1 in 10 Will Be a Victim of Cybercrime. Where Do They Turn?

Over five million people in England and Wales are affected by cybercrime every year. That number is widely accepted across law enforcement, government, and the cyber security community. What is far less discussed is what happens to those people after the incident.

The answer, in most cases, is very little.

The support gap nobody talks about

According to the UK Home Office, 36% of cybercrime victims do not report the crime at all, and of those who do, ONS data shows only one in eight fraud offences ever reach the police or Action Fraud. As Rory Innes, Founder of The Cyber Helpline, puts it: perpetrators are almost never brought to justice, and victims are largely left to navigate the aftermath alone.

These are not edge cases. They represent the standard experience for millions of people every year, people dealing with romance scams, digital fraud, account compromise, cyber stalking, sextortion, and intimate image abuse. People who, in most cases, have no idea where to go or what to do next.

The cyber security industry has spent decades building sophisticated frameworks to protect organisations. It has built very little to protect the individuals those organisations employ and serve.

Why individuals fall through the gap

When a business is breached, there is a process. There are incident response plans, legal obligations, communications teams, and insurers. The machinery of corporate cyber security kicks in.

When an individual is targeted, there is no equivalent machinery. Social media platforms do not have a helpline. Reporting to the police typically results in an automated response, if anything at all. And the advice most commonly offered ("change your password", "contact your bank") frequently misses the point entirely.

The problem is not just a lack of resource. It is a lack of understanding. Cybercrime against individuals is rarely a purely technical problem. It is a human one. A compromised email account may be the work of an abusive partner. A sextortion case involves not just technical exposure but serious mental health and physical safety risk. Changing a password in the wrong circumstances can escalate a situation rather than resolve it.

This is where the cybersecurity community has consistently underestimated what is required. Technical expertise alone is not sufficient. What victims need is someone who understands both the technology and the human context, and who can take the right action, at the right time, in the right order.

What organisations need to understand

For security leaders and IT teams, this is not a distant issue. The effects of cybercrime extend far beyond financial loss, with many victims suffering long-term mental health issues and a sustained sense of insecurity. When a member of staff is a victim of cybercrime in their personal life, the impact does not stay outside the office door.

Cyber stalking, compromised personal devices, intimate image abuse: all of these can create direct security implications for an organisation. A targeted employee is a potential attack vector. And yet most organisations have no policy, no process, and no guidance for what to do when a staff member comes to them and says it has happened to them.

There are practical steps organisations can take. Knowing where to refer employees is the starting point. Having a clear internal position on how to support staff through a personal cyber incident is the next. And understanding that the right first response is rarely a technical one, but a human one, is perhaps the most important shift of all.

The role of the cybersecurity community

The cyber security industry has the skills to make a material difference to individual victims. It has the technical knowledge, the experience of incident response, and the ability to navigate the landscape that most victims find completely inaccessible.

What it has not always had is the structure, the soft skills, and the pathways to deploy that expertise in a way that actually helps individuals. Building those things takes deliberate effort: training people not just in the technical response but in how to communicate with someone in crisis, how to assess risk across a situation that is part technical and part deeply personal, and when to involve law enforcement or other specialist support.

The organisations and individuals within the cybersecurity community who make that effort are doing something genuinely valuable. The ones who do not are leaving a gap that affects millions of people every year.

How to get involved

The Cyber Helpline is a UK charity providing free, expert support to individuals and sole traders affected by cybercrime, digital fraud, and online harm. It was founded by and operates within the cybersecurity community — and it is actively looking for support.

If you work in cyber security, there are several ways to contribute:

  • Volunteer — Use your skills directly supporting victims, contributing to open source investigations, or developing threat response guidance.
  • Donate — The Cyber Helpline operates without government funding. Financial contributions directly support the free service it provides.
  • Fundraise — Choosing The Cyber Helpline as your charity for a run, walk, or challenge raises both funds and awareness.
  • Refer — If a colleague, employee, or contact has been affected by cybercrime, signpost them to thecyberhelpline.com. Free, expert help is available.
  • Partner — Organisations can support through sponsorship, pro bono expertise, or donating tools and technology.

Hear the full conversation

In the latest episode of Cyber Security In Focus, Katie Watson speaks with Rory Innes, founder and CEO of The Cyber Helpline, recipient of the Alan Turing Award at the National Cyber Awards, and one of the most compelling voices on what the cybersecurity community owes to the individuals it has largely overlooked.

Listen to 1 in 10 Will Be a Victim of Cybercrime on Spotify, YouTube, Apple Podcasts, or wherever you get your podcasts.
