A Guide to Selling Cyber Security Solutions to The Public Sector

The National Crime Agency (NCA) warns cyber crime is rising in scale and complexity. Cyber attacks are a growing challenge, with annual losses to fraud and cyber crime in the UK now totalling over £3 billion, according to a report by Comparitech.

Now, malicious actors are increasing their interest in government and public organisations – the National Audit Office reports that 40% of cyber security incidents in 2020-21 affected the public sector.

Building a cyber-resilient public sector has become a huge priority for the UK government, and essential to its success will be how well it collaborates with the private sector.

Public sector cyber security is a growing market, and today’s landscape provides an opportune time to sell cyber security solutions to the government, the NHS, and public sector organisations.

Our mini guide explains how.

The public sector cyber security landscape

A few factors are fuelling a hotbed for cyber crime in the public sector.

Firstly, technology is advancing at such a rapid pace that it brings with it new cyber risks. AI and machine learning are mostly forces for good, but they also increase the frequency, speed, and efficiency of cyber-attacks. Furthermore, the NCA warns that off-the-shelf tools enable criminals with relatively little IT knowledge to commit cyber crimes they couldn’t have before.

The pandemic also opened opportunities for cyber crime. Like businesses, public sector organisations began to operate some of their services virtually, with many staff working remotely. This rapid change of systems and the increased attack surface were a magnet for cybercriminals.

The government and public sector also contract out a lot of IT work, which makes them increasingly dependent on the security of their partners and suppliers.

Another challenge comes from a talent shortage in the cyber security field, an issue recently reported by Cybersecurity Dive. The available potential workforce isn’t keeping pace with demand. Significantly, cyber security specialists are paid more in the private sector, so talent may be less attracted to public service roles.

The nature of cyber security threats is also changing. Gartner’s predictions for 2023 reveal that “by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” Moving forward, there needs to be an increasing focus on security, education, and awareness.

Catching cyber criminals is another challenge; the dark web economy provides a cloak, meaning many go undetected. In addition, cyber criminals and the technical infrastructure they use are often based overseas. This makes international collaboration essential.

Compared to private sector businesses, the government has unique challenges – cyber criminals who target the public sector aren’t committing ransomware attacks to make money. Instead, government hacks are much more calculated and often politically motivated (a prime example is the Clinton email hacking scandal in the US).

The public sector is becoming a popular target, and it faces significant challenges to achieve cyber resilience, which the government seeks to address in its Cyber Security Strategy: 2022 to 2030 policy paper. A further £37.8 million of additional funding (on top of the £2.6 billion already being invested in cyber and legacy IT) is being allocated to support these aims.

For businesses providing cyber security solutions, the opportunities are immense. As cyber criminals use more sophisticated tactics and methods, cyber security has become big business for public and private sectors alike – a survey by McKinsey reveals a $2 trillion global market opportunity for cyber security technology and service providers.

What are the different types of cyber crime?

Cyber crime comes in many forms, from viruses, hacking, and data breaches to identity theft, phishing, DoS (denial of service), scams, ransomware, and malware attacks. These crimes can involve stealing sensitive information, like passwords and personal data, or hijacking whole computer systems and disrupting business operations.

What does cyber security mean to the public sector?

Cyber security in the public sector involves developing readiness and critical capabilities to keep all data, digital assets, and infrastructure safe. This involves:

  • Continual improvement of threat awareness

  • Robust cyber protection across all locations (including remote working) across a wide range of public sector bodies

  • Accelerated detection to identify attacks as soon as there is a compromise

  • Minimising delays when there is an attack to mitigate disruption to services

The government’s cyber security strategy is based on two main pillars and has five key objectives. The pillars are to:

  • Build cyber security resilience; and

  • Defend as one

The objectives are to:

  1. Manage cyber security risk

  2. Protect against cyber attack

  3. Detect cyber security events

  4. Minimise the impact of cyber security incidents

  5. Develop the right cyber security skills, knowledge, and culture

Two core aims of the government’s Cyber Security Strategy, outlined by Steve Barclay MP (currently Health Secretary, but then Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office) are to “strengthen our hand in technologies that are critical to cyber; second, that we should limit our reliance on individual suppliers or technologies which are developed under regimes that do not share our values.

“UK science and technology will be the engine room of this change.”

How does the government buy its cyber security? 

Public sector procurement is subject to a legal framework to ensure free and open competition, provide value for money, and keep it in line with internationally and nationally agreed obligations and regulations.

The Crown Commercial Service (CCS) currently provides most commercial and procurement services to the public sector. You can familiarise yourself with CCS guidance here. The most relevant procurement channel for suppliers selling cyber security solutions is the Digital Marketplace.

Other procurement channels, which depend on the value of the contract and what is being sold, include Contracts Finder and Find a Tender. If the procurement value is less than £10,000, local councils can also award contracts directly to suppliers without putting them out to tender.

The Procurement Bill, which will reform the existing Procurement Rules, is currently going through due Parliamentary process. The new simplified public procurement system should come into effect sometime in 2024. Read more in our guide to public sector procurement 2023.

Cyber security in healthcare

Technology is transforming how people access and receive health and care services. As a result, cyber security is critical in healthcare to protect from cyber threats, keep sensitive data secure and ensure people can continue to access the healthcare information and the services they need.

The Lancet reports the main challenges of cyber security in the NHS as follows:

  • navigating accountability

  • a lack of clearly defined responsibilities and security preparedness

  • the highly inconsistent and heterogeneous nature of the NHS IT landscape

  • under-investment in healthcare IT

  • a high risk of human error due to a lack of training

Cyber security in schools 

Cyber attacks in education are ramping up. According to Infosecurity Magazine, over three-quarters of schools have experienced at least one type of cyber incident.

In schools, there is more than just the issue of protecting systems and data; there is the additional task of educating children about staying safe online.

The Department for Education’s manual on meeting digital and technology standards in schools and colleges is a good starting point for understanding school cyber security requirements.

Cyber security in central government 

Under a new cyber security regime known as GovAssure, all government departments and a select number of arm’s length bodies will review their cyber security under revised and more stringent measures. The Cabinet Office’s Government Security Group (GSG) will run the new scheme, with input from the National Cyber Security Centre (NCSC). It is designed to protect the UK government’s IT systems from growing cyber threats.

Fundamental changes in the way the government protects itself from cyber threats will include:

  • Using NCSC’s Cyber Assessment Framework (CAF) to review the assurance measures all government departments have

  • Departments will also be assessed by third parties to increase standardisation and validate results

  • Centralised cyber security policy and guidance to help government organisations identify best practices

Where to meet cyber security buyers? 

To sell cyber security solutions to the public sector, it is critical to understand your target market. The best way to do this is to get in front of public sector buyers, as this will increase your understanding of the challenges they are seeking to solve.

Attending public sector events is your best way in. There are a few good reasons why. Let’s take GovNet’s events as an example. These established events provide opportunities to highlight your brand, generate high-quality leads and build lasting ties with relevant specialists.

Bespoke events span various sectors, including Education, Healthcare, Technology, Fraud, and Justice. The events are an excellent opportunity to connect with key industry figures and check out the competition. Partnering with GovNet also gets you in front of the most significant public sector buyers via pre-booked 1-2-1 meetings.

To sell to the public sector, you must understand specific quirks. Here are some insights into how the NHS, schools, and central government procure goods and services.

How to sell to schools

Schools run much more like businesses these days, but there are still some unique procurement hurdles to navigate. Most public sector schools and academies buy goods and services via the government’s framework agreement. In addition, they can also get bids or quotes from external suppliers or run a Public Contracts Regulations (PCR) compliant buying process.

Read more about how to sell into schools here.

How to sell to hospitals

NHS procurement is incredibly complex; five main routes exist for selling into the UK’s public healthcare system. These are:

  • selling directly to trusts or primary care organisations

  • selling through the new NHS Supply Chain

  • selling through collaborative purchasing arrangements

  • via national framework collaborations and contracts

  • through government tenders and contracts

Read our in-depth guide on how to successfully sell into the NHS here.

How to sell to central government

Until the new procurement rules come into play next year, the channels for selling to central government largely depend on how much a contract is worth. The categories are:

  • Less than £10,000

  • Between £10,000 and £118,000

  • More than £118,000

Find out everything you need to know about selling to central government here.

Find out more about selling on the government’s Digital Marketplace here.

How to take advantage of the current public sector cyber security strategy

New and enhanced cyber security measures are being introduced. Key challenges revolve around legacy IT and data issues and aligning disparate central and arm’s-length bodies to focus on a cohesive strategy. The government will rely on partnerships with industry to strengthen its resilience.

Cyber security businesses have an essential role to play. But they will need to understand the cyber security procurement process and demonstrate that they know specific public sector needs (this will involve identifying potential risks, analysing current security measures, and understanding goals).

Demonstrating a clear ROI is essential, as value is crucial in assessing public sector suppliers. In addition, it is necessary to demonstrate compliance with regulations and illustrate how cyber security can add value, such as minimising downtime and improving productivity.

Above all, firms must show that they can protect against a wide range of threats. A robust cyber security product portfolio is essential. This may include endpoint protection, threat intelligence, incident response, and managed services.

To get in front of public sector cyber security buyers, find out more about GovNet’s events here.