A report released today by Sophos reveals that IT managers are more likely to catch cybercriminals on their organization’s servers and networks than anywhere else.

The study, 7 Uncomfortable Truths of Endpoint Security, surveyed over 3,100 IT managers in 12 different countries across industry verticals and organization sizes, and was conducted by the independent research specialist Vanson Bourne.

The report reveals that IT managers discovered 37% of their most significant cyberattacks on their organization’s servers and 37% on its networks. Only 17% were discovered on endpoints and 10% were found on mobile devices.

You’ve likely heard the adage: “It’s not a matter of if, but when you’ll be breached”, and the survey data certainly backs that up, with the majority of organizations responding to this survey (68% global average) having already been breached.

That’s why there’s growing momentum to not just focus on the tactics and tools that flat-out prevent attacks, but also to bolster threat response programs to more quickly find intruders already in the network, and to more effectively respond to attacks already underway.

In other words, for organizational security, it’s no longer enough to think about threats stopped at the ‘perimeter’. Companies must also focus on dwell time, which is the time it takes to detect an attack in progress.

Of teams that were able to definitively measure their average attacker dwell time, they responded that they could spot an attacker in as little as 13 hours, with Australia, Brazil, and Canada reporting 10 hours of dwell time on one end of the average, and Japan reporting 17 hours on the other.

If you’re not familiar with industry chatter around dwell time, 13 hours might seem like an eternity for an attacker to be rooting around your organizational assets, but compared to other industry benchmarks — such as the Verizon Data Breach Investigations Report (DBIR), whose respondents on average clock dwell time in weeks or months — 13 hours seems almost impossibly fast.

As the respondent set and the types of threats being assessed in this survey and the Verizon DBIR studies aren’t quite the same, we can’t and shouldn’t make a one-to-one comparison between the two. Instead, this report drills down into why there’s a disparity in results, and why the gulf in detection times from those with dedicated security teams versus those without can hold such variability.

Lack of visibility into attacker behavior and information about attacker paths is still a major barrier to detecting attacks and reducing dwell time. 20% of IT managers who fell victim to one or more cyberattacks last year can’t pinpoint how the attackers gained entry, and 17% don’t know how long the threat was in the environment before it was detected, according to the survey.

To improve this lack of visibility, IT managers need Endpoint Detection and Response (EDR) technology that exposes where threats originate, as well as the digital footprints of attackers moving laterally through a network. 57% of respondents reported that they did not have an EDR solution in place at the moment, but planned to implement one within the next 12 months.

Chester Wisniewski, principal research scientist at Sophos said:

If IT managers don’t know the origin or movement of an attack, then they can’t minimize risk and interrupt the attack chain to prevent further infiltration.

EDR helps IT managers identify risk and put a process in place for organizations at both ends of the security maturity model. If IT is more focused on detection, EDR can more quickly find, block and remediate; if IT is still building up a security foundation, EDR is an integral piece that provides much needed threat intelligence.

On average, organizations that investigate one or more potential security incidents each month spend 48 days a year (four days a month) investigating them, according to the survey. It comes as no surprise that IT managers ranked identification of suspicious events (27%), alert management (18%) and prioritization of suspicious events (13%) as the top three features they need from EDR solutions to reduce the time taken to identify and respond to security alerts.

If IT managers have defense-in-depth with EDR, they can investigate an incident more quickly and use the resulting threat intelligence to help find the same infection across an estate. Once cybercriminals know certain types of attacks work, they typically replicate them within organizations. Uncovering and blocking attack patterns would help reduce the number of days IT managers spend investigating potential incidents.

This report drills down into the specifics of the threats detected (what kind and where), as well as the resources spent on incident investigation. By taking a broader look at industries across geographies and organizational size, this report shines a light on the unexpected challenges facing enterprise security as a whole across the globe.