UK Government Tells CEOs: Keep Printed Cyber Plans Handy
21 October 2025Amid a sharp rise in high-impact cyber incidents, the UK government has issued direct advice to business leaders: maintain physical, offline copies of critical cyber response and continuity plans. The message? Be prepared to keep your business running, even if your systems are down.
Why This Is Happening Now
The warning follows a significant uptick in serious cyber threats. According to the latest review by the National Cyber Security Centre (NCSC), 429 incidents were handled in the past year—204 of which were deemed “nationally significant”, up from 89 the previous year. Eighteen were classified as “highly significant”, representing a 50% increase.
Recent attacks have disrupted supply chains and halted operations across various sectors, making it clear that cyber threats now pose serious economic risks, not just IT concerns.
Cyber Security at the Boardroom Table
In a letter co-signed by Technology Secretary Liz Kendall and several other senior ministers and agency heads, the government has urged business leaders—particularly those heading FTSE 350 companies—to treat cyber resilience as a board-level issue.
What Businesses Are Being Asked To Do
- Adopt the new Cyber Governance Code of Practice and integrate cyber risk into corporate governance.
- Register for the NCSC’s Early Warning service to stay ahead of potential threats.
- Implement Cyber Essentials standards within their own organisation and across their supply chains.
Perhaps most strikingly, the letter encourages companies to keep printed versions of cyber plans and contact information available in case digital systems become unusable during an attack.
Why Paper Plans Still Matter
In the event of a ransomware attack or catastrophic system failure, access to cloud-based or encrypted backups may be lost. That’s where hard copies come in—they ensure that key people can still act, even if the internet is down or authentication services are offline.
Shifting From Defence to Resilience
This shift in tone reflects a broader change in cybersecurity strategy. Rather than assuming every attack can be prevented, the focus is now on how quickly an organisation can recover. That includes testing recovery scenarios, segmenting networks, and ensuring backup systems can’t be compromised during an attack.
The NCSC’s Message
Describing cybersecurity as essential for business continuity and national resilience, the NCSC is urging firms to think beyond prevention. Its Cyber Action Toolkit and Early Warning services are part of a growing toolkit to help companies improve their readiness—especially small and medium-sized enterprises that often lack dedicated cyber teams.
Industry Backs the Call
Cybersecurity professionals have welcomed the government’s stance, noting that paper-based contingency plans, while seemingly old-fashioned, are a practical necessity when systems fail. Recent incidents have shown that organisations with printed playbooks recover faster and suffer less disruption.
Accountability and Preparedness
For larger firms, the message is clear: cybersecurity is now a governance issue. Boards must identify who takes charge in a crisis, how to communicate offline, and where key information is stored physically. For smaller businesses, the emphasis is on getting the basics right—many of which are now free through NCSC initiatives.
The Case for Hardcopy Plans
Physical plans allow immediate access to emergency contacts, instructions, and coordination steps without relying on any technology. In time-critical industries like healthcare or manufacturing, having a paper-based response plan could mean the difference between a temporary hiccup and a major shutdown.
Challenges to Consider
Maintaining accurate paper documentation isn’t without its hurdles—it must be regularly updated and kept secure. Some firms worry about the administrative burden. Others fear it may distract from investing in better digital protections. However, most experts agree: resilience and prevention must go hand in hand.
Planning for the Worst
The government’s call to action aligns with a wider legislative and strategic push. The upcoming Cyber Security and Resilience Bill is expected to formalise many of these recommendations, further embedding resilience into UK business culture.
What This Means for Your Business
This development signals a turning point: cybersecurity is no longer just an IT concern, but a matter of leadership and long-term viability. CEOs and boards are now expected to ensure their organisations can survive and respond to cyber disruption.
For organisations of all sizes, this may require a cultural shift—toward treating cyber planning like health and safety: routine, visible, and everyone’s responsibility. Investing in resilience now can pay dividends when the unexpected happens—keeping operations moving, protecting data, and maintaining public trust.
As the government points out, no system is completely invulnerable. But with the right plans on paper—and the right people ready to act—businesses can greatly reduce the fallout from even the most severe digital disruptions.
