
The UK government has written to chief executives across the country urging them to keep physical, offline copies of their cyber contingency and business continuity plans, as the number of severe cyber attacks continues to rise.
Why The Government Is Acting Now
The move follows a sharp increase in what officials call “nationally significant” cyber incidents. In its latest annual review, the National Cyber Security Centre (NCSC) reported handling 429 cyber incidents over the past year, of which 204 were classed as nationally significant, more than double the previous year’s total of 89. Eighteen of those were categorised as “highly significant”, marking a 50 per cent rise.
These figures highlight a growing problem for UK organisations. Attacks on major companies have recently disrupted production lines, logistics operations, and supply chains. The government says this shows how cyber threats now pose not only a security risk but also a direct threat to jobs and the wider economy.
Cyber Resilience Should Be A Board Level Priority
Technology Secretary Liz Kendall, Chancellor Rachel Reeves, Business Secretary Peter Kyle, Security Minister Dan Jarvis, and the heads of both the NCSC and the National Crime Agency have jointly signed letters to business leaders, including all FTSE 350 companies. The message is that cyber resilience must become a board-level priority, and organisations must be ready to operate without IT systems for extended periods if necessary.
What The Letter Tells CEOs To Do
The government's letter makes three key recommendations to company leaders:
1. It says they should treat cyber resilience as a governance issue and align with the government’s new Cyber Governance Code of Practice.
2. It recommends that all organisations sign up to the NCSC’s Early Warning service, which alerts firms to potential vulnerabilities or active threats.
3. It advises implementing the Cyber Essentials scheme, both within their own operations and throughout their supply chains.
Crucially, the letter also stresses the importance of keeping copies of critical plans “accessible offline or in hard copy”, including details of how to communicate and coordinate during an IT failure. This is part of a wider government effort to embed what the NCSC calls “resilience engineering”, an approach that focuses on anticipating, absorbing, recovering from, and adapting to cyber attacks.
The Logic Behind Paper Copies
Although it may sound strange in an increasingly digital world, the advice to hold printed plans is intended as a practical response to one of the key realities of modern cyber incidents. When ransomware or destructive malware locks or wipes digital systems, even backups stored in the cloud can become inaccessible. In those situations, an organisation needs something it can rely on immediately: contact lists, instructions, and decision trees that are available without power, network access, or authentication.
The NCSC’s annual review explains that organisations should have “plans for how they would continue to operate without their IT, and rebuild that IT at pace, were an attack to get through.” Storing that information offline ensures that teams can still coordinate a response even if email, messaging, or identity systems have been taken down.
From Prevention To Resilience
The government’s letter reflects a wider change in strategy from simply preventing attacks to building the ability to withstand them. The NCSC now encourages what it calls resilience engineering: designing systems and processes that can recover quickly after disruption.
That includes maintaining immutable backups that cannot be encrypted or tampered with, segmenting networks to prevent attacks spreading, testing recovery procedures, and running scenario exercises that simulate complete loss of IT. This approach assumes that no organisation can be completely immune to attack, so readiness and rapid recovery become essential.
Warnings From The NCSC
In its latest report, the NCSC said cyber security had become “a matter of business survival and national resilience.” The agency noted that half the incidents it managed in the past year met the top three severity categories, which cover impacts to government, essential services, or large sections of the public and economy.
The NCSC is urging organisations to make themselves as hard a target as possible, warning that hesitation in improving resilience leaves them exposed. It is also promoting its Cyber Action Toolkit for smaller firms, which provides simple step-by-step measures to improve security and response capabilities.
Support From The Security Industry
Cybersecurity professionals appear to have broadly supported the government’s message, saying it reflects lessons learned from recent incidents where businesses lost access to key systems for weeks. Industry experts have described the advice as practical rather than symbolic, noting that while printed plans may seem old-fashioned, they can be vital when digital tools fail.
The concept of treating cyber security like health and safety, something every employee understands as part of everyday working life, has gained traction in recent years. The government’s call reinforces this by urging boards to build resilience into core operations rather than treating it as an optional add-on.
Preparation
For larger companies, the message means that cyber risk must now be reported and discussed at board level, with directors accountable for ensuring readiness. That includes confirming who would take charge in an emergency, how to communicate without email, and where physical copies of key documents are stored.
For smaller firms, the focus is more on preparation. For example, the NCSC’s free services, including the Early Warning system and Cyber Essentials certification, are designed to reduce the burden of building basic protection. Having physical backup plans does not replace digital defences, but it ensures that even in the worst-case scenario, there is a clear process for keeping the business running.
The government also highlights the benefits of requiring suppliers to meet similar standards, as supply chain weaknesses can often be exploited by attackers. Making resilience part of procurement policies helps reduce the risk of disruption spreading between organisations.
The Advantage of Offline Contingency Plans
A key advantage of offline contingency plans is that they allow teams to act immediately when systems go down. For example, staff can access emergency contacts, escalate issues, and follow recovery steps without waiting for IT access to return. In critical industries, such as healthcare, manufacturing, and logistics, those minutes or hours can make the difference between a temporary disruption and a complete operational shutdown.
Organisations that follow the NCSC’s guidance can also expect tangible benefits. The agency notes that companies meeting Cyber Essentials standards are significantly less likely to make cyber insurance claims. Better planning also tends to reduce recovery times and financial losses.
Challenges And Concerns
Although there is broad support for the government’s recommendations, there are inevitably some practical and logistical challenges. Paper copies need to be updated regularly to reflect new systems and staff changes, and they must be stored securely to prevent sensitive information from being accessed or lost. Some companies have also expressed concern about the administrative burden of maintaining both digital and physical documentation.
Others question whether a focus on manual fallbacks could distract from investment in prevention. However, security experts argue that resilience and defence are complementary: both are necessary, and neither alone is sufficient.
For small and medium-sized enterprises, limited resources remain a concern. Even with free government tools, implementing and maintaining robust resilience measures can take time and expertise. Nonetheless, the government’s stance is that preparedness is no longer optional, given the rising frequency and severity of attacks.
The Bigger Picture
Ministers have said that further steps will follow, including continued promotion of the Cyber Governance Code of Practice and potential new requirements under the forthcoming Cyber Security and Resilience Bill.
The letters sent this month highlight a clear change in tone: cyber resilience is no longer being treated as an IT issue, but as a matter of national and economic security. For UK businesses, the message is simply that if the screens go dark, the organisation should still be able to function, and that begins with having the right plans on paper.
What Does This Mean For Your Business?
The government’s intervention arguably marks a notable moment in how cyber risk is now being framed: as a question of continuity and national resilience rather than purely technical defence. The decision to write directly to company chiefs shows the extent to which cyber attacks have moved from the IT department to the boardroom, becoming an operational, financial, and reputational issue that demands visible leadership. The emphasis on hardcopy plans might appear unusual in a digital economy, yet it underlines an uncomfortable truth: digital systems are not invincible, and planning for their failure is now a core part of responsible management.
For UK businesses, this change could prove both challenging and beneficial. It requires time, training, and discipline to maintain offline contingency plans and rehearse manual processes, but it also forces a clearer understanding of dependencies and critical operations. Those already investing in resilience may find themselves better protected from both financial losses and prolonged service disruption. Smaller firms, meanwhile, stand to gain from the free support and practical guidance now being promoted by the NCSC, which aims to bring consistent standards across the economy.
The wider implications reach beyond business. For government and regulators, the campaign is part of a long-term effort to build systemic strength in the face of increasingly complex attacks. For insurers and investors, it offers a signal that resilience planning is becoming a measurable component of good governance. For the public, it reinforces the expectation that essential services, from food distribution to healthcare, should be able to keep operating even when technology fails.
The government’s advice accepts that no cyber defence is perfect, but that preparedness can dramatically limit the impact. By putting resilience on paper as well as on screen, the UK’s leadership is attempting to bridge the gap between digital ambition and practical survivability. If businesses take that message seriously, the result may be a more stable and dependable digital economy, and one that can withstand not just the next attack, but the inevitable disruptions still to come.