Recent advice suggests people should plan for potential cyberattacks by returning to pen and paper.
The government has urged business leaders across the country to keep physical copies of their plans at the ready as a precaution.
The recent wave of hacking attacks has demonstrated the chaos that can occur when hackers take down computer systems.
The warning comes as the National Cyber Security Center (NCSC) reported an increase in national attacks this year.
Criminal hacks at Marks and Spencer, The Co-op and Jaguar Land Rover have left shelves empty and production lines halted this year as the companies struggled without their computer systems.
Organizations need to “have a plan for how they will continue to operate without their IT (and rebuild that IT at an appropriate pace) if the attack passes,” said Richard Horne, executive director of the NCSC.
Firms are being urged to move beyond cybersecurity controls to a strategy known as “resilience engineering,” which focuses on building systems that can anticipate, absorb, recover and adapt in the event of an attack.
Plans should be kept on paper or offline, the agency suggests, and include information about how teams will communicate without work email and other analog workarounds.
These types of cyber attacks Contingency plans are not new but it is notable that the UK Cyber Authority gives this issue a prominent place in its annual review.
While the total number of hacks the NCSC dealt with in the first nine months of this year was 429, roughly the same as the same period last year, there was an increase in hacks with more serious consequences.
The number of “nationally significant” incidents accounted for almost half, or 204, of all incidents. Last year, only 89 were in this category.
The incident of national significance covers the top three categories of cyber attacks across the NCSC and UK law enforcement agencies. categorization model:
- Category 1: National Cyber Emergency.
- Category 2: Extremely Significant Incident.
- Category 3: Significant Incident.
- Category 4: Significant Incident.
- Category 5: Moderate incident.
- Category 6: Local incident.
Of this year's incidents, 4% (18) were in the second most significant category, “extremely significant.”
This represents a 50% increase in the number of such incidents, marking the third consecutive year of increase.
The NCSC did not specify which attacks, public or undisclosed, fall into which category.
But as a guide, it is expected that the wave of attacks on UK retailers in the spring, which affected Marks and Spencer, The Co-op and Harrods, will be classified as a Serious Incident.
One of the worst attacks on a blood testing provider last year caused major problems in London hospitals. This resulted in significant clinical impairment and directly contributed to the death of at least one patient.
The NCSC did not specify what category this incident falls into.
The vast majority of attacks are financially motivated: criminal gangs use ransomware or data extortion to blackmail victims into sending bitcoins as ransom.
While most cybercriminal gangs are headquartered in Russia or the former Soviet Union, there has been a resurgence of teenage hacker gangs believed to be based in English-speaking countries.
Seven teenagers have been arrested in the UK this year as part of investigations into major cyber attacks.
In addition to recommendations for increased training and collaboration, the government is asking organizations to make better use of the free tools and services offered by the NCSC, such as free cyber insurance for small businesses that complete the popular Cyber-Essentials program.
Paul Abbott, whose Northamptonshire haulage firm KNP closed after hackers encrypted its operating systems and demanded money in 2023, says it's no longer a question of “if” such incidents will happen, but when.
“We spent £120,000 a year on [cyber-security] with insurance, systems and third party managed systems,” Mr Abbott told BBC Radio 5 Live on Tuesday.
He says his focus now is on security, education and contingency plans, with planning for what's needed to keep the business running in the event of an attack or disruption key.
“The call to use pen and paper may seem old-fashioned, but it is practical,” said Graham Stewart, head of public sector at cybersecurity firm Check Point, noting that digital systems can be rendered “useless” if attacked by hackers.
“You wouldn't go to a construction site without a helmet, but companies still go online without basic protection,” he added.
“Cybersecurity must be treated with the same seriousness as health and safety: not an optional extra, not an afterthought, but part of everyday working life.”
