Hello,<p>When companies or organisations are victims of a cyber-attack, they often claim that it will take a significant amount to time (i.e., months) to investigate and assess the impact of the incident, what parts of their systems were accessed, the type and amount of data stolen by the attackers, etc.<p>As someone with no expertise in cybersecurity I have no idea if that argument makes sense or not. I suppose that larger companies with more complex IT structures will need more time to complete an assessment compared to smaller ones. But, a technical investigation spanning months?<p>Part of the relevance of this question is because, often, the potential victims of a cyber-attack are not just the company or organisation that was breached but their employees, suppliers, customers, etc. The limited or lack of information while the investigation is being conducted might leave them "out in the cold" for quite a long time.<p>So, I wanted to ask you. Thanks.