What Happens When Technology Fails?
In July 2023, passengers across the globe were stunned to find that, in the age of smartphones and digital convenience, they were suddenly handed handwritten boarding passes. Among them was Anthony Bosman, an academic at Andrews University in Michigan, who discovered he couldn’t download his mobile boarding pass while attempting to fly from Michigan to Florida. What followed was an unexpected return to older methods.
“It felt like a blast from the past,” recalls Bosman. Forced to check in manually at the airport, he watched an airline employee search for his name on a paper list before writing out his boarding pass by hand. “The ticket agent commented that her hand was tired from having to write so many of them,” he adds.
This experience was not isolated. Passengers in various countries, including India, encountered the same throwback to the past. The reason? A bug in the CrowdStrike security software had disrupted critical systems in banks, telecoms firms, health services, and online retailers globally. The disruption caused widespread chaos, leading organizations to revert to manual processes—a practice some companies are now beginning to prepare for actively.
How Did a Bug Bring Businesses to Their Knees?
The CrowdStrike bug underscored a harsh reality: digital systems, no matter how sophisticated, can fail. That week, a senior executive at CrowdStrike appeared before the U.S. Congress to apologize for the chaos the bug caused. For a brief time, many organizations had to abandon their tech-based processes and embrace the traditional pen-and-paper methods.
History shows this isn’t the first time systems have gone down. Past cyber-attacks and IT failures have also left companies in disarray. British general practitioners, staff at foreign exchange firms, medics at hospitals in France, and employees of local councils have all experienced similar outages, being forced to “go back to pen and paper” to keep operations running.
Although such incidents may seem rare, they have highlighted the need for companies to prepare for potential IT disruptions. Some cybersecurity experts now recommend that businesses integrate paper-based systems into their disaster recovery plans, not just as a temporary workaround but as a practical solution.
What Can We Learn from Norsk Hydro’s Experience?
One company that has experienced the value of going offline is Norsk Hydro, a Norwegian aluminum and renewable energy firm. In 2019, a ransomware attack locked staff out of over 20,000 computers, affecting 35,000 employees in 40 countries. Despite the scale of the attack, Hydro’s leadership made a crucial decision: they refused to pay the ransom. Staff had to find alternative ways to work and continue production.
“They dug old binders out of basements with instructions on how to produce particular aluminum products,” recalls a spokesperson for Hydro. By sheer luck, some locations had printed out order requests just before the ransomware hit. “Their creativity… was tremendous,” he adds.
While digital systems were locked, factory equipment remained unaffected. Employees worked with local retailers to purchase computers and printers so they could print out important information. In some facilities, staff even dusted off old fax machines to ensure operations could continue.
“You need to do what you need to do,” says the spokesperson. While production did fall by up to 50% at certain plants, the creative workarounds helped keep the business afloat. Reflecting on the experience, the spokesperson suggests that companies should keep printed copies of essential information, such as internal phone numbers and work checklists, to ensure some level of continuity during a cyber-attack.
Why Are Disaster Recovery Plans So Important?
A resilience director at a disaster recovery and business continuity firm agrees with this advice. His company works with businesses to prepare for such disruptions. He notes how one industrial distribution firm client took an innovative approach to disaster recovery by creating “disaster recovery packs” for each branch.
“These packs include paper forms and a fax machine, a contingency in case their digital ordering system becomes unavailable,” he explains. The packs are a critical backup plan to ensure the business doesn’t halt when digital systems fail.
He also recommends that companies schedule training days when employees practice using pen-and-paper alternatives—such as flipcharts and whiteboards—to familiarize themselves with non-digital methods. This way, staff can continue working efficiently during IT outages.
Is Simplicity the Key to Security?
In some industries, paper-based processes are implemented not just as a backup but as a security measure. For instance, parts of the U.S. court system require that certain documents be filed on paper or stored on secure devices, such as encrypted USB drives.
However, only some sectors can transition to paper during a disruption. “If bankers lose access to their trading terminals during an IT incident, they can’t easily switch to paper-based alternatives,” he notes. Pen-and-paper systems are slow and difficult to scale across large operations.
Nevertheless, a cybersecurity expert emphasizes that practicing workarounds is still beneficial. Research has discovered that companies that conducted IT failure role-play exercises shortly before experiencing a real cyber-attack “benefitted” from the practice.
What Are Other Creative Workarounds for IT Failures?
There are other alternatives for companies that can only partially depend on paper-based solutions. The expert points to one firm that, after a cyber-incident, purchased crates of Chromebooks for staff so they could continue working without needing access to the company’s network. Similarly, some organizations use backup communication systems, such as dormant WhatsApp or Signal messaging groups, to communicate internally if email servers fail.
The expert and the resilience director stress the importance of maintaining off-site or segregated data backups. These backups ensure crucial information is not permanently lost in a ransomware attack.
How Can Companies Prepare for the Inevitable?
The CEO of a data backup firm based in Florida echoes the need for robust disaster recovery strategies. Her company provides cloud-based and on-site backup solutions, offering clients a separate network to ensure data can be retrieved even if the central system is compromised. “We have had a 100% ransomware recovery rate thus far,” she says.
She highlights one case in which a client had to use a Verizon MiFi—a mobile broadband router—to access backup data after their main network was shut down during a cyber-incident.
“The lesson here is simple,” she concludes. “You should expect, at some point, to be a victim of a cyber-attack. What do you do in the meantime? How do you keep the wheels turning?”
Conclusion: How Should Businesses Approach Cyber-Preparedness?
Despite the sophistication of modern computer systems, simple, improvised workarounds used during a crisis can make the difference between business survival and collapse. As cyber-attacks become more frequent, companies must be prepared to switch to alternative methods—digging out the fax machines, stocking Chromebooks, or reverting to pen and paper.