Breach Discovery: How Long Does Detection Take?

May 10th, 2019 | 2019-09-06T08:38:30-07:00

How quickly you can detect a security breach will help determine the extent of the incident’s impact on your company and your customers. How efficiently you notify the impacted individuals is crucial as well. Time to detection can affect the amount of data you lose and your compliance with relevant regulations. Increasingly, the media is reporting information about the time it takes companies to respond to a breach, meaning the effectiveness of your response can influence the public’s perception of your company as well.

So, how long do detection and notification typically take, and how long should they take? To help us understand these questions, we’ll break the process down into three steps — occurrence, discovery and notification.

  • Occurrence is when the breach happened.
  • Discovery is when the company became aware of the breach.
  • Notification is when the company informed the appropriate regulatory bodies or affected individuals of the breach.

After an incident occurs, detection is the next thing that must happen for the issue to get resolved. Ideally, you can detect a breach as quickly as possible, but how long does it typically take to detect a breach?

How Long Does It Take to Detect a Security Breach?

According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, based on interviews with 2,200 professionals from 477 companies, the average time to detect a data breach is 197 days. This figure represents a decrease from 206 days in the 2017 study and 201 days in the 2016 survey but is still longer than you may have expected.

Another study published on the International Association of Privacy Professionals (IAPP) website had somewhat different findings. The study looked at the time it took to detect and respond to security incidents over 18 months using an automated security platform. It found the average time between occurrence and discovery was 13.21 days. The IAPP author noted the study’s results skew toward shorter timeframes because it uses data that reflect best practices in incident response and the use of an automated platform. Using manual solutions would likely result in longer response timeframes.

In many cases, though, the time to detection is a matter of months, not days. A breach occurred at credit and debit payments company Verifone in mid-2016, for example, but the company did not discover it until January. A recent data breach at clothing retailer Brooks Brothers took more than a year to discover. The breach, which involved malicious software aimed at capturing payment card information, ran from April 2016 to March 2017, but the company didn’t know about it until May 2017.

Reducing the time it takes to detect a security breach can result in significant savings. According to the Ponemon Institute study, companies that detected a breach in less than 100 days had an estimated average total cost of $3.11 million. For those that took more than 100 days, the average data breach cost was $4.21 million — more than $1 million more. For all data breaches, the average cost was $3.86 million.

How Do Companies Discover Breaches?

According to the 2017 Verizon Data Breach Investigation Report, external methods of breach detection outnumber internal ones by almost three to one. That means law enforcement, fraud protection services and other third parties discover breaches more frequently than the affected company. Often, this is not the most efficient method of breach detection. It’s vital for companies to know how to detect a data breach and to take steps to prevent them and identify them if they occur.

The fundamental process for identifying a data breach involves two main steps. First, you must determine which data is sensitive or of value, including datasets that are part of your business processes, as well as extraneous copies of data. Next, you need to set up a system for monitoring that data. By watching your data, you can get an idea of what normal access looks like. Then, you can note anything that’s out of the ordinary and investigate it to ensure it’s not a breach. The most effective way to monitor your data is to use software from a professional cybersecurity company.
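The two steps above, an inventory of sensitive data and a monitor that learns normal access and flags the out-of-the-ordinary, look like this in code. This is an added example, not code from the original post or from BlackStratus: the log format (timestamp, user, dataset, rows read), the dataset names and every log line are constructed sample data, and the scoring rule (volume beyond mean + 3 standard deviations, or access outside the hours previously seen) is an assumption chosen for illustration.

```python
"""Baseline-and-anomaly monitoring of access to sensitive data.

Added example, not code from the original post or from BlackStratus.
Step 1 of the process described above is the inventory of sensitive
datasets; step 2 is learning what normal access looks like from a
baseline window and flagging anything out of the ordinary for
investigation. All log lines are constructed sample data and the log
format (timestamp user dataset rows_read) is an assumption.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Step 1 (constructed inventory): which datasets hold sensitive data.
# Datasets mapped to None are not sensitive and are not scored.
SENSITIVE_DATASETS = {
    "customers_pii": "personal data",
    "payment_cards": "payment card data",
    "marketing_assets": None,
}

# Constructed baseline window: what normal access looked like last month.
BASELINE_LOG = [
    "2019-04-01T09:12:00 alice customers_pii 120",
    "2019-04-02T10:05:00 alice customers_pii 95",
    "2019-04-03T11:40:00 alice customers_pii 130",
    "2019-04-04T09:50:00 alice customers_pii 110",
    "2019-04-01T14:20:00 bob payment_cards 20",
    "2019-04-02T14:35:00 bob payment_cards 25",
    "2019-04-03T14:10:00 bob payment_cards 18",
]

# Constructed monitored window: the lines to score against the baseline.
MONITORED_LOG = [
    "2019-05-06T10:15:00 alice customers_pii 110",     # normal
    "2019-05-07T02:30:00 alice customers_pii 50000",   # bulk read, at night
    "2019-05-07T14:25:00 carol payment_cards 5",       # never seen before
    "2019-05-07T15:00:00 bob marketing_assets 99999",  # not sensitive, ignored
]


def parse(line):
    """Split one log line into (timestamp, user, dataset, rows_read)."""
    ts, user, dataset, rows = line.split()
    return datetime.fromisoformat(ts), user, dataset, int(rows)


def build_baseline(lines):
    """Per (user, dataset): row counts seen and hours of day seen."""
    rows = defaultdict(list)
    hours = defaultdict(set)
    for ts, user, dataset, n in map(parse, lines):
        if SENSITIVE_DATASETS.get(dataset) is None:
            continue  # only sensitive data is monitored
        rows[(user, dataset)].append(n)
        hours[(user, dataset)].add(ts.hour)
    return rows, hours


def find_anomalies(baseline, lines, k=3.0):
    """Return one finding per out-of-the-ordinary access, with its reasons.

    Volume is flagged when rows_read exceeds mean + k * stdev of the
    baseline for that user and dataset (stdev floored at 1 so a perfectly
    flat baseline still alerts on a jump).
    """
    rows, hours = baseline
    findings = []
    for ts, user, dataset, n in map(parse, lines):
        if SENSITIVE_DATASETS.get(dataset) is None:
            continue
        key = (user, dataset)
        reasons = []
        if key not in rows:
            reasons.append("first access by this user to a sensitive dataset")
        else:
            hist = rows[key]
            threshold = statistics.mean(hist) + k * max(statistics.pstdev(hist), 1.0)
            if n > threshold:
                reasons.append(f"rows_read {n} exceeds baseline threshold {threshold:.0f}")
            if ts.hour not in hours[key]:
                reasons.append(f"access at hour {ts.hour:02d} outside usual hours")
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user,
                             "dataset": dataset, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(build_baseline(BASELINE_LOG), MONITORED_LOG):
        print(f["time"], f["user"], f["dataset"], "; ".join(f["reasons"]))
```

Run against the constructed windows, the monitor reports two findings for investigation: alice's 50,000-row read at 02:30 (both volume and hour are outside her baseline) and carol's first-ever access to the payment card dataset. The large read of `marketing_assets` is ignored because the inventory does not mark it sensitive, which is exactly why step 1 has to come before step 2.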

What qualifies as a data breach depends on the breach laws that apply to your organization, but it is usually an incident involving the accidental release of personal information to an unauthorized individual or organization. Not every instance of unusual activity, and not even every security incident, is a data breach — most are not. There will be more data to analyze between occurrence and discovery than between discovery and notification. It’s still essential, however, for organizations to monitor all their valuable and sensitive data and to take the time to investigate any suspicious activity.

Does the Type of Breach Affect Detection Time?

Does the type of data breach impact detection? Some kinds of breaches may be more challenging to detect than others, and some detection methods can take longer to work than others.

According to the study IAPP published, the average time between occurrence and discovery differed depending on whether the breach involved data stored electronically or as a hard copy. The average discovery time for breaches involving electronic data was 6.8 days, while the timeframe for paper documents was 22.9 days. With digital filing, the organization may have a security system that alerts it to the breach. With paper records, however, no such system exists. Instead, someone has to notice a document has gone missing or went out to the wrong person.

The study also compared data breaches under different regulations: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates health care data, and the Gramm-Leach-Bliley Act (GLBA), which governs financial information. There wasn’t a large difference between these two kinds of breaches. HIPAA violations took 10.7 days to discover, while breaches under GLBA took 10.4 days.

What Are the Next Steps?

After you detect a breach, what should you do?

  • Notification: Data breach regulations require organizations that discover a data breach to inform the relevant regulatory agencies and the affected individuals. The exact requirements depend on which laws apply to you and the nature of the breach.
  • Containment: Once you are aware of a breach, you also need to contain it to limit the damage it can cause. The more quickly you can get the breach under control, the lower your costs and risk of damage will be. According to the Ponemon Institute study, companies that could contain a breach within 30 days saved more than $1 million compared to those that took longer than 30 days.
  • Eradication: Following containment, you need to find and resolve the root cause of the breach. It’s crucial that you’re extremely thorough when removing the threat to prevent potential further damage.
  • Recovery: Next, you must fully restore all the affected systems and devices. This phase should involve updating your system to better protect against threats. This step can also occur at the same time as the eradication phase.
  • Lessons learned: The last step involves reviewing the incident and the lessons you learned. You can use this information to better prepare for potential future issues and improve your response time. This process enables continuous improvement of your breach response policies, procedures and technologies.


The time it takes to notify the affected individuals following the detection of a breach is critical as well. Your organization needs to have a plan in place for sending out timely notifications to ensure compliance and minimize the impacts of any breach that occurs.

How Long Does It Take to Notify Customers?

Different regulations have different requirements for the timeframe within which a company must notify the affected individuals after a data breach. Take some time and examine the laws that apply to you to determine the requirements that apply to your organization.

Under the European Union’s General Data Protection Regulation (GDPR), for example, you must provide notification “without undue delay and, where feasible, not later than 72 hours.” This requirement is a much shorter timeframe than those included in many other regulations.

In the U.S., 19 states have requirements for the timeframe in which you must send out notifications of a data breach. Ohio, for example, requires companies to provide notice within the shortest timeframe possible, but no later than 45 days after becoming aware of a breach. Florida mandates businesses must provide notice within 30 days of discovering a breach.

Under the HIPAA breach notification rule, you must provide most kinds of notifications “without unreasonable delay and no later than 60 days following the breach discovery.” For breaches that affect fewer than 500 individuals, organizations can submit notifications to the U.S. Department of Health and Human Services (HHS) annually.

The IAPP study found the average discovery-to-notification time was 29.1 days, shorter than the required timeframes of states like Florida and Ohio, but longer than those of the GDPR.
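The three points the post defines (occurrence, discovery, notification) make the timeline measurable, and the deadlines quoted above make each incident's notification checkable. The following is an added example, not code from the original post or from BlackStratus: it computes time to detection and time to notify for a set of incident records, summarises them, and lists which quoted deadline each incident missed. The incident records are constructed sample data, the rule labels are assumed names, and the deadline values are the ones quoted in this post (GDPR 72 hours, Florida 30 days, Ohio 45 days, HIPAA 60 days, all counted from discovery).

```python
"""Measure the occurrence -> discovery -> notification timeline of incidents.

Added example, not code from the original post or from BlackStratus.
Computes the two intervals the post defines (time to detection and
time to notify), summarises them across incidents, and checks each
incident's notification against the deadline of the rule(s) that apply
to it. Incident records are constructed sample data; the rule labels are
assumed names; the deadline values are the ones quoted in the post.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Deadlines quoted in the post, counted from the discovery date.
NOTIFICATION_DEADLINES = {
    "GDPR": timedelta(hours=72),
    "FLORIDA": timedelta(days=30),
    "OHIO": timedelta(days=45),
    "HIPAA": timedelta(days=60),
}

# Constructed incident records (dates are ISO-8601 strings).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2019-01-03", "discovered": "2019-01-05",
     "notified": "2019-01-07", "rules": ["GDPR"]},
    {"id": "INC-2", "occurred": "2018-06-15", "discovered": "2018-12-20",
     "notified": "2019-02-25", "rules": ["HIPAA"]},
    {"id": "INC-3", "occurred": "2019-02-10", "discovered": "2019-02-12",
     "notified": "2019-03-20", "rules": ["FLORIDA", "OHIO"]},
]


def intervals(inc):
    """Return (time_to_detect, time_to_notify) as timedeltas for one incident."""
    occurred, discovered, notified = (
        datetime.fromisoformat(inc[k]) for k in ("occurred", "discovered", "notified")
    )
    if not occurred <= discovered <= notified:
        raise ValueError(f"{inc['id']}: timestamps are out of order")
    return discovered - occurred, notified - discovered


def missed_deadlines(inc):
    """Names of the applicable rules whose notification deadline was missed."""
    _, time_to_notify = intervals(inc)
    return [r for r in inc["rules"] if time_to_notify > NOTIFICATION_DEADLINES[r]]


def summarise(incidents, slow_detection_days=100):
    """Summary metrics; slow_detection_days is the 100-day split from the cost study."""
    detect = [intervals(i)[0].days for i in incidents]
    notify = [intervals(i)[1].days for i in incidents]
    return {
        "mean_days_to_detect": mean(detect),
        "median_days_to_detect": median(detect),
        "mean_days_to_notify": mean(notify),
        "slow_detections": [i["id"] for i, d in zip(incidents, detect)
                            if d > slow_detection_days],
        "missed": {i["id"]: missed_deadlines(i) for i in incidents
                   if missed_deadlines(i)},
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed records, the mean time to detection (64 days) is dominated by one incident that sat undetected for 188 days, while the median is 2 days; reporting both keeps one long-dwell incident from hiding in an average. The deadline check shows INC-2 missing the 60-day HIPAA window and INC-3 missing Florida's 30 days while still inside Ohio's 45, which is the kind of per-rule view a notification plan needs.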

Sometimes, the time it takes to send out notifications is much longer than this, though. For example, the Minnesota Department of Human Services was the victim of two data breaches in June and July of 2018. The breaches exposed the personal information of 21,000 patients, including first and last names, Social Security numbers, dates of birth, medical information and financial information. The affected individuals didn’t receive notification until October.

Many different factors influence how long notification takes. Companies need to figure out which data was affected, what impact the breach may have on the impacted individuals, which requirements apply to the organization and how best to send out notifications. This process can take time. The more prepared an organization is to send out data breach notices, however, the better chance it has of completing the task promptly. It’s crucial that organizations prepare ahead of time for a potential data breach that requires notifications.

Sometimes, if the breach is the result of a malicious attack, law enforcement may also ask that a company not announce it publicly to assist in apprehending the people responsible. Data breach laws often include exceptions that say a company can delay notification to comply with requests from law enforcement.

Of course, longer gaps between occurrence and detection also push back notification.

Does the Type of Breach Affect Notification Time?

The IAPP also looked at whether the type of data involved in a breach affected the time it took to provide notification. The study found that, although it took longer to discover paper-based breaches than those involving electronic data, the opposite was true when it came to notification. For electronic data, the average time between discovery and notification was 33.8 days. For paper documents, it was 28.1 days.

This difference may be because electronic incidents tend to affect more data than paper-based ones. Investigating a digital incident and determining the impacted data may also be more complex and take longer.

The study also looked at notification times for breaches under HIPAA versus breaches under GLBA. It found sending notifications about HIPAA-related breaches took 32.3 days on average, while GLBA notifications took 15.8 days.

Although the time between occurrence and detection was similar, HIPAA-related incidents took about twice as long to report as GLBA incidents. IAPP noted one possible explanation for the difference in notification times could be the fact that GLBA requires companies to provide notification as soon as possible, while the HIPAA breach notification rule allows 60 days from the date of discovery. The number of incidents and the level of resources financial and health care organizations have could be contributing factors.

What Are the Effects of a Long Breach Detection Gap?

The longer it takes to detect a breach and notify the affected individuals about it, the higher the potential for damage becomes. If a hacker goes undetected for a longer period, they will have more time to steal information or funds. Going undetected also gives them a chance to install other malware or gain access to other parts of the network. In the case of accidentally exposed data, the longer it remains exposed, the higher the chances of someone discovering it. It’s vital to detect a breach as fast as possible. Longer detection time also results in a higher data breach cost.

Notifying customers as quickly as possible about the exposure of their data is also crucial. The sooner they know about the breach, the sooner they can take steps to limit its impacts, such as changing their usernames and passwords, enabling multi-factor authentication, reviewing bank and credit accounts, reporting fraudulent activity and instituting a credit freeze, as needed.

Detect Security Threats With Timeliness

When it comes to detecting security threats and providing notification of data breaches, time is of the essence. Reducing time to detection and notification lessens the impact a breach may have on customers and the effect it may have on a company’s reputation and ability to operate. Responding to incidents quickly is also critical for compliance with regulations.

Preparing for a potential breach by creating response plans can help reduce detection and notification timeframes, as can providing training to employees. Monitoring your response process and measuring the time various steps can take can also help you find areas in which you can improve.

One of the most effective ways to reduce response time is using reliable, high-quality cybersecurity and monitoring tools such as those from BlackStratus. We offer CYBERShark, a cloud-based managed security and compliance solution that provides 24/7 network monitoring, advanced correlation, real-time alerts, integrated incident management workflow and more. We also offer LOGStorm, an advanced log management solution, and SIEMStorm, comprehensive security management software.

Are you interested in learning more about our cybersecurity report solutions and how they can help you detect threats and protect your network? Explore our website or contact us today.


Don Carfagno

Strategic executive management and delivery responsibilities for BlackStratus MSP product line offerings of SIEM and logging for direct, SOC-as-a-Service and channel sales. Operations professional with 20 years of security management experience. I place a high premium on cost reduction and containment for all aspects of a business. With many years of experience supporting software sales organizations, I am uniquely trained to develop and coach cross-functional teams. My main area of interest, what makes me want to come to work, is company building and creating successful teams. I enjoy creating and championing a successful attitude throughout an organization.
