The Importance of Cyber Security in Securing Government Contracts

The government has prioritised digital transformation across local and central government departments. This is an exceptionally good idea because the benefits are myriad. However, it also comes with myriad risks, which means that cyber security in government contracts is also a priority.

The reason is simple: government departments deal with a lot of highly sensitive data related to government activities, civil servants’ personal data, private citizens’ data, public services, and confidential information related to defence, ICT, and health. It’s essential to protect this data from all types of cyber threats, including malicious cyber actors.

It’s not just government bodies that have to implement stringent cyber security controls. Suppliers in the public sector must meet the same security standards if they want to win public procurement contracts.

This includes obtaining certification to prove certain levels of cyber security before they can even think of bidding on contracts. We’re going to look at some certification options, as well as cyber security risks, security measures, and staying abreast of developments in cyber security technology.

Cyber Essentials Certification

Cyber Essentials is a government-backed certification that’s mandatory in many vulnerable public sector bodies. It’s based on self-assessment and protects against the most common cyber attacks. The assessment is verified by an independent Certification Body to ensure cyber security standards are met.

Cyber Essentials Plus is a step up the security ladder. A hands-on technical verification ensures the accuracy and quality of the self-assessment.

SMEs and other businesses new to public procurement and that aren’t familiar with government-level cyber security can use the Cyber Essentials readiness toolkit. The kit provides an action plan that helps suppliers develop a cyber security strategy that meets certification requirements.

Cyber Essentials and Cyber Essentials Plus certification must be renewed every 12 months.

Alternative Certification Options

Cyber Essentials is strongly recommended for all public sector suppliers, but other options also comply with the government cyber security strategy.

For example:

ISO 27001 is an internationally recognised cyber security standard. However, it doesn’t cover some of the areas included in Cyber Essentials. Buyers and suppliers must have both certifications – or have other equivalent cyber security measures in place.

Protection Required

Public sector organisations and their suppliers must use at least six types of protection against cyber threats.

1) Data security

Protection for the volumes of sensitive data in government hands, including citizens’ data and classified information. Security must protect against cyber threats like data breaches and ransomware.

2) Cloud security

More and more government business is conducted in the cloud. However, the cloud presents unique cyber security risks, for example, unauthorised access by third parties.

3) Network security

Network security is the first line of defence against cyber attacks. Measures should include access control and damage control to limit what an attacker can reach should they find a way in.

4) Application security

Apps are ubiquitous. The problem is that apps present a cyber security risk and require tailored security solutions to prevent data breaches and cyber attacks.

5) Endpoint security

Endpoint security measures are an essential part of government cyber security. They are necessary for government-owned laptops and mobile devices that are vulnerable to attack. Protection measures must prevent and remediate malware infections and other risks.

6) Mobile security

Protection is specifically tailored to mobile devices, which are an attractive target for determined hackers and cyber criminals. Protection is required against mobile malware and smishing (phishing via SMS).

Inadequate Cyber Security & Related Risks

Cyber Essentials covers the most common cyber attacks but its effectiveness against more advanced threats is limited. This is why additional security measures are often recommended for contracts with particularly sensitive or confidential information.

Stakeholders must have a comprehensive cyber security strategy to cover all risks, including sophisticated cyber criminals, organised crime, and hacktivists.

Unfortunately, budgets are limited across government departments, making it difficult for public sector bodies to afford adequate protection. That’s why robust cyber security and cyber resilience are so important for suppliers. The more protection you can provide, the safer government data is, and the better your chances of winning contracts.

Compliance With The Government Cyber Security Strategy

There are several cyber security laws and regulations with which public sector organisations and suppliers must comply. Let’s take a look.

DPA (Data Protection Act 2018)

The primary law governing personal data processing in the UK. Compliance is mandatory. Non-compliance can result in a fine of up to £17.5 million or 4% of annual global turnover.

UK-GDPR (UK General Data Protection Regulation)

The UK-GDPR complements the DPA. Compliance is mandatory for all public and private sector organisations that collect, process, and store private and personal data. Non-compliance carries the same penalties as the DPA.

EU Cybersecurity Act

The Act applies to government organisations and suppliers involved with ICT products, services, and processes. One of the key components of the Cybersecurity Act is support for SMEs that must obtain the proper certifications to compete in the UK and EU markets.

Compliance is strongly recommended for ICT manufacturers, service providers, critical infrastructure operators, and public sector agencies. Non-compliance results in legal liabilities and loss of cyber security certifications. Critically, your reputation can be damaged to such an extent that you won’t be able to compete in the EU market.

Computer Misuse Act 1990

The Act is enforced alongside the DPA and UK-GDPR. Its primary purpose is prosecuting cyber criminals accused of unauthorised access, removing or tampering with data, and cyber attacks.

Compliance is mandatory. Non-compliance results in:

  • £5,000 fine or six months in prison for unauthorised access or malicious use of data.
  • Unlimited fine or five years in prison for intention to commit cyber crime.
  • Unlimited fine or five years in prison for modification, malicious tampering, removal, and data ransom.
  • Unlimited fine or 10 years in prison for complicity in and aiding computer misuse.

EU Artificial Intelligence Act

The Act governs the development, deployment, and use of AI technology. It includes regulation of high-risk AI, banning unacceptable AI, transparency, accountability, and support for SMEs.

Compliance is mandatory. Non-compliance results in significant fines and legal action.

PECR (Privacy and Electronic Communications Regulations)

PECR governs electronic communications networks and services in line with the DPA and UK-GDPR.

Compliance is mandatory and includes:

  • Informing customers and users that the site uses cookies.
  • Asking for consent to track cookies.
  • Explaining how long the cookies will be used.
  • Notifying the ICO and affected parties within 24 hours of detecting a data breach.

Note: The government intends to introduce a Cyber Security and Resilience Bill to bolster existing national cyber security and increase the security of infrastructure and digital services. The Bill will be introduced to Parliament in 2025.

Cyber Security is Non-Negotiable for SMEs in Public Procurement

According to a survey by KPMG, 86% of UK procurement managers said they would consider removing SMEs from their supplier list if inadequate cyber security led to data breaches.

86%!

There’s more. 70% said SMEs could do more to protect client data and 94% said that the quality of cyber security standards is vital in their decision to award contracts to SMEs.

94%!

Approximately 66% of procurement managers said that suppliers must demonstrate their cyber security accreditations.

Finally, 47% said that they already have clauses in their contracts that require suppliers to notify them if a breach or cyber attack occurs. A higher percentage of managers plan on adding similar clauses to their contracts.

Unfortunately, but understandably, buyers often terminate contracts where a data breach has occurred.

It boils down to this: Improving cyber security might be expensive for SMEs, but not developing a cyber security strategy is far more so.

SMEs must take it upon themselves to learn more about cyber risks, the consequences, and the solutions, including certifications available, like Cyber Essentials.

Tips for SMEs to Strengthen Cyber Security

SMEs are particularly vulnerable to cyber attacks. So it’s important that they adopt cyber security strategies that protect their own interests and make them more attractive to public sector organisations.

Here are five tips for SMEs to develop the right cyber security skills to meet government requirements:

  1. Protect critical assets: Identify mission-critical resources – the things that would sink your business in the event of a cyber security incident. Implement cyber security measures that protect them.
  2. Develop a what-if plan: What if X happens? How will you respond to limit damage and restore business continuity?
  3. Educate staff: Your staff must be able to identify cyber risks and take steps to avoid them. You should have a reporting system to help identify particularly vulnerable points and strengthen cyber security in those areas.

    Staff should also understand the risk they pose to the business, for instance, when they check work emails on their personal phones in a public Wi-Fi area. Creating awareness reduces cyber risks.

  4. Stay on top of trends: Just like fashion, trends in cyber attacks come and go. Take smishing, for example: it was still relatively new a few short years ago, and now it’s a trend that you and your staff must watch out for.
  5. Develop a recovery plan: In the interests of business continuity, you should have a disaster recovery plan that you can implement to keep operations rolling on, with as little disruption as possible.

Flaunt Your Cyber Security To Win Contracts

Once you’ve gone to the trouble to upgrade your cyber security strategy, you must make it pay for its keep. To do that, you need to win contracts, but first, you must find them.

Supply2Gov provides a free tender alert service using the biggest database in the UK. Simply register, choose your package, add your details and suitable contracts will wing their way to your inbox.

Supply2Gov also provides Cyber Essentials and Cyber Essentials Plus certification for SMEs and other business enterprises that need to develop cyber resilience in line with the national cyber security strategy. So, what are you waiting for?