Article
14 Oct 2025
Paper Plans Matter: NCSC's Wake-Up Call
Prompted by the NCSC's recent guidance, we thought it was a good moment to share lessons from the trenches. At Yopla we believe resilience is not an optional add on. It is part of how you build digital maturity, how you scale, and how you recover when things go sideways. Let me begin with Charles Wardman, our co founder, whose years working deep in incident recovery taught him something essential. When everything goes dark, you need a fallback that is not digital.
Why the NCSC is urging leaders to go back to paper
The National Cyber Security Centre has written to business leaders across the UK urging them to keep printed copies of their cyber contingency plans. Their message is simple.
Be ready to operate without IT.
The advice follows a series of serious attacks that stopped production at Jaguar Land Rover and caused outages for Marks and Spencer and The Co op. The NCSC’s latest review found that almost half of all UK cyber incidents this year were classed as “nationally significant”, double the previous year.
Richard Horne, the NCSC’s chief executive, summed it up clearly. Every organisation needs a plan for how it would continue to operate without IT and how it would rebuild that IT quickly if an attack got through.
This is not nostalgia. It is practicality. It is about being ready to keep the lights on when your screens go dark.
The numbers tell the story
The NCSC handled 204 nationally significant cyber incidents in the past year, more than double the previous year's figure of 89. Of these, 18 were deemed highly significant, marking a 50% year on year increase for the third consecutive year.
The pattern is clear. Every leader, whether you are one person at your kitchen table or the boss of thousands of people, must have a plan to defend against criminal cyber attacks and you must have a plan for continuity.
But it goes deeper than numbers. The incidents we have seen this year have hit household names and disrupted real lives. Supply chains frozen. Customer data compromised. Weeks of lost revenue. Legal consequences. Reputational damage that takes years to repair.
For Co-Op's CEO, Shirine Khoury Haq, the experience was deeply personal. The attack affected 6.5 million members and, as she put it in an open letter to business leaders, "nothing truly prepares you for the moment a real cyber event unfolds."
The coffee shop test
Imagine a single coffee shop. Orders written by hand, a till that takes cash, one person managing the flow. Simple, low risk, no dependency on systems. That is your starting point, what I call your quantum.
As that shop grows into ten branches with stock control, payroll and delivery systems, its digital dependency grows too. That is the trade off. The further you scale, the more vital it becomes to know what you would do if those systems stopped working.
Your quantum is not theory. It is the point you can return to when everything else fails.
From defence to resilience
Traditional cyber security focuses on prevention. Resilience is about recovery.
The NCSC calls this resilience engineering - designing organisations that can anticipate, absorb, recover and adapt when things go wrong.
At Yopla we often describe it as common sense with structure. It is about preparing for failure rather than pretending it won't happen. Most organisations focus on firewalls, antivirus software, access controls. These matter. But they are only half the picture.
Cyber resilience involves accepting the fact that no cyber security solution is perfect or capable of protecting against every possible form of cyber threat. Security tries to keep attackers out. Resilience assumes they will get in eventually and prepares you to survive and recover when they do.
We talk more about this mindset in our piece on AI vs Manual Work: Why Readiness Decides the Winner.
Build your own paper plan
Here is a simple framework to help you design a practical backup plan for your organisation.
Focus Area | Practical Actions You Can Take |
|---|---|
1. Plan for the offline day | Ask, if our systems were unavailable tomorrow, how would we operate? Identify the key people you would need to contact and how. Print your emergency contact tree and decision making structure. Store copies in fireproof safes at multiple locations. Test that leadership can access this without logging in. |
2. Document your manual processes | Write step by step procedures for core operations without computers. How to take orders on paper, process cash payments, issue handwritten receipts, track inventory manually. Laminate these guides and keep them at each workstation. Train staff on these procedures before you need them. |
3. Keep your finances moving | Every business runs on cash flow. Ensure you have alternative internet access such as mobile tethering or home broadband so authorised staff can access banking securely. Ensure at least three authorised signatories can access accounts from different locations. Document the escalation path to your bank's emergency team. Never write passwords down, but do record the steps to request emergency access. |
4. Stay in touch | Communication is your lifeline. Keep up to date mobile numbers for your leadership team, key clients and suppliers in a format that works without email. Create a phone tree on paper showing who calls whom in an emergency. If your phones rely on Wi Fi, have at least one on a mobile network. During a crisis, one honest phone call outweighs twenty emails. |
5. Keep serving customers | If you cannot take card payments, take cash. If you cannot send invoices, use small BACS payments and confirm by phone. Prepare simple holding messages on paper that explain the situation without creating panic. Transparency builds trust. Customers forgive disruption if you are transparent and keep them informed. |
6. Protect your people and operations | Keep paper or offline copies of essentials such as staff rotas, supplier contacts, regulatory compliance documents and key contracts. Store in clearly labelled folders that anyone can access without logging in. Train your team to work manually for short periods if needed. Culture and capability determine how well people cope under pressure. |
7. Stockpile essential supplies | Keep physical supplies that enable non digital operation. Receipt books, carbon copy order pads, calculators, pens, cash float, manual card imprinters for card payments if terminals fail. Check and replenish monthly. Without these basics, even the best plan fails in practice. |
8. Map your critical dependencies | Draw a physical diagram showing which business functions depend on which systems. Identify the order in which you would need to restore them. Mark which operations can continue offline. Keep this map printed and accessible to leadership without requiring system access. |
9. Create a physical recovery playbook | Document your complete recovery plan in a printed binder. Who to call first, what order to restore systems, how to verify data integrity, when to communicate with customers. Store copies at multiple locations including senior leaders' homes. Review and update after every incident or drill. |
10. Rebuild carefully | When systems come back online, start small. Restore in phases. Communications first, then finance, then operations. Check that your data is intact and that systems are safe before reconnecting. Verify data integrity before reconnecting systems. Document what broke and why, then update your plans. Every incident is a chance to improve your resilience. |
What good looks like
The best organisations do not rely on luck. They test their plans.
Once a year, run a short paper day. Turn off your main systems for an hour and see how your teams cope. You will learn where the gaps are and how people behave under pressure.
Resilience is not about perfection. It is about confidence. Confidence that your people can keep going when the tech stops.
That same principle sits at the heart of our approach to digital transformation and leadership readiness. The aim is always the same, strong systems, empowered people, and calm recovery when things go wrong.
The reality: most businesses are not ready
67% of medium sized and 74% of large British businesses experienced a cyber breach or attack in the past year. This is not just a problem for the big players.
Yet when systems fail, most organisations discover they cannot function. Staff do not know how to process orders manually. No one can access supplier phone numbers without the CRM. The cash float has not been counted in months. Customer service grinds to a halt because every script lives in a digital knowledge base.
We have written this for the leader who does not have a technical background but knows they need to take this seriously. If you can read a balance sheet, you can understand cyber risk. Both affect your ability to operate, both require mitigation, and both sit squarely in your remit as a leader.
In closing
The NCSC's advice could not be simpler. Write it down. Keep a copy. Be ready to use it.
At Yopla we have seen that the businesses who plan this way recover faster, retain trust and come back stronger. They do not panic when systems fail because they have already thought through what happens next.
Sometimes the smartest thing you can do for your digital future is to start with a pencil and a bit of paper.
Want to discuss how this applies to your organisation? Let's talk about building resilience that actually works when you need it most.