UK government urges firms to keep paper backups for cyberattack recovery

The UK’s National Cyber Security Centre (NCSC) is urging businesses to keep offline copies of cyber-attack contingency plans, as critical hacks on major companies expose the risks of total digital dependency.
NCSC, UK government, cybersecurity, ransomware, contingency planning, resilience engineering, paper-based backups, Jaguar Land Rover, Marks & Spencer, cybercrime, data extortion

The UK government has issued a strong warning to company leaders to prepare for cyber incidents by maintaining paper-based contingency plans. The National Cyber Security Centre (NCSC) emphasised that firms must plan how to continue operations and rebuild IT systems if networks are compromised.

The advice follows a series of high-profile cyberattacks this year targeting major UK firms, including Marks & Spencer, The Co-op, and Jaguar Land Rover, which experienced production halts and supply disruptions after their systems were breached.

According to NCSC chief executive Richard Horne, organisations need to adopt ‘resilience engineering’ strategies, systems designed to anticipate, absorb, recover, and adapt during cyberattacks.

The agency recommends storing response plans offline and outlining alternative communication methods, such as phone trees and manual record-keeping, should email systems fail.

While the total number of cyber incidents investigated by the NCSC, 429 in the first nine months of 2025, remained stable, the number of ‘nationally significant’ attacks nearly doubled from 89 to 204. These include Category 1–3 incidents, ranging from ‘significant’ to ‘national cyber emergency.’

Recent cases highlight the human and operational toll of such events, including a ransomware attack on a London blood testing provider last year that caused severe clinical disruption and contributed to at least one patient death.

Experts say the call for offline backups may sound old-fashioned but is pragmatic. ‘You wouldn’t walk onto a building site without a helmet, yet companies still go online without basic protection,’ said Graeme Stewart, head of public sector at Check Point. ‘Cybersecurity must be treated like health and safety: not optional, but essential.’

The government is also encouraging companies, particularly SMEs, to use the NCSC’s free support tools, including cyber insurance linked to its Cyber Essentials programme.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot