is removed and the entry points are closed. In recovery, systems are restored from intact backups, with validation that the environment is clean before returning to production. Evidence preservation (chain of custody) is maintained throughout the process, enabling forensic analysis and any eventual investigation.
The regulatory dimension of the response is as important as the technical one. In incidents involving citizens' personal data, the agency has the duty to notify the ANPD and data subjects when there is relevant risk or harm, in accordance with LGPD. At the federal level, there is the notification to the CTIR Gov and compliance with the GSI/PR rules. Decripte conducts the technical response and, simultaneously, supports the agency on the trail of legal and communication obligations, preventing the rush to restore services from leading to omissions that increase accountability. Communicating well — internally, to the press when necessary and to the population — is part of the response: silence and misinformation erode even further the trust already shaken by the incident.
Engagement in under 1h is what makes this flow viable in practice. In ransomware, each hour of delay expands the encryption and the exfiltration; in an active leak, each hour expands the volume of exposed citizen data. Having a response team on standby, integrated with the SOC that already knows the environment, is the difference between a circumscribed incident and an institutional crisis. For agencies that do not yet have a response contract, the recommendation is to start now with the free diagnostic — because the worst moment to look for a response team is during the attack.
The citizen's angle: personal data in the hands of the State
There is a citizen behind every record in a public database. When a person gets a document, schedules an appointment in the public health system, pays a tax, receives a social benefit or authenticates on gov.br, they hand the State data they often have no alternative but to provide. This relationship of obligation creates, for the public agency, a stricter duty of protection than that of a private company: the citizen cannot "switch providers" if the municipality is negligent with their health data. LGPD recognizes this asymmetry by reinforcing principles of purpose, necessity and security in processing by public-law legal entities and by guaranteeing the data subject rights of access, correction and information about the use of their data.
The harm of a leak in the public sector is particularly serious because the data under the State's custody is, frequently, the most sensitive and the most permanent in a person's life. A card number can be changed; a national ID, a health history, a biometric or a racial-origin data point cannot. Leaked public databases feed identity fraud, targeted scams, improper credit opening and even discrimination. That is why LGPD treats sensitive personal data — health, biometrics, genetic data, religious conviction, political opinion, racial or ethnic origin, sex life — with reinforced protection, and why a public agency's care with these databases has a direct and lasting reflection on people's concrete lives.
Protecting the citizen also means balancing transparency and privacy. The Access to Information Law guarantees the population's right to know how the State works and how it spends public money, but that right does not authorize the indiscriminate publication of personal data. A transparency portal that exposes national IDs, addresses or health data alongside public-spending information confuses transparency with a privacy violation. Correctly structuring what is public data, what should be anonymized and what is confidential — on the border between the LAI and LGPD — is part of the cybersecurity and data governance work that protects, at the same time, the right to information and the right to privacy.
Finally, protecting the citizen is protecting trust in digital government. Every public service that migrates to digital — from the ID card to health scheduling, from the invoice to the electronic signature — depends on the citizen believing their data will be safe. A single major leak of a public database harms not only the direct victims: it erodes the whole population's willingness to use the State's digital services. Investing in cybersecurity in the public sector is, ultimately, investing in the viability of Brazil's own digital transformation project — and the citizen is the final beneficiary of each well-implemented control.
Where to start: from the free diagnostic to the complete program
Many public managers freeze in the face of cybersecurity, believing that a large budget and a specialized team are needed to take the first step. They are not. The first step is to understand the agency's real exposure, and that can be done at no cost. Decripte's free Threat Management (decripte.com.br/intelligence-center) delivers an objective map of vulnerabilities and risks, monitors threats relevant to the agency's domain and credentials and counts on a team and artificial intelligence operating 24x7 — turning an abstract fear into a list of prioritized and actionable problems that fits the reality of a small department.
With the diagnostic in hand, the agency progresses at the pace of its maturity and its budget. The nearly universal priorities in the public sector are: intact and tested backups (the best defense against ransomware), multi-factor authentication on all remote and privileged access, network segmentation to contain lateral contamination, vulnerability management to close the most exploited doors, and an incident response plan with a team on standby. From there, the 24x7 SOC, Incident Response in under 1h and LGPD adaptation make up a complete, auditable security program, anchored in NIST CSF, ISO 27001 and the GSI/PR rules.
Decripte serves agencies of all sizes — municipalities of small towns, state departments, autarchies, courts, hospitals and public health networks, schools and public education networks, and federal entities — in the "from MEI to Enterprise" model. The small municipality starts with the essentials and grows; the large entity structures from the outset a comprehensive program with governance, SOC, response, pentesting and compliance. In all cases, the logic is the same: reduce real risk, protect citizens' data and ensure the continuity of essential services. Start today with the free diagnostic and discover, concretely, where your agency is exposed.
Termos do setor
- CTIR Gov
- Government Cyber Incident Prevention, Handling and Response Center, linked to the GSI/PR. It functions as the federal government's CSIRT: it receives security incident notifications from Federal Public Administration agencies, issues alerts and guides handling and coordinated response.
- GSI/PR
- Institutional Security Office of the Presidency of the Republic, the body responsible for regulating information security in the Federal Public Administration through Normative Instructions and Ordinances, defining the security policy, minimum cybersecurity requirements and incident management and governance guidelines.
- Sensitive personal data
- A category defined by LGPD covering data on racial or ethnic origin, religious conviction, political opinion, membership in a union or organization, data related to health, sex life, genetic and biometric data. It receives reinforced protection due to its potential to cause discrimination and serious harm to the data subject when exposed.
- Essential service
- A public service whose interruption causes direct and immediate impact on the population, such as health (hospitals, scheduling, medical records), tax collection, digital identity, civil servants' payroll and records. The continuity of these services is a priority in public-sector incident response.
- e-PING
- Electronic Government Interoperability Standards — a set of premises, policies and technical specifications that regulate the interoperability of electronic government systems and services in Brazil, guiding integration between agencies and the standardization of data and digital public services.
- LAI
- Access to Information Law (Law No. 12.527/2011), which regulates the constitutional right of access to public information, defining rules of active and passive transparency, response deadlines and situations of confidentiality. It must be harmonized with LGPD to ensure transparency without exposing citizens' personal data.
Por onde começar
- Start with the free diagnostic: run Decripte's Threat Management at decripte.com.br/intelligence-center to map the agency's exposure on the internet (exposed services and portals, accessible panels) and discover whether credentials and institutional domains have already leaked.
- Inventory assets and data: identify which systems operate essential services and which databases contain citizens' personal and sensitive data, classifying them and mapping the legal bases of processing required by LGPD for the public sector.
- Ensure intact and tested backups: implement offline or immutable backups, with periodically tested restoration, as the main line of defense against ransomware and the outage of essential services.
- Activate multi-factor authentication and segment the network: require MFA on all remote and privileged access and segment the network by department/function to prevent a single compromised endpoint from contaminating the whole agency.
- Establish continuous vulnerability management: discover, prioritize by risk and fix the vulnerabilities of exposed systems, portals and digital services, closing the entry points most exploited by attackers.
- Deploy 24x7 monitoring and detection: engage a 24x7 SOC with EDR on endpoints and WAF at the edge of digital services, correlating events to detect and contain threats before they become large-scale incidents.
- Have an incident response plan ready: document the flow (preparation, detection, containment, eradication, recovery), roles, chain of custody, and the duties to notify the ANPD, data subjects and the CTIR Gov, with a response team on standby engageable in under 1h.
- Structure continuous governance and compliance: align controls with NIST CSF, ISO 27001 and the GSI/PR rules, appoint the DPO, and consider CISO-as-a-Service and LGPD/ISO consulting to keep the program alive, auditable and evolving.
Perguntas frequentes
Is a public agency subject to LGPD?
Yes. LGPD (Law No. 13.709/2018) dedicates articles 23 to 32 to the processing of personal data by public authorities. Public-law legal entities must process data to fulfill their public purpose and in the execution of legal competencies, observing the law's principles (purpose, necessity, security, transparency, accountability) and the duty to inform the situations of processing. Public agencies are not exempt: they are subject to the ANPD's oversight and answer for incidents and leaks of citizens' data.
How do I engage the CTIR Gov in case of an incident?
The CTIR Gov (Government Cyber Incident Prevention, Handling and Response Center), linked to the GSI/PR, is the federal government's CSIRT and receives security incident notifications from Federal Public Administration agencies, issuing alerts and handling guidance. Federal agencies must notify the CTIR Gov in accordance with the GSI/PR rules. In parallel, it is advisable to have a specialized incident response team that conducts the technical containment and supports compliance with legal obligations. Decripte conducts the response and supports the agency on this regulatory trail.
My municipality was attacked by ransomware. What do I do now?
Act immediately: isolate the affected systems from the network to contain propagation (without abruptly shutting down assets that may hold evidence), preserve records and evidence, and engage a specialized incident response team — Decripte's Incident Response is engageable in under 1h. Do not pay a ransom without guidance. Assess the extent of the citizen data leak to fulfill the duties to notify the ANPD and data subjects foreseen in LGPD. Restore systems from intact backups only after confirming the environment is clean, and document the whole process.
How do I adapt the processing of citizens' data to LGPD in a public agency?
Start by mapping all personal and sensitive databases and the purposes of each processing operation. Identify the legal basis applicable to the public sector (execution of public policies, legal competencies, compliance with a legal obligation). Implement security measures, define policies and processes for serving data subjects' rights, appoint the DPO as the point of contact with the ANPD, and establish an incident response plan with the notification duties. Decripte's LGPD consulting conducts this process end to end, integrating it with technical security.
Which information security rules apply to the Federal Public Administration?
At the federal level, the GSI/PR (Institutional Security Office of the Presidency) issues the main rules — Normative Instructions and Ordinances — that define the information security policy, minimum cybersecurity requirements, incident management, cloud security and governance. Incident response is coordinated by the CTIR Gov. Completing the set are LGPD, the Access to Information Law, the Internet Civil Framework and the e-PING/e-PWG standards. Frameworks like NIST CSF and ISO 27001 serve as a technical baseline, including for states and municipalities.
Small public agency, no budget and no IT team, where do I start?
Start with what is free and objective: Decripte's Threat Management (decripte.com.br/intelligence-center) maps the agency's exposure and monitors threats with a team and AI 24x7, at no cost, delivering a prioritized list of problems. Then, focus on the highest-impact, lowest-cost priorities: tested backups, MFA on remote and privileged access, network segmentation and fixing the most critical vulnerabilities. Decripte serves in the "from MEI to Enterprise" model, allowing the agency to progress at the pace of its budget and its maturity.
How do I balance the Access to Information Law with LGPD data protection?
The Access to Information Law (Law No. 12.527/2011) guarantees active and passive transparency about the functioning and spending of the State, but it does not authorize the indiscriminate disclosure of citizens' personal data. The balance lies in correctly classifying what is information of public interest, what should be anonymized and what is confidential or personal. Transparency portals and open databases must apply treatment (anonymization, restriction) to personal data, in compliance with LGPD, before publication. This data governance is part of the cybersecurity work Decripte structures.
Planos indicados para Governo e Setor Público
Serviços da Decripte mapeados para as ameaças e regulamentações do seu setor — do diagnóstico gratuito ao SOC gerenciado.
Consultoria LGPD Setor Público
Adequação à LGPD (arts. 23-32), IN GSI/PR e decretos de governança digital.
SOC 24x7 Gerenciado
Detecção e resposta a APTs, espionagem digital e ataques a infraestrutura crítica.
Resposta a Incidentes
Coordenação com CTIR Gov, ANPD e notificação obrigatória aos órgãos competentes.
Gestão de Vulnerabilidades
Patch management e hardening de serviços públicos digitais e portais cidadão.
A Decripte implementa a segurança do seu setor — sem você montar um time interno.
Pentest, SOC 24x7, resposta a incidentes e conformidade, com SLA e relatórios executivos. Ou comece de graça vendo o que já vazou da sua empresa.
