The NCSC’s Warning To UK Firms: How To Boost Incident Response
- Dec 10, 2025
December 2025, Andy Green, Partner
Published on: SC Magazine
The NCSC is warning UK organisations to ensure their incident response plans are set down on paper. How does this fit into a wider strategy to boost resilience?
Cyberattacks often leave companies unable to access systems, forcing them to resort to pen and paper. But as the chance of a significant breach increases, the UK National Cyber Security Centre (NCSC) is encouraging firms to prepare for this eventuality.
In a recent warning to all UK companies, the NCSC recommended that business leaders go back to basics, ensuring they have prepared physical copies of their incident response plans before an attack takes place.
The NCSC issued its alert after releasing statistics, as part of its 2025 Annual Review, showing that attacks are having a bigger impact on UK companies.
The figures show the NCSC dealt with 429 cyberattacks during the first nine months of 2025, a similar number to the same period a year earlier. However, nearly half of incidents were deemed to be "nationally significant," compared to just 89 during the previous year.
2025 has seen attacks on Jaguar Land Rover, the Co-op and Marks and Spencer, all of which had a major impact on consumers and the UK economy. In its review, the NCSC called on firms to focus on “resilience engineering” to improve their ability to “anticipate, absorb, recover from and adapt to” a “wide array of unexpected shocks”, including cyber-attacks.
As part of this, the NCSC recommends that incident response plans should be stored offline or on paper and include measures to communicate without access to systems and the internet. How can this be done?
Why Pen And Paper Works
Reverting to pen and paper isn’t a new concept, but, as the NCSC is reminding businesses, it’s something that works when under extreme pressure during an attack.
There are “very good reasons” for ensuring plans are available entirely offline, says Gemma Moore, co-founder and director of Cyberis. “When a cyber incident hits, in the worst case scenario you may have lost access to every workstation in your business. This means no access to your laptop or workstation, email, file shares and instant messaging. If your plans are all stored online, you will have lost access to those as well.”
The NCSC’s recommendation to ensure business continuity and disaster recovery plans are down on paper was “spot on,” says Rob Derbyshire, CTO at Securus Communications. “This is part of the standard preparedness we try to instill in our customers, but sadly, many still rely on shared drives and SharePoint instances to store these critical pieces of information.”
Yet as cyberattacks are increasingly viewed as an inevitable part of doing business, attitudes are changing. Incident response is evolving from “a reactive approach” to a “resilience-first mindset,” says Marie Hargraves, principal crisis management consultant at Semperis. “The goal is not only to prevent attacks, but to recover quickly and maintain operations under pressure.”
This aligns with frameworks such as the NIST Cyber Security Framework 2.0 and NCSC’s own Cyber Incident Response assurance scheme, which emphasise governance, detection, response and recovery.
Boosting Resilience In UK Companies
With government figures showing the UK is the most-attacked country in Europe, experts agree that firms must boost resilience by first getting the cybersecurity basics right.
As part of this effort, organisations must “double down” on foundational controls such as multi-factor authentication (MFA), says Dray Agha, senior manager, security operations centre EMEA at Huntress. “Crucially, ensure backups are isolated, immutable and regularly tested for restoration,” he adds.
This standard of security should also apply to third parties and the supply chain to avoid being caught out. “Firms must extend their resilience by requiring robust security practices from their critical partners and suppliers,” Agha advises.
Firms can access resources to help them improve resilience via organisations such as the NCSC, which provides free tools and advice. “Businesses can review those to ensure they have the cybersecurity basics covered,” says Hargraves, adding that the recently-introduced UK Cyber Security and Resilience Bill “introduces stricter obligations with regards to incident reporting and supplier security, so businesses must be well prepared for any regulatory changes”.
Incident Response Plans
Having a decent incident response plan will add further resilience to ensure you are ready when a cyber-attack hits. As the NCSC recommends, an offline incident response plan can ensure that critical stakeholders “have important information to hand,” even if there is “a catastrophic failure of information systems” – such as might occur in a full ransomware attack, says Moore.
“Important information like roles and responsibilities, critical processes, escalation paths and decision flows can be easily accessible to even non-technical stakeholders when the worst happens,” she explains. “That clarity means you can get on with managing the incident rather than wrestling with logistics.”
The plan needs to be agreed upon and acknowledged by everyone in the business, including senior personnel. All firms should start treating cybersecurity as “a board-level priority,” says Hargraves. “It takes investment as well as a cultural change to improve business resilience.”
Invest in leadership and culture, Agha reiterated. “Cyber resilience must be owned at the board level, with executives championing regular, realistic simulation exercises that move plans from paper to muscle memory.”
Practice is important to ensure firms get it right on the day. A playbook tested under stress “always beats a polished PDF,” says Andy Green, partner at Avella Security. “The organisations that practise their response are more likely to survive disruption; the ones that don’t will learn the hard way.”
A key strategy for businesses is to plan to operate an incident with limited or no IT resources, says Derbyshire. As part of this, he advises asking: “How would we cope without email, collaboration software, access to shared files? How would this impinge on our ability to contact customers and suppliers, and try and deal with the incident?
“While these are all rhetorical questions, businesses need to run practice scenarios to determine the impact of an event, and refine their plans accordingly – including where they are stored.”




