Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

It’s 3am on a Tuesday morning. Somewhere in the UK, a security operations centre is bathed in the blue glow of multiple monitors. A cyber security professional, let’s call her Sarah, has been awake for 22 hours straight. She’s responding to a ransomware attack that has crippled patient care at an NHS trust. Behind the incident tickets and threat intelligence feeds, real people are being affected. Operations are cancelled. Blood test results are delayed. Lives are potentially at risk.

The headlines the next day will talk about the financial cost, the operational disruption, and the number of patients affected. What they won’t mention is Sarah, or the thousands like her, who will carry the weight of this incident long after the systems are restored.

When the Headlines Fade

2024 and 2025 have been brutal years for UK cyber security. We’ve witnessed an unprecedented wave of attacks that reads like a who’s who of British institutions: the NHS Synnovis attack affecting major London hospitals, forcing the postponement of over 1,100 operations and 2,100 outpatient appointments; the Legal Aid Agency breach exposing 2.1 million people’s sensitive data going back 15 years; Marks & Spencer suffering a devastating 46-day outage costing £300 million; Transport for London’s breach affecting 5,000 customers; the Ministry of Defence contractor breach exposing 272,000 military personnel records; and attacks on Co-op, Harrods, Scottish schools, Southern Water, and the Electoral Commission.

The statistics are staggering: 43% of UK businesses experienced cyber breaches in the past year. Ransomware attacks doubled from 2024 to 2025. The National Cyber Security Centre handled 542 nationally significant incidents. One hacking incident occurs approximately every minute in the UK.

But here’s what the statistics don’t capture: the cyber security professionals who responded to each one of these incidents. The incident responders who worked through the night. The CISOs who fielded angry calls from boards and regulators. The forensic analysts who had to piece together how the breach happened. The security awareness teams who faced criticism for “not doing enough” to prevent phishing attacks.

Every one of these attacks has a human cost that extends far beyond the victims and affected organisations.

The Invisible Scars

Recent research reveals that 51% of cyber security professionals report serious mental health impacts from work-related stress. Yet when CIISEC partnered with PTSD Resolution in May 2025 to address this crisis, it marked one of the first formal recognitions that our industry has a mental health emergency.

Think about that for a moment. More than half of the professionals defending our digital infrastructure are suffering significant psychological harm, and we’re only just beginning to talk about it.

The parallels with military service are striking, and they’re not coincidental. Like soldiers on the front line, cyber security professionals operate in a 24/7, “always on” environment. They face constant attacks from sophisticated adversaries. They experience the pressure of protecting critical national infrastructure where failure could have life-threatening consequences. They’re expected to absorb intense pressure without showing vulnerability. And crucially, they often experience moral injury when breaches occur despite their best efforts.

Colonel Tony Gauvain of PTSD Resolution describes it perfectly: “Executive burnout and the trauma experienced in high-pressure cyber security roles share many similarities with the military trauma we regularly treat. Both involve high-stakes decision-making, constant vigilance, and potential for moral injury when security breaches occur despite best efforts.”

What Does Cyber PTSD Look Like?

PTSD symptoms have become, in the words of CIISEC CEO Amanda Finch, “endemic” in the cyber security profession. These include:

Reliving the trauma: Flashbacks to critical incidents, replaying the breach timeline over and over again, obsessing about what could have been done differently.

Hypervigilance: The constant feeling of being on edge, unable to switch off, checking systems compulsively even during time off, experiencing anxiety when away from work.

Emotional exhaustion: The crushing weight of knowing that you must be right 10,000 times, whilst attackers only need to be right once. The burden of defending against an enemy that never stops, never sleeps, and is constantly innovating.

Moral injury: The profound distress that occurs when a breach happens despite doing everything right. The guilt when patients are harmed, when people’s data is stolen, when businesses suffer.

Difficulty sleeping: Racing thoughts, nightmares about breaches, inability to truly rest.

Depression and reduced sense of accomplishment: Feeling that nothing you do is ever enough. Being recognised only when something goes wrong. Questioning your competence and value.

Nicole Beckwith, a cyber security expert who has created trauma training for Interpol agents, puts it bluntly: “You are going to see and experience bad things if you are involved in DFIR, OSINT, or sometimes even in IT working on other people’s computers. Your mind needs training to be able to cope with those things before and after you encounter them.”

The Pressure Cooker Environment

When the Synnovis ransomware attack hit NHS services in June 2024, it wasn’t just an IT problem to be solved. Cyber security professionals were working around the clock knowing that real patients were being affected. Operations were being cancelled. Blood transfusions were being delayed. The Russian cybercriminal group Qilin eventually published nearly 400GB of stolen patient data on the dark web, including NHS numbers and blood test results.

Imagine being the security team member who discovered that breach. Imagine knowing that despite your best efforts, despite the long hours and the constant vigilance, patient data was stolen and published. Imagine fielding questions from distressed colleagues, from management, from regulators, all whilst trying to contain the damage and prevent further harm.

Now imagine that this isn’t an isolated incident. The attacks keep coming. The pressure never stops. The stakes remain impossibly high.

As one IT professional told researchers: “There’s never a downtime. It’s non-stop and every day is a battle.”

The Silent Suffering

When large-scale attacks are played out publicly, we hear about the media circus, the potential lawsuits, the impact on customers, the declining share prices, the financial costs to the business. The psychological effect on the cyber security professionals defending against these attacks is swept under the rug.

We don’t talk about the incident responder who can’t sleep after dealing with a healthcare breach that affected patient care. We don’t discuss the CISO who faces a scapegoating culture where they’re expected to resign after a breach, despite implementing every reasonable control. We don’t mention the security analyst who develops anxiety about checking their phone because it might be another alert.

The cyber security workforce is haemorrhaging talent because of this unspoken crisis. CISOs have the lowest average tenure of any C-suite executive, just 26 months compared to 5.3 years for their counterparts. A shocking 46% of cyber security leaders have considered leaving their roles due to stress. The good guys are burning out, and we’re losing experienced professionals at the very moment we need them most.

The Cost of Silence

When we don’t acknowledge the psychological toll of cyber security work, we create several dangerous outcomes:

Burnout becomes normalised. It’s accepted as just “part of the job” rather than recognised as a serious occupational health issue that can and should be addressed.

People suffer in silence. The stigma around mental health, combined with a culture that values “toughness” and technical competence, means professionals don’t seek help until they’re in crisis. As one expert noted, mental health issues in cyber security often remain hidden until “it’s like trying to put toothpaste back in the tube.”

We lose talented professionals. When stress becomes unbearable and support is absent, skilled practitioners leave the field entirely, exacerbating the talent shortage and increasing pressure on those who remain.

Security suffers. Burnt-out, stressed, and traumatised professionals cannot perform at their best. Decision-making suffers. Attention to detail wavers. The very security we’re trying to protect becomes compromised.

Breaking the Silence

So what can we do about this? How do we begin to address the psychological warfare being waged on our cyber security professionals?

We need to talk about it. Openly, honestly, without shame. Mental health must become as routine a topic of conversation in cyber security as threat intelligence or vulnerability management.

We need training before trauma occurs. Just as military personnel receive psychological preparation before deployment, cyber security professionals need trauma-informed awareness training. They need to understand what they might experience, how to recognise symptoms in themselves and colleagues, and what coping mechanisms are available.

We need accessible support. The partnership between CIISEC and PTSD Resolution is a vital first step, providing access to trauma therapy and psychological support for over 10,000 professionals. We need more initiatives like this across the industry, and the AI and Cyber Security Association will be seeking key partnerships in 2026 to provide more of these much-needed services.

We need to change the narrative. Cyber security teams should be viewed like emergency services, as dedicated professionals working around the clock to defend critical infrastructure, rather than as a cost centre or overhead burden. Recognition shouldn’t come only when something goes wrong.

We need organisational accountability. Companies must invest in mental health support for their security teams. This means providing Employee Assistance Programmes, building in recovery time after major incidents, ensuring adequate staffing levels, and creating a culture where seeking help is encouraged, not discouraged.

We need proper incident response planning that includes people. Yes, have your technical runbooks and disaster recovery plans. But also have plans for supporting the wellbeing of the team responding to the incident. Build in breaks. Rotate responsibilities. Check in on people’s mental state, not just the status of containment efforts.

A Personal Reflection

Throughout my career in cyber security, I’ve witnessed first-hand the toll this work takes on brilliant, dedicated professionals. I’ve seen colleagues push themselves to breaking point. I’ve watched talented practitioners leave the field entirely because the psychological cost became too high.

As someone who is openly neurodivergent and applies trauma-informed approaches to security awareness training, I believe we have a duty to bring the same care and consideration to our own workforce that we ask them to bring to protecting our organisations. We cannot continue to treat our cyber security professionals as infinitely resilient machines that can withstand any amount of pressure.

The attacks on the UK throughout 2024 and 2025, from the NHS breaches to the retail ransomware wave, from the MoD contractor compromise to the Legal Aid Agency exposure, weren’t just technical incidents. They were human experiences, lived by real people who carried the weight of responsibility, the pressure of response, and often, the trauma of the aftermath.

The Way Forward

As we head into 2026, we must recognise that building cyber resilience isn’t just about technical controls, security awareness training, or incident response capabilities. It’s also about building resilient people. It’s about creating an industry where mental wellbeing is prioritised alongside technical skills. Where seeking support is seen as a sign of strength, not weakness. Where we measure success not just by the absence of breaches, but by the wellbeing of the people working tirelessly to prevent them.

The next time you read about a major cyber-attack in the headlines, I invite you to think beyond the statistics, beyond the financial costs, beyond the operational disruption. Think about the people who responded to that attack. The ones who worked through the night. The ones who made difficult decisions under impossible pressure. The ones who will carry the weight of that incident long after the news cycle has moved on.

If you know someone who is actively working on a live cyber-attack incident, I urge you to check in on them. It’s time we acknowledged their sacrifice, supported their wellbeing, and built an industry that values their mental health as much as it values their technical expertise. Protecting our digital infrastructure requires more than just technology and processes; it requires people. And people need to be protected too.

If you or someone you know is struggling with work-related stress, burnout, or trauma in cyber security, support is available. CIISEC members can access trauma awareness training and therapy through their partnership with PTSD Resolution. For organisations looking to support their cyber security teams’ mental health, resources are available via CyberMindz, CIISEC, and specialist occupational health providers who understand the unique pressures of cyber security work.
_________________________________________________________________________________________

Citations and Resources

Major UK Cyber Attacks 2024 – 2025 Mentioned In This Article

NHS Synnovis Attack (June 2024)
https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/top-attacks-uk-public-sector-2024.html

Marks & Spencer (April 2025)
https://cloudandmore.co.uk/biggest-uk-cyber-attacks-2025/

Legal Aid Agency (2025)
https://www.ansecurity.com/latest-uk-cyber-attacks-a-wake-up-call-for-2025/

MoD Contractor/SSCL (2024)
https://cloudandmore.co.uk/8-biggest-uk-cyber-attacks-of-2024-so-far/

Transport for London (Sept 2024)
https://www.sharp.co.uk/news-and-events/blog/the-biggest-uk-cyber-attacks-of-2024

Key Mental Health Statistics

51% of cyber security professionals report serious mental health impacts
Source: CIISEC State of the Profession report (2020/21) and cited in: CIISEC, “PTSD Resolution Partnership,” 22 May 2025
https://www.ciisec.org/news/ptsd-resolution-and-ciisec-partner-to-address-mental-health-in-cyber security/

46% of cyber security leaders considered leaving roles due to stress
https://www.cpomagazine.com/cyber-security/breaking-the-cycle-of-cyber security-ptsd/

CISO average tenure: 26 months (vs 5.3 years for other C-suite)
https://www.cpomagazine.com/cyber-security/breaking-the-cycle-of-cyber security-ptsd/

UK Cyber Threat Landscape

43% of UK businesses experienced breach in last 12 months (2025)
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/

Ransomware doubled: <0.5% (2024) to 1% (2025) = 19,000 organisations
https://www.theregister.com/2025/04/11/uk_cyberattacks

542 nationally significant incidents handled by NCSC (4 per week)
https://www.ncsc.gov.uk/news/uk-experiencing-four-nationally-significant-cyber-attacks-weekly

One hacking incident per minute in UK
https://www.theiet.org/media/press-releases/press-releases-2025/press-releases-2025-october-december/1-october-2025-cyber-crisis-surge-in-attacks-leaves-uk-public-feeling-unsafe-online

Expert Quote Citations

Nicole Beckwith (Cyber Security Expert, created INTERPOL training): “You are going to see and experience bad things if you are involved in DFIR, OSINT, or sometimes even in IT working on other people’s computers. Your mind needs training to be able to cope with those things before [and after] you encounter them.”

Colonel Tony Gauvain (PTSD Resolution Chairman): “Both involve high-stakes decision-making, constant vigilance, and potential for moral injury when security breaches occur despite best efforts.”

  • Source: CIISec partnership announcement, 22 May 2025

Amanda Finch (CIISec CEO): PTSD symptoms have become “endemic” in the cyber security profession
