A new study from IBM suggests it takes 206 days on average for companies to discover a breach and another 73 to fix it.

With cybercriminals becoming savvier and assaults becoming much more complex, it seems many companies will have been exposed for months without even realising it. The average cost to the business could be as much as $3.92 million, with the firm feeling the impact over three-year periods.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services.

“With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”

On average, 67% of the financial impact of security breaches are felt within the first 12 months, 22% is seen in the second year and 11% in the third year after the incident. The long-tail costs are felt more painfully in highly-regulated industries such as healthcare, financial services, energy and pharmaceuticals. Telecoms was not mentioned specifically, but we suspect it will also be among the more impacted industries.

What you have to bear in mind is that this is a security vendor stoking the fire. The dangers of inadequate security in the digital era are very well-known, but you have to take the estimates with a pinch of salt here; it is in the IBM interest for companies to be in heightened states of fear and paranoia.

Looking at the time in which it takes to detect a breach, this is quite a remarkable number and perhaps demonstrates the retrospective approach many firms have taken to security over the last few years. These attitudes are slowly changing, security is moving up the agenda, though this does not compensate for the years of inadequacy.

The IBM report suggests the lifecycle of a breach is 279 days, not accounting for all the regulatory headaches which would follow. That said, those who are able to detect and contain a breach with 200 days are $1.2 million better off when it comes to the financial impact.

Here are a few of the more interesting stats from the report: