By Lisa Lupo

Professional hackers can hack your system in less than 12 hours, but detecting data breaches take an average of 250 to 300 days — if they’re detected at all, according to The Black Report from the data security company Nuix. For the report, Nuix conducted a confidential survey of 70 professional hackers and penetration testers (pentester) at DEFCON, the world’s largest hacking and security conference.

Here’s what they said:

81% can identify and exfiltrate data in less than 12 hours.

88% can compromise a target in less than 12 hours.

50% change their attack methodologies with every target.

84% use social engineering as part of their attack strategy.

69% have almost never been caught in the act by security teams.

33% have never had their activities detected by their target organizations.

76% spend 1-10 hours per week researching security news and technology.

76% believe technical certifications are not a good indication of technical ability.

100% agree that once someone has accessed your data, it’s gone — like gone gone.

Among the most effective countermeasures are:

36% endpoint security

29% intrusion detection and prevention systems

10% firewalls

2% antivirus

Activities noted as extremely important in prevention are:

52% employee education

37% vulnerability scanning

30% goal-oriented penetration testing

16% employee incentives

15% bug-bounty programs

Among the least effective:

42% data hygiene and information governance

22% everything. This group said no security countermeasures can stop them; full compromise is only a matter of time.

REMEDIATION. Interestingly, even after a penetration test shows vulnerability, organizations usually only conduct limited remediation, which is generally focused on critical and high vulnerabilities. It is a statistic that exasperates pentesters, with 64% stating that their biggest frustration is that organizations don’t fix the things they know are broken.

“The  Nuix Black Report  illuminates the true nexus between attacker methodology and defensive posture; showing which countermeasures will improve security and which are a waste of money and resources,” said Chris Pogue, Nuix’s Chief Information Security Officer and co-author of the  report.

“Readers will learn what is the best spend for their security dollar and, more critically,  why,” he added.

Source: Nuix. Read the full report here.