Blog
How Long are Businesses Vulnerable Before a Security Breach?

How Long are Businesses Vulnerable Before a Security Breach?

On average, a merchant was vulnerable for 470 days before an attacker was able to compromise the system.

Updated
December 9, 2022
Posted
October 14, 2015
Security Budget
HIPAA
GDPR
Data Breaches
Vulnerability Scan
Cybersecurity
PCI
Penetration Testing
How Long are Businesses Vulnerable Before a Security Breach?

Most businesses don’t realize they are vulnerable…until it’s too late.

Businesses and organizations fear that dreaded data breach that could cost them millions, but how long are their systems actually vulnerable to attack?

Research from SecurityMetrics states that, on average, a merchant was vulnerable for 470 days before an attacker was able to compromise the system. After compromising the system, attackers were able to capture sensitive cardholder data for an average of 176 days before the merchant discovered the vulnerability and remediated it. This chronology is known as the window of compromise.

See also: Top 5 Security Vulnerabilities Every Business Should Know

Security ignorance to blame

The interesting thing about the window of compromise is the fact that the average business was vulnerable for more than an entire year before a hacker came to investigate. An entire year gives any business more than adequate time to patch vulnerabilities before they are exploited. But . . . it isn’t happening.

See also: SecurityMetrics PCI Guide

Why do merchants continue to remain vulnerable?

Reasons that increase the likelihood of vulnerabilities include: uncompleted vulnerability scans, ignored vulnerability scan results, zero-day vulnerabilities, ineffective patching, no IT support, lack of regular environment testing, etc.

With the exception of zero-day exploits, where the vulnerability wasn’t known until the time that it was openly compromised and no patch, or “fix” was available, most other vulnerabilities that lead to data breaches could have been averted if IT security had been a higher priority. If merchants don’t conduct tests and analyses of their systems, they’re going to leave themselves open to attacks, where it’s a simple matter of time until they’re discovered.

See also: A Hacking Scenario: How Hackers Choose Their Victims

How to find and irradiate vulnerabilities

New vulnerabilities are discovered daily. A vulnerability is a system, environment, software, or website weakness that can be exploited by attackers. According to GFI, an average of 19 vulnerabilities per day were reported in 2014, totaling almost 7,000 vulnerabilities per year.

Many vulnerabilities can be found via:

  • Vulnerability scans, which are automated, affordable, high-level tests that identify many known weaknesses in network structures.
    Not only are vulnerability scans a quarterly PCI DSS requirement, robust vulnerability scans are able to identify more than 50,000 unique external weaknesses. After a scan completes, it is crucial for merchants to fix any located vulnerabilities on a prioritized basis.

Contact us if you’re looking for a scan vendor

See also: 10 Qualities to Look For When Selecting an Approved Scanning Vendor

  • Penetration tests are an extremely aggressive approach to finding and removing vulnerabilities.
    A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called white-hat or ethical hackers, try to discover vulnerabilities that can be exploited.
    They use methods similar to those of illicit hackers, including password cracking, buffer overflow attacks, cross-site scripting, and SQL injection. Through these and other efforts, they attempt to gain administrative system access and extract data from a network.
    After the penetration test is complete, merchants should take the advice from the penetration test report and fix the located vulnerabilities on a prioritized basis.

Recommendation: improve vulnerability management

Creating a vulnerability management plan is crucial to decreasing a merchant’s window of vulnerability. This process will help identify, classify, remediate, and mitigate future instances of vulnerabilities. As a part of your vulnerability management strategy, include regular vulnerability scans, an annual penetration test, and the timely application of system security updates and patches. (PCI DSS compliance requires security updates within 30 days of release.)

Vigilant vulnerability management is the most efficient way for you to proactively reduce the window of compromise, greatly narrowing the opportunity for hackers to successfully attack your systems and steal your valuable data.

Read the Window of Compromise white paper.

Join thousands of security professionals.

Subscribe Now

Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000