How Long Has a Hacker Been Living Rent-Free in Your Business? IBM's Dwell Time Report Explained for UK SMBs
Imagine someone breaking into your office, feet up on your desk, sipping tea from your favourite mug, helping themselves to your filing cabinet, and casually rifling through your customer records—every day, for nearly nine months. Sounds ridiculous, doesn’t it? You’d call the police, change the locks, install CCTV, and probably have a panic attack. But when the same thing happens digitally? Silence. Shrug. Business as usual.
IBM’s latest Cost of a Data Breach report confirms this isn’t a far-fetched what-if. It’s happening. Right now. And if you're running a UK small or medium-sized business, it should make your blood run cold. Because the truth is, someone could already be in your systems, observing everything, and you wouldn't have a clue.
A Breach in Broad Daylight (That You’ll Only Notice Next Spring)
Here’s how it usually plays out: someone clicks the wrong link. Or reuses a password. Or leaves Remote Desktop exposed to the internet. The bad actor slips in quietly. No alarms. No flashing lights. They poke around. They learn your systems. They figure out what matters to you. Then they wait.
That’s what dwell time is—the time between a breach happening and anyone realising it. According to IBM’s 2024 data, it takes organisations an average of 204 days to even detect a breach, and then another 73 days to contain it. From intrusion to containment, that’s 277 days of free rein in your network.
Nine months. That’s three whole quarters. That’s your year-end accounts, your customer list, your HR records, your sales pipeline, and maybe even your personal emails—all available to someone with no business seeing them.
They’re not smashing windows. They’re cloning inboxes. Reading everything. Maybe they’re inside your Microsoft 365 tenant. Maybe they’re watching invoices pass through your accounting platform. Or maybe they’re just waiting to encrypt it all in one neat little package and demand a ransom.
"But We’re a Small Business. We’re Not a Target."
You might think you’re safe because you’re small. That you fly under the radar. That your size protects you. Let me stop you right there.
Attackers love small businesses. You’re easier to break into, slower to respond, and more likely to pay to make the problem go away. You don’t have a full-time cybersecurity team. You don’t have SIEM logs pouring into a SOC. You’ve probably never even said the word "telemetry" out loud.
And yet you handle payroll. You handle customer data. You process payments. You log into supplier systems. That’s gold to an attacker. Even if you’re not the prize, you might be the perfect stepping stone.
You don’t need to be famous to be breached. You just need to be vulnerable. And if you haven’t taken a long, hard look at your digital front door lately, odds are—it’s wide open.
The Cost Isn’t Just Financial—It’s Everything
The IBM report estimates that a breach identified after 200 days can cost nearly £4 million. Even if we throw out the extremes and scale it to SMB terms, we’re still talking six figures in costs. For most small businesses, that’s more than enough to cause chaos, if not closure.
Let’s say you’re lucky. You don’t have to pay a ransom. You don’t face a fine from the ICO. You don’t lose your biggest contract. Even then—you’re still looking at:
Legal fees
Incident response costs
System rebuilds
Client loss
Reputation damage
Lost productivity
And let’s not forget the sleepless nights. The phone calls to explain the unexplainable. The emails filled with apology and uncertainty. That’s a cost too.
The Myth of "Nothing Worth Stealing"
You might think: we don’t hold anything sensitive. Nothing a criminal would want. Just some client emails and invoice PDFs. Maybe the odd internal document.
Think again.
Attackers don’t need your data to be valuable to them—they only need it to be valuable to you. If you can’t function without your systems, or access your files, or operate legally without your records—then you’ll pay to get them back. That’s the business model.
The irony is, the less prepared you are, the more likely you are to pay. And that’s exactly what makes you a prime target.
A True Story That Should Keep You Up at Night
In 2022, a UK healthcare provider discovered that attackers had been sitting silently in their network for four months. No one noticed. Not a whisper. During that time, patient records were stolen, internal systems monitored, emails copied. Then came the ransomware. Everything locked. Data dumped online. NHS contracts lost. ICO fines issued. Patients informed.
The business never recovered.
This wasn’t some underfunded clinic with one old PC in a back office. This was a reasonably modern, connected organisation. But they weren’t watching. And so, they got hit—hard.
The Hard Truth: It’s Already Happening
The most terrifying thing isn’t the cost, or the fines, or even the public humiliation. It’s the fact that dwell time means you’re not breached instantly. It means you’re breached already—you just haven’t found out yet.
Attackers love silence. They thrive on ignorance. Every day they go undetected is another day to watch, plan, and exploit. And if you think your antivirus is enough, or your firewall will stop everything, or your IT guy "keeps an eye on things"—you’re not prepared.
You’re next.
So What Do You Do?
There’s no silver bullet. But there is awareness. There is preparation. There is effort. And that’s where most small businesses fall short.
You start by asking the uncomfortable questions:
If we were breached tomorrow, how would we know?
Who would tell us? A partner? The police? A customer?
What would we do? Who would we call?
Then you look at the basics: securing logins, turning on MFA, checking audit logs, patching software, backing up data, and yes—getting certified with Cyber Essentials. It’s not overkill. It’s overdue.
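One concrete way to start on "checking audit logs" and "how would we know?" is a small triage script. The example below is added here and is not from the article or from IBM: it walks a list of sign-in and mailbox events, flags two quiet signs of an intruder settling in (a user's first sign-in from a country they have never used, and a mailbox rule that forwards mail elsewhere), and reports how many days each has already gone unreviewed. The event shape, the accounts, the country code "XX" and every timestamp are constructed for this example; real Microsoft 365 unified audit log exports carry many more fields.

```python
"""Added example: a small audit-log triage pass for the question
"if we were breached tomorrow, how would we know?"

All records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Parameters that turn a mailbox rule into a silent copy of someone's inbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}

# Constructed sample events, loosely shaped like unified audit log records.
# "XX" is a placeholder for a country this user has never signed in from.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:02:00Z", "user": "alice@example.co.uk",
     "op": "UserLoggedIn", "country": "GB"},
    {"time": "2024-01-11T09:30:00Z", "user": "bob@example.co.uk",
     "op": "UserLoggedIn", "country": "GB"},
    {"time": "2024-02-03T07:55:00Z", "user": "alice@example.co.uk",
     "op": "UserLoggedIn", "country": "GB"},
    {"time": "2024-02-20T09:00:00Z", "user": "alice@example.co.uk",
     "op": "UserLoggedIn", "country": "XX"},
    {"time": "2024-02-21T09:00:00Z", "user": "alice@example.co.uk",
     "op": "New-InboxRule",
     "params": {"Name": "invoices", "ForwardTo": "mailbox@example.net"}},
    {"time": "2024-03-01T10:10:00Z", "user": "bob@example.co.uk",
     "op": "UserLoggedIn", "country": "GB"},
    {"time": "2024-09-15T11:40:00Z", "user": "alice@example.co.uk",
     "op": "UserLoggedIn", "country": "XX"},
]


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def review_events(events, now_iso: str):
    """Return findings in event order, each with the days it has sat unnoticed.

    Checks:
      * first sign-in from a country the user has never used before
        (a user's very first sign-in is treated as baseline, not flagged);
      * any inbox rule or mailbox setting that forwards mail elsewhere.
    """
    now = parse_time(now_iso)
    seen_countries = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        user = ev["user"]
        if ev["op"] == "UserLoggedIn":
            country = ev["country"]
            if seen_countries[user] and country not in seen_countries[user]:
                findings.append({"user": user, "kind": "new-country-signin",
                                 "detail": country, "time": ev["time"],
                                 "days_unnoticed": (now - when).days})
            seen_countries[user].add(country)
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            hits = FORWARDING_PARAMS & set(ev.get("params", {}))
            if hits:
                findings.append({"user": user, "kind": "mail-forwarding",
                                 "detail": ", ".join(sorted(hits)),
                                 "time": ev["time"],
                                 "days_unnoticed": (now - when).days})
    return findings


def longest_unnoticed(findings) -> int:
    """Worst case so far: the oldest unreviewed finding, in days (0 if none)."""
    return max((f["days_unnoticed"] for f in findings), default=0)


if __name__ == "__main__":
    REVIEW_DATE = "2024-10-01T09:00:00Z"  # constructed "today"
    results = review_events(SAMPLE_EVENTS, REVIEW_DATE)
    for f in results:
        print(f"{f['time']}  {f['user']:<20} {f['kind']:<19} {f['detail']}  "
              f"unnoticed for {f['days_unnoticed']} days")
    print(f"Longest unreviewed indicator: {longest_unnoticed(results)} days")
```

Run against the constructed sample, the script reports a new-country sign-in and a forwarding rule for the same account, both unreviewed for over 220 days, which is the article's point in miniature: the evidence was in the logs all along, and the only thing missing was someone looking. The two checks are deliberately simple so the logic is easy to audit; the design choice worth copying is that every finding carries its own age, so the longest one becomes your current worst-case dwell time.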
Final Word: Don’t Wait for the Letter from the ICO
IBM’s report isn’t just a bunch of numbers. It’s a red flag. A warning shot. A look behind the curtain at how bad it really is.
And it’s telling you that attackers don’t need to be fast or loud. They just need you to do nothing.
So take this seriously. Sit your team down. Build a plan. Find out what you don’t know. Because one day, you might find out the hard way that the attacker wasn’t knocking at the door. They were already inside.
And they had nine months to make themselves at home.