Cybersecurity Insights

December 10, 2025

Dwell time: the real risk

The real risk isn’t the breach. It’s the time before anyone notices.

Cyber incidents rarely unfold the way headlines suggest.
The recent attack on several London councils is a reminder of that.

The critical question isn’t “who did it”.
It’s how long attackers were inside before anyone realised.

In cybersecurity, that hidden window of time is called dwell time.
And it remains one of the most misunderstood and dangerous metrics in incident response.

What dwell time really means (and why it matters)

Most organisations think in terms of:

  • detection
  • containment
  • recovery

But dwell time sits before all of those.

It is the silent gap between compromise and detection, the period when attackers creep, escalate access, gather information, and exfiltrate data unnoticed.

In many incidents, dwell time is measured not in minutes…
But in days or weeks.

For the London councils incident, the following have not yet been disclosed:

  • when the intrusion began
  • how long attackers had access
  • how early signals appeared
  • whether alerts were visible
  • whether noise buried the indicators
  • how quickly exfiltration was spotted

These unknowns matter more than the breach itself.
Because what happens before detection defines everything that comes after.
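
One way to put numbers on that gap, as an added example that is not part of the original post: it splits dwell time into the period before any signal existed and the period when a signal existed but had not yet been recognised. The incident records, field names and functions are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed incident timelines for illustration; not data from any real incident.
# compromise  = earliest evidence of attacker activity found during forensics
# first_alert = first alert or log signal tied to the intrusion (None if none fired)
# detected    = when the intrusion was actually confirmed
INCIDENTS = [
    {"id": "A", "compromise": "2025-01-03T02:00", "first_alert": "2025-01-03T08:00", "detected": "2025-01-17T08:00"},
    {"id": "B", "compromise": "2025-02-10T12:00", "first_alert": None, "detected": "2025-02-12T12:00"},
    {"id": "C", "compromise": None, "first_alert": "2025-03-01T08:00", "detected": "2025-03-01T20:00"},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def _hours(start, end):
    return (end - start).total_seconds() / 3600

def dwell_breakdown(incident):
    """Split dwell time into 'blind' (no signal yet) and 'buried' (signal existed, unrecognised)."""
    start, alert, found = (_ts(incident[k]) for k in ("compromise", "first_alert", "detected"))
    if alert is None:
        alert = found  # nothing fired before confirmation: the whole window was blind
    if found < alert or (start and alert < start):
        raise ValueError(f"incident {incident['id']}: timestamps out of order")
    buried = _hours(alert, found)
    if start is None:
        # Intrusion start unknown: dwell time cannot be stated, only a lower bound (buried).
        return {"id": incident["id"], "dwell_h": None, "blind_h": None, "buried_h": buried}
    return {"id": incident["id"], "dwell_h": _hours(start, found),
            "blind_h": _hours(start, alert), "buried_h": buried}

def summarise(incidents):
    rows = [dwell_breakdown(i) for i in incidents]
    known = [r for r in rows if r["dwell_h"] is not None]
    total = sum(r["dwell_h"] for r in known)
    return {
        "median_dwell_h": median(r["dwell_h"] for r in known) if known else None,
        "unknown_start": len(rows) - len(known),  # incidents where dwell is unmeasurable
        # Share of known dwell time during which a signal was already available.
        "buried_share": sum(r["buried_h"] for r in known) / total if total else None,
    }

if __name__ == "__main__":
    print(summarise(INCIDENTS))
```

A high buried share points at alert noise and slow triage; a high blind share points at missing visibility.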

Why dwell time is increasing across Europe

European organisations face a unique mix of pressures:

  • shared IT infrastructure
  • hybrid cloud environments
  • decentralised monitoring
  • legacy systems
  • skills shortages
  • growing regulatory demands

When infrastructure is shared, as in the affected councils, visibility can become fragmented.
And when visibility fragments, dwell time increases.

This is precisely the scenario an attacker exploits.

Three patterns behind long dwell times

Alert noise overwhelms analysts

When every alert looks important, nothing feels urgent.
Critical signals hide inside the noise.

Manual triage slows detection

If analysts need to query logs, validate alerts, and manually chase data, dwell time expands, even with strong teams.

Shared services create shared blind spots

When multiple organisations share systems, a gap for one becomes a gap for all.

The hard truth leadership needs to hear

Most organisations don’t fail because an attacker gained access.
They fail because they don’t notice quickly enough.

Dwell time determines:

  • how much data is accessed
  • whether exfiltration succeeds
  • whether lateral movement occurs
  • how deep the attacker gets
  • how costly the outcome becomes

This is the lesson repeated across incident after incident.

What every organisation should be asking

Whether you’re a council, enterprise, MSP or public-sector body, a few questions matter more than any specific tool or platform:

  • How long would it take us to detect an intrusion?
  • Do we have real visibility across all environments, including shared systems?
  • Are critical alerts buried in noise?
  • Is triage manual or automated?
  • Do we know how quickly we could confirm exfiltration?
  • Do we have confidence in where our data lives, who can access it, and how it is processed?

Regulators, leadership, and the public increasingly expect European organisations to know these answers.

Final thought

Cybersecurity isn’t only about preventing breaches.
It’s about shrinking the time between intrusion and awareness.

Because the breach itself isn’t the greatest risk.

The real danger is the time before anyone realises it happened.