When the UK’s National Cyber Security Centre (NCSC) recommends that organizations revisit pen and paper plans, it may sound retrograde. After all, modern cybersecurity strategies often focus on AI-enhanced threat detection, zero trust architecture, and real-time telemetry. But this latest guidance isn’t about going backwards. It is a response to a rapidly evolving threat landscape where ransomware can disable entire enterprises, cutting off communication, halting production, and leaving even well-defended organizations unable to function.
According to the NCSC, the recommendation to maintain physical copies of incident response plans is part of a broader shift toward resilience engineering. This is a mindset that prioritizes recovery as much as defense. In other words, the question is no longer "how do we stop an attack" but "how do we continue to operate while under attack and recover effectively after it ends."
In a letter issued to UK business leaders this month, the NCSC outlined the importance of storing response plans offline or in print, and encouraged organizations to think through analog workarounds for communication and coordination should IT systems go offline. As Richard Horne, CEO of the NCSC, explained: “Organisations need to have a plan for how they would continue to operate without their IT, and rebuild that IT at pace, were an attack to get through” (BBC News, 2025).
This guidance comes amid a sharp rise in the severity of cyberattacks. In the first nine months of 2025, the NCSC dealt with 429 incidents, a figure consistent with previous years. However, the number of those deemed "nationally significant" more than doubled. A total of 204 incidents were classified as either Category 1 (national emergency), Category 2 (highly significant), or Category 3 (significant), compared to 89 in 2024. Category 2 incidents alone rose by 50%, marking the third consecutive year of growth in high-severity attacks (Reuters, 2025).
Several of these incidents have had real-world operational and reputational consequences. Marks & Spencer, the Co-operative Group, and Harrods all experienced significant cyberattacks in 2025 that led to service disruption, data exposure, and broader operational fallout. While the specific details of each case differ, Co-op reported internal logistics issues following a malicious breach, and Harrods confirmed a third-party supplier compromise that exposed the personal data of more than 430,000 customers (its second confirmed incident this year). These attacks underscore a wider pattern we've observed across the consumer sector, as discussed in our earlier blog, Retail Under Siege: What Recent Cyber Attacks Tell Us About Today’s Threat Landscape.
This trend isn’t limited to retail. Other recent examples include a confirmed breach at HMRC, which remains under investigation, and a coordinated cyberattack on airport infrastructure that disrupted operations at Heathrow, Brussels, and Berlin. One suspect has already been arrested in connection with the airport incidents, highlighting how cross-sector attacks are escalating in both frequency and severity.
This surge in both volume and severity suggests that traditional cybersecurity models, which focus heavily on perimeter controls, are no longer sufficient. The concept of resilience engineering reflects the need to plan for operational continuity even if digital systems fail. This includes preparing paper-based protocols, rehearsing manual workarounds, and ensuring that incident response roles and contact information are accessible without relying on the systems likely to be targeted in an attack.
This change in mindset also reflects a shift in the attacker landscape. While many sophisticated ransomware operations continue to originate from Eastern Europe, the UK has seen a noticeable uptick in cybercrime linked to domestic actors. According to the NCSC, seven teenagers have been arrested in the UK in 2025 as part of investigations into major cyberattacks. These groups often rely on freely available exploit kits, AI-powered phishing tools, and compromised credentials bought on the dark web, making sophisticated attacks increasingly accessible to less experienced threat actors.
Organizations that have already adopted a mature cybersecurity posture should not view this guidance as a step backwards. Rather, it is a call to revisit and extend what resilience truly means. Tabletop exercises should now include scenarios where identity platforms, cloud email systems, or even physical access controls are unavailable. Teams should practice establishing secure communication without Slack, Outlook, or Teams. Response roles, escalation paths, and legal contacts should all be documented in offline formats.
Vendor risk management also requires renewed attention. As the Harrods breach demonstrated, sensitive data can be exposed even when your own systems are secure. Contracts should specify cybersecurity expectations for suppliers, and incident response obligations should be defined and tested.
In the face of increasing threat complexity, organizations must also ensure that board-level stakeholders are fully engaged in cyber planning. Cybersecurity is no longer just an IT concern. It is a business continuity concern, a regulatory concern, and in many cases, a reputational one. As Graeme Stuart from Check Point observed, “You wouldn't walk onto a building site without a helmet — yet companies still go online without basic protection” (BBC News, 2025). His analogy underscores the idea that digital resilience must become as fundamental as physical safety.
To support these efforts, the NCSC continues to offer free tools and guidance. For example, small businesses that complete the Cyber Essentials programme may qualify for free cyber insurance, reducing both risk and financial exposure in the event of an attack.
As Sabeen Malik, VP of Global Government Affairs & Public Policy at Rapid7, explained during the Take Command summit:
“Besides having a plan B for the private sector to implement, there needs to be real concerted global effort to purge the scourge of bad data practices including where governments can use their leverage collectively to reimagine programs and policies dealing with online data management and practices.”
Ultimately, the call for pen and paper isn’t about going analog in a digital world. It is a pragmatic reminder that when everything digital fails, your business must still function. In 2025, cyber resilience means having a plan that works even when your systems don’t.