Why the UK Government Is Urging Businesses to Return to Pen and Paper
As cyber attacks reach nine-year high, officials warn companies must prepare for the day screens go dark
In an age defined by digital transformation, the UK government is delivering an uncomfortable message to business leaders: prepare to operate without technology. As cyber attacks surge to their highest levels in nearly a decade, officials are urging companies to dust off an old-fashioned backup plan—paper.
The advice, prominently featured in the National Cyber Security Centre's 2025 Annual Review, reflects a sobering reality. When hackers strike with sufficient sophistication, even the most technologically advanced companies can find themselves suddenly cut off from every digital system they depend on. And in those critical hours or days, a printed contingency plan may be the difference between survival and collapse.
The Numbers Tell an Alarming Story
The NCSC handled 204 "nationally significant" cyber attacks in the year ending August 2025, a dramatic increase from just 89 such incidents the previous year. Even more concerning, 18 of these incidents were classified as "highly significant"—representing a 50% increase for the third consecutive year.
"Cyber security is now a matter of business survival and national resilience," Dr. Richard Horne, CEO of the NCSC, warned at the agency's annual review launch on October 14. "With over half the incidents handled by the NCSC deemed to be nationally significant, and a 50% rise in highly significant attacks on last year, our collective exposure to serious impacts is growing at an alarming pace."
The government's concern was underscored by an unprecedented open letter sent to CEOs and chairs of FTSE 350 companies, signed by Chancellor Rachel Reeves, Security Minister Dan Jarvis, and other senior officials. The message was clear: hesitation is a vulnerability.
When Britain's Biggest Brands Went Dark
The urgency behind the government's warning stems from a devastating series of attacks that have struck some of Britain's most recognizable companies throughout 2025.
In April, Marks & Spencer suffered a cyber attack that forced the retailer to suspend online sales for six weeks and ultimately cost the company £300 million. The attack disrupted the fashion, home, and food divisions, emptied store shelves, interrupted supply chains, and damaged customer trust through stolen data.
The Co-op faced similar chaos. The supermarket chain estimated a £206 million underlying margin impact from their cyber attack, with disruptions rippling across 2,300 outlets and exposing sensitive member information.
Even luxury brands weren't spared. Harrods' cyber disruption cost approximately £30 million, while Pandora and Adidas also faced significant incidents.
But perhaps the most dramatic example came in late August, when Jaguar Land Rover was forced to shut down production at all its factories in the UK and overseas after discovering it had been hacked. Executives told the government the attack was more disruptive and complex than the hacks that hit M&S and Co-op, warning that some suppliers were unlikely to survive without taxpayer support.
What made the JLR incident particularly catastrophic was that the company reportedly had no active cyber insurance coverage at the time of the attack. Some industry sources suggest total losses could reach £4.7 billion if the shutdown extends into November. The human cost has been equally severe, with one in six businesses in JLR's supply chain already implementing redundancies.
Breach Notification TrackerThe Rise of the Teenage Hacker
Adding to the complexity of the threat landscape is an unexpected phenomenon: there has been a resurgence in teenage hacking gangs thought to be based in English-speaking countries, with seven teenagers arrested in the UK this year as part of investigations into major cyber attacks.
In July 2025, the National Crime Agency arrested four individuals aged 17 to 20 in connection with cyber attacks on Marks & Spencer, Co-op, and Harrods. In September, two more teenagers—19-year-old Thalha Jubair and 18-year-old Owen Flowers—were arrested and charged in connection with an attack on Transport for London.
Jubair also faces charges in the United States for alleged involvement in a hacking campaign affecting at least 47 U.S. victims, with victims reportedly paying at least $115 million in ransom payments. If convicted, he faces up to 95 years in federal prison.
Many of these young hackers are linked to "Scattered Spider," a decentralized cybercrime collective known for aggressive social engineering tactics. The group has claimed responsibility for multiple attacks, identifying themselves as "Scattered Lapsus Hunters," a merger of Scattered Spider and Shiny Hunters collectives.
The Case for Analog Backup
Against this backdrop, the government's advice to create paper-based contingency plans may seem quaint, but security experts say it's profoundly practical.
"You wouldn't walk onto a building site without a helmet, yet companies still go online without basic protection," said Graeme Stewart, head of public sector at Check Point. "Cybersecurity must be treated like health and safety: not optional, but essential."
The NCSC is urging firms to embrace "resilience engineering"—a strategy focused on building systems that can anticipate, absorb, recover, and adapt when attacks occur. Plans should be stored in paper form or offline and include information about how teams will communicate without work email and other analog workarounds.
Paul Abbott, whose Northamptonshire transport firm KNP closed after hackers encrypted its systems in 2023, offers a stark warning based on his experience. Despite investing £120,000 annually in cyber security, insurance, and managed systems, his company still fell victim. "It's no longer a case of 'if' such incidents will happen, but when," he told BBC Radio 5 Live.
His advice now centers on what he calls the three pillars: security, education, and contingency—with a critical focus on planning what's needed to keep a business running during an attack or outage.
What Should Be in Your Paper Playbook?
While the specific contents of a contingency plan will vary by organization, security experts recommend several essential elements:
Crisis Communication Procedures: Phone trees, emergency contact lists, and alternative communication channels that don't rely on corporate email or messaging systems.
Critical System Inventory: A complete list of essential systems, their dependencies, and manual alternatives for core business functions.
Key Personnel Roles: Clear definitions of who does what during a crisis, including decision-making authority when normal approval processes are unavailable.
Vendor and Partner Contacts: Critical supplier information, service agreements, and escalation procedures that can be accessed without digital systems.
Recovery Procedures: Step-by-step instructions for system restoration, including the order in which systems should be brought back online.
Data Breach Cost Calculator
Data Backup Locations: Information about where backups are stored and how to access them if primary systems are compromised.
The key is ensuring these plans are genuinely accessible during a crisis. If they're only stored digitally, they become useless the moment hackers take systems offline.
A Three-Pronged Government Strategy
The ministerial letter to business leaders outlined three specific actions companies should take immediately:
1. Use the Cyber Governance Code of Practice: Developed with industry leaders, this sets out critical actions boards and directors should take to govern cyber risk effectively.
2. Sign Up for Early Warning: The NCSC's free early warning service informs organizations of potential cyber attacks on their networks, providing valuable time to detect and stop incidents before they escalate.
3. Implement Cyber Essentials: Companies should ensure their entire supply chain complies with the Cyber Essentials standard. The government is also offering free cyber insurance for small businesses that complete this program.
The State-Sponsored Dimension
While much of the recent attack activity has been financially motivated ransomware, state actors continue to present a significant threat to UK cyber security. The NCSC's review describes Russia as a "capable and irresponsible threat actor in cyberspace" and warns that China is a "highly sophisticated and capable threat actor, targeting a wide range of sectors and institutions across the globe, including the UK."
The report also warns that hackers, including those with links to Beijing, are using artificial intelligence to improve the potency of their attacks. This represents a new frontier in the cyber threat landscape, as AI tools make it easier to craft convincing phishing emails, identify vulnerabilities, and scale attacks.
When Digital Dependency Becomes Vulnerability
The incidents of 2025 have exposed a fundamental paradox of modern business: the same digital systems that drive efficiency and innovation also create catastrophic single points of failure.
One of the most serious attacks in recent memory occurred when a cyber incident on a blood testing provider caused major problems for London hospitals, resulting in significant clinical disruption and directly contributing to at least one patient death.
Privacy Compliance Calculator
This stark example illustrates why the NCSC is emphasizing not just prevention, but resilience. Organizations need to move beyond the mindset that adequate cybersecurity can prevent all breaches. Instead, they must prepare for the reality that sophisticated attackers may eventually get through.
Anne Keast-Butler, Director of GCHQ, wrote in the forward to the annual review: "This year, the realities of cyberattacks have hit the headlines and impacted the bottom lines of many companies. Incidents like the high-profile attacks on Marks & Spencer, the Co-op Group and Jaguar Land Rover serve as a stark reminder that the cyber threat is not just an abstract concept but a real one with real-world costs."
The Bottom Line
For too long, cybersecurity has been regarded as a technical issue for IT departments to manage. The events of 2025 have made clear this is no longer tenable. Cyber resilience must be a board-level priority, with executives taking personal responsibility for their organization's preparedness.
The advice to maintain paper-based contingency plans may seem like a step backward in an era of cloud computing and digital transformation. But it's actually a recognition of reality: when everything goes digital, you need an analog escape hatch.
Dr. Horne's message to business leaders is unequivocal: "The best way to defend against these attacks is for organisations to make themselves as hard a target as possible. That demands urgency from every business leader: hesitation is a vulnerability, and the future of their business depends on the action they take today. The time to act is now."
The question is no longer whether your organization will face a cyber attack, but whether you'll be prepared when it comes. And when every screen goes dark, will you be able to find the light switch?
IR Maturity Assessment Team
For more information about cyber security resources and the NCSC's free tools, visit ncsc.gov.uk
