In the ongoing battle against cyber-attackers, one crucial metric that cybersecurity professionals closely monitor is dwell time — the duration an attacker remains undetected within a system once they have managed to infiltrate it.

Extended dwell time and delayed response can increase the impact of a cyber-attack on an organisation. The good news is there are ways to reduce the length of an unwelcome visitor’s stay.

What is Dwell Time and Why is it Important?

Dwell time refers to the period between a cyber-attacker’s initial breach and their detection within a targeted system. It represents the attacker’s ability to navigate through the network, escalate privileges, exfiltrate data, and potentially cause significant damage. The longer an attacker remains undetected, the more time they have to exploit vulnerabilities. It could also lead to the launch of further attacks.

As Dwell Times Reduce, Attackers Up Their Game

As organisations invest in cybersecurity to stop attackers in their tracks, dwell times will inevitably reduce; a report by Sophos showed evidence of this happening in 2023*. While this appears to be positive news, it is forcing cyber-attackers to become more sophisticated in their techniques to make the most of shorter operating windows.

The average dwell time was reported to have reduced from ten to eight days for all cyber-attacks in the first half of 2023, and for ransomware attacks to five days*

To maximise dwell time, threat actors will often plan their attacks to take place between 11pm and 8am in the target’s time zone, strongly favouring a ‘late hour at the end of the week’*. For example, the Sophos report found that nearly half (43%) of ransomware attacks were detected on either a Friday or a Saturday. This is just one of many tricks cyber-attackers have up their sleeves to create havoc for as long as possible before detection, let alone breach response.

The Costs of Extended Dwell Time

Essentially, every loss can be magnified the longer the dwell time clock remains ticking.

  • Financial loss: The longer an attacker remains undetected, the greater the potential financial loss an organisation may suffer through fraudulent transactions or the compromise of payment processes.
  • Data breach and intellectual property loss: Extended dwell time allows attackers to access and exfiltrate valuable data, including customer information, trade secrets, and intellectual property. As well as the risk of reputational damage and regulatory fines, this can result in a loss of competitive advantage.
  • Compliance and legal consequences: Extended dwell time can lead to non-compliance with data protection regulations, such as the General Data Protection Regulation (GDPR). Failing to detect and respond promptly to breaches may bring legal consequences and substantial fines.
  • Operational disruption: The longer the dwell time, the greater the potential disruption of critical systems, leading to downtime, loss of productivity, and service interruption.
  • Incident response costs: The longer an attacker remains undetected, the more extensive the incident response efforts required to mitigate the damage caused.

Minimising Dwell Time: The Need for Swift Response

Given the damage a threat actor can cause with time and opportunity, taking pre-emptive measures is essential to safeguard your organisation’s security. It is also important to prepare an action plan in case of a breach. The following measures can work together to minimise dwell time.

  • Advanced threat detection: Robust security measures, including Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) solutions, and behaviour analytics tools can help identify suspicious activities and potential breaches.
  • Real-time monitoring: Continuous monitoring of network traffic, system logs, and user behaviour can enable swift threat detection. Implementing automated alerts and incidents can help cybersecurity teams to act quickly to mitigate risks.
  • Incident response readiness: It’s important to establish clear roles, responsibilities and communication protocols in your incident response plan, along with predefined steps to contain and remediate attacks. These plans should be tested and updated regularly.
  • Employee awareness and training: A vigilant workforce acts as an additional layer of defence against extended dwell time. Educate employees about cybersecurity best practices, such as recognising phishing attempts and reporting suspicious activities to help detect and respond to attacks at an early stage.

While cyber-attacks cannot always be prevented, it is possible to eliminate components of the attack so that dwell time is reduced. This is why partnering with a cyber risk management specialist is so important — regardless of the size of your organisation or the sector you work in — to ensure your cybersecurity teams always have the appropriate response measures in place.

Gallagher’s Cyber Risk Management team runs regular webinar clinics, providing a deep insight into how to plan and prepare for cyber incidents. We also provide a suite of services through Gallagher’s Cyber Defence Centre. Please reach out to us if you would like to find out more.


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.