Analysis: Public sector cyber contracts have doubled since Covid

Procurement records show 250 deals being signed each year, including engagements to support incident response and promote security-aware culture
Photo: TheDigitalWay/Pixabay

By Sam Trendall

22 Jun 2023

Government procurement records indicate that the number of cyber-related contracts being awarded by public bodies has more than doubled since the start of the pandemic.

Assessment of data on government’s Contracts Finder online database finds that, during the 2019 calendar year, public sector entities signed 118 commercial engagements featuring the word ‘cyber’ in the contract title or service description. This represented an increase of 30 on the 88 deals awarded in the preceding year – and nearly double the 62 such contracts recorded in 2017.

The 250 cybersecurity-centric contracts now being signed by public bodies each year is more than double the numbers posted prior to the pandemic.

The number of cyber-related agreements continued to rise in 2020 – during which the coronavirus crisis struck in the early weeks of the year – growing to 167. 

In both 2021 and 2022, the volume of cyber deals accelerated again, coming in at 253 and 248, respectively.

The 250 cybersecurity-centric contracts now being signed by public bodies each year is more than double the numbers posted prior to the pandemic.

PublicTechnology’s analysis of government procurement data comes two weeks ahead of its annual Cyber Security Conference on 4 July – a free-to-attend one-day event in London which features exclusive insights from senior security leaders representing the likes of the Ministry of Justice, Cabinet Office, the National Crime Agency and Transport for Greater Manchester.

Among the deals signed in 2022 were numerous contracts awarded by the Ministry of Defence, including two worth about £1.5m each and intended to address the ‘ABCs’ of cyber across the defence sector: awareness; behaviour; and culture. The ultimate objective of these commercial agreements was to “increase cyber awareness and improve cyber hygiene” throughout the ranks of defence and military personnel.

The Department of Health and Social Care signed a six-figure deal to access “cyber threat intelligence” on the security risks facing the rollout of the coronavirus vaccine across the UK.

The growing and often unpredictable need for security skills, meanwhile, was demonstrated last year by the Cabinet Office’s implementation of two agreements with commercial partners to provide “surge capacity”, if and when needed, to support the organisation’s internal cyber team.

The Cabinet Office is also home to the Government Security Red Team – the role of which is operate throughout the civil service and help test departmental defences by mimicking potential threats through exercises such as penetration testing.

As exclusively revealed by PublicTechnology, the unit last year signed a six-month contract in which a specialist supplier was tasked with targeting three – unnamed – central government departments with hostile digital and in-person reconnaissance and attempting to exploit any vulnerabilities found. The findings of these activities were then be presented back to the department in question and to security officials at the Cabinet Office.

The ever-present threat of successful attacks was evidenced in 2022 by the number of public bodies retaining firms to provide support with “incident response”, as required. Preparatory deals of this nature were awarded by the likes of the Ministry of Justice, Department for Education, the Information Commissioner’s Office, and the then Department for Business, Energy and Industrial Strategy, as well as by local authorities representing areas including Sunderland, Doncaster, and Essex.

BEIS was also at the forefront of significant cyber procurement activity at the start of the current year when, alongside the Home Office, it become one of the first departments to go through the government’s new regime of independent cyber-resilience audits – dubbed GovAssure.

The initiative, which was first trailed in January 2022 in the Government Cyber Security Strategy and was formally launched in April, will require all Whitehall departments and some arm’s-length bodies to undergo external assessments of their cyber posture once a year. 

The PublicTechnology Cyber Security Conference – which is open only to public-sector delegates – will gather together cyber and information security professionals from across public services. Beginning with a keynote from Ministry of Justice security chief Amie Alekna, discussing how engage the entirety of an incredibly diverse and dispersed workforce in their cyber responsibilities, the programme also features exclusive presentations from senior leaders representing the Ministry of Defence, Oxford University, the City of London Police and the Government Security Group.

The free event also offers a full day of complimentary award-winning food and drink, and the chance to engage with peers from across the public sector. Find out more or register here for your free place.

Sam Trendall is the editor of PublicTechnology, CSW's sister publication, where this story first appeared

Read the most recent articles written by Sam Trendall - The best medicine: How the MHRA is embracing AI as a way to protect and prosper

Share this page