How Long Does It Take to Detect a Cyberattack?

The average time it takes to detect cyberattacks or security breaches varies depending on a number of factors. Still, based on recently gathered data, a few trends emerge — and they might surprise you.

Are you thinking minutes or hours here? If only it were that quick.

Typical Cybersecurity Attack and Containment Time

A look at some of the recent cybersecurity data shows a broad range from days to months to detect and contain a breach or attack.

Verizon’s 2021 Data Breach Investigations Report (DBIR) analyzing over 79,000 breaches across 88 countries showed that roughly 60% of incidents were discovered within days, but 20% took months before organizations realized something was wrong.¹

The IBM Cost of a Data Breach Report 2023, which examined 553 organizations in 16 countries, went into more detail about the length of time to detect and contain an attack. In attacks that were disclosed by the attacker, the mean time to identify and contain an attack took 320 days.² Breaches identified by organizations’ internal security systems took a mean time of 241 days to identify and contain.² Finally, breaches identified by a benign third party took a mean time of 273 days to identify and contain.²

Cybersecurity Risk Factors

Cyberattacks target organizations of all sizes. Often, small to medium-sized businesses mistakenly feel that hackers will only target large organizations. But studies have shown that small businesses are three times more likely to be targeted by cybercriminals than larger companies.³

How you proactively prepare could determine how much of a chance a hacker has to break through your defenses. Preparing now could save your business from big headaches and could limit the potential for damage.

Two major cybersecurity risk factors to consider are:

• Where are you vulnerable to cyberthreats?
• If a hacker is able to capitalize on a vulnerability, what's the risk to your business? 

During a cyberattack, you could have your files encrypted and backups deleted. If this ransomware attack happens, the hacker may ask you to pay a ransom to unlock your data.

If your data is locked for an extended length of time, you could even be putting your organization at risk of going out of business.

What to Do During a Cyberattack

Once a hacker has entered through a compromised device and onto your network, their main goal will be to move slowly and undetected through your system while watching your internal data.

This phase of undetected watching and waiting is called dwell time. If not detected by the business right away, it’s possible a hacker could dwell within your network for months, gathering information before revealing themselves. During this time they could be searching for information such as:

• Bank account details (to access your finances)
• Supplier invoice patterns (to learn how to mimic your suppliers and send imposter emails)
• The configuration of your backups (to understand how to encrypt them)

This is why it’s crucial to be prepared. We recommend that every organization has a cybersecurity incident response plan in place. Use this plan to document such information as:

• Root cause
• Entrance point
• What data was accessed or taken
• Extent of exposure during the attack
• How you’ll remove the hacker from your system
• How you’ll restore your files
• Communication protocols for internal and external audiences
• An incident recap to document lessons learned and new prevention measures

Already having such a plan in place ahead of time can go a long way and is one of many proactive measures to take.

Related: What is the Average Cost to Recover from a Cyberattack?

Prepare Your Defenses Against Cybercriminals

You can be proactive or reactive. Reactive responses generally mean a hacker has executed their attack and released their payload into your environment. This is also referred to as a zero-day attack. Having to react to a hacker could be devastating and costly to your business.

A better way to detect a cyberattack is proactively by installing tools to spot malware and other intrusions and protect your business.

The first important tool is an Endpoint Detection and Response (EDR) solution, which looks for odd occurrences and behaviors involving your data. You’ll also want to implement a Managed Detection and Response (MDR) solution to provide 24/7 monitoring of your networks, endpoints and cloud environments. MDR monitors logged data across your networked infrastructure — searching for any indication of a threat presence.

Both MDR and EDR search for malicious actors on your network. They proactively watch your network and alert you and your security partner to ensure that the malicious actors are discovered and kept out of or removed from your system before they inflict more damage.

Join Forces with a Technology Management Partner

A Technology Management partner can provide peace of mind while providing a layered, proactive approach to cybersecurity. 

Elevity is here to help mitigate cyber threats with our 4S approach by using the right Strategy, Security, Solutions and Support you’ll need to monitor your network around the clock and keep your business protected. 

But first, it’s important to know where you currently stand with cybersecurity and risk. That’s why we created a free tool you can use to assess yourself. It only takes a few minutes, and once you’re finished, we’ll send an email with recommendations for the next steps.

Click the link below to take our Cybersecurity Risk Assessment today.

¹Verizon, Data breach detection time: How to minimize your mean time to detect a breach, accessed October 12, 2023.

²IBM, Cost of a Data Breach Report 2023, accessed October 12, 2023.

³Cybersecurity & Infrastructure Security Agency, Accelerating Our Economy Through Better Security: Helping America’s Small Businesses Address Cyber Threats, May 2, 2023.