The average attacker is inside your network for two and a half weeks before you notice

Carl Heaton · Security Commentary

Picture the worst version of a ransomware attack. It is not the locked screens and the ransom note. It is the fortnight before that, when someone was already inside your network, reading your files, finding your backups, and deciding what to take, and nobody in the building knew. That gap between break-in and discovery is where most small businesses are quietly exposed, and new research says it is getting wider.

A study from the security firm ExtraHop, reported by ITPro, found that attackers now hold quiet access to a network for an average of two and a half weeks before they are spotted, with some staying hidden for months or years. Nearly half of the organisations surveyed did not realise they had been breached until after data was already gone, a 31% rise on the year before. And 14% found out only when the attackers themselves got in touch, usually with a demand for money.

Prevention gets the budget, detection gets you caught out

Most security spending goes on keeping attackers out: the firewall, the email filter, the antivirus. That work matters, and it stops a lot. But it quietly assumes the fight happens at the front door. These figures describe what happens once someone is already past it, and on that ground most firms are not looking.

The delay has a few causes, and none of them are exotic. Attackers hide their traffic inside encrypted connections and copy the rhythm of normal, legitimate activity, so nothing looks out of place. Four in 10 firms blamed exactly that. A third pointed to attackers using stolen high-privilege accounts, which raises no alarm because, on paper, an authorised user is doing authorised things. And 30% admitted the signals were there but lost in the noise, buried under so many alerts that the real one never got a second look.

The time this buys the attacker is the whole point. As the report put it, "every hour ransomware goes undetected drastically increases its potential blast radius." A wider window lets them move sideways through the network, find and delete your backups, and turn what might have been a contained mess into a business-wide crisis. The ransom note is not the start of the incident. It is the attacker announcing they have already finished.

The UK numbers say this is landing on smaller firms

This is not a big-company problem watched from a distance. Fresh figures from the national Report Fraud service, run by the City of London Police, show 323 UK organisations reported a ransomware attack between April 2025 and March 2026. More than half were small and mid-sized businesses. Reported losses rose 50% in a year to around £270,000, and the police were clear that this figure is an underestimate, because many firms never disclose the full cost. Manufacturing took the most hits, followed by scientific and technical firms, then education.

Put the two studies together and the shape is plain. Smaller UK firms are being attacked, the losses are climbing, and the attacker is often inside for weeks before anyone notices. Prevention alone was never going to catch that.

What to do this quarter

You do not need a 24-hour security team to shrink the gap. A few practical moves change the odds.

  • Assume they get in, and plan for the day after. Ask a blunt question: if an attacker were on our network right now, what would tell us? If the honest answer is nothing, that is the gap to close first.
  • Protect the backups as if they are the target, because they are. Attackers hunt for backups during that quiet fortnight so you cannot recover without paying. Keep at least one copy offline or otherwise out of reach of your main network, and test that you can actually restore from it.
  • Watch the accounts, not just the perimeter. A login from a strange place or at a strange hour, or an ordinary account suddenly reaching for admin rights, is the kind of signal that catches a quiet intruder. Turn on the alerts your existing tools already offer, and make sure a named person reviews them.
  • Cut the noise so the real alert survives. Alert fatigue is not a personal failing, it is a design problem. Fewer, better-tuned alerts that someone actually reads beat a firehose everyone ignores.
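The account-watching and noise-cutting points above can be sketched as a small review script. This is an added example, not code from the article or from any product. The event fields, the baseline of usual login countries, the admin list and the 07:00 to 19:00 working day are all assumptions to adapt to whatever your identity provider or directory actually exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names are assumptions, not a real product schema.
# "user" is the account performing the action.
EVENTS = [
    {"ts": "2026-03-02T09:14:00", "user": "alice", "country": "GB", "action": "login"},
    {"ts": "2026-03-02T10:02:00", "user": "bob", "country": "GB", "action": "login"},
    {"ts": "2026-03-03T03:41:00", "user": "bob", "country": "US", "action": "login"},
    {"ts": "2026-03-03T03:47:00", "user": "bob", "country": "US",
     "action": "add_to_group", "group": "Domain Admins"},
    {"ts": "2026-03-03T11:30:00", "user": "it-admin", "country": "GB",
     "action": "add_to_group", "group": "Domain Admins"},
]

BASELINE = {"alice": {"GB"}, "bob": {"GB"}, "it-admin": {"GB"}}  # usual login countries
ADMINS = {"it-admin"}                  # accounts expected to change privileges
WORK_HOURS = range(7, 19)              # 07:00-18:59, assumed working day
PRIVILEGED_GROUPS = {"Domain Admins"}  # groups whose membership changes matter

def review_queue(events, baseline=BASELINE, admins=ADMINS):
    """Return {user: [reasons]}: one consolidated entry per account, not one alert per event."""
    findings = defaultdict(list)
    for e in events:
        user, when = e["user"], datetime.fromisoformat(e["ts"])
        if e["action"] == "login":
            # An account with no baseline at all is treated as unusual everywhere.
            if e["country"] not in baseline.get(user, set()):
                findings[user].append(f"login from new country {e['country']} at {e['ts']}")
            if when.hour not in WORK_HOURS:
                findings[user].append(f"login outside working hours at {e['ts']}")
        elif e["action"] == "add_to_group" and e.get("group") in PRIVILEGED_GROUPS:
            if user not in admins:
                findings[user].append(f"non-admin account changed {e['group']} at {e['ts']}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in review_queue(EVENTS).items():
        print(f"REVIEW {user}: {len(reasons)} signal(s)")
        for reason in reasons:
            print("  -", reason)
```

On the sample data the five events collapse into a single entry for one account carrying three reasons, which is the shape a named reviewer can realistically read each morning.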

How Steelwise can help

Working out what would actually tell you an attacker was already inside, and whether your backups would survive the attempt to destroy them, is exactly the kind of review we do with clients, before an incident rather than during one. Get in touch.
