Government Work? Check This First.
What I wish I'd known before I found the perfect contract
I still remember the exact moment.
Sitting at my desk, cup of tea going cold, reading through a government tender that was absolutely perfect for us. Right in our wheelhouse. Exactly what we do. The kind of steady, reliable work that could transform a struggling small business into a thriving one.
I was nodding along, mentally ticking boxes, already imagining telling the team we'd finally caught a break.
Then I hit page fourteen.
"Suppliers must hold current Cyber Essentials certification."
I didn't know what that meant. I had to Google it. At 11pm. With a growing sense of dread.
That was the night everything nearly fell apart - and the night everything started to change.
The Requirements Nobody Mentions
Here's what I've learned since: government contracts come with tech requirements that most small businesses have never heard of. They're buried in the tender documents, treated as assumed knowledge, and they will disqualify you instantly if you don't have them.
Nobody warns you. Nobody sends a helpful checklist. You find out when you're already excited, already invested, already telling your partner this could be the one.
Let me save you that midnight panic.
Cyber Essentials
This is the big one. If you're bidding for any government contract involving sensitive information - and most of them do - you'll need Cyber Essentials certification.
It's a government-backed scheme proving you have basic cyber security controls in place. Firewalls. Password policies. Access management. Software updates. The fundamentals.
Two years ago, I didn't know any of this existed. Now I'm a consultant helping other businesses get certified. That's how important it turned out to be.
What you need to know:
- It's achievable for small businesses. We did it with three laptops and no IT department.
- It takes weeks, not months. We managed it in six.
- It costs hundreds, not thousands. Some providers offer it for as little as twenty quid a month.
- Start now, not when you find a contract. You can't rush this at tender deadline.
Cyber Essentials Plus
Some contracts require the enhanced version. Same principles, but independently verified. Someone actually tests your systems rather than taking your word for it.
It costs more and takes longer. If you're serious about government work, plan for this eventually. But basic Cyber Essentials will get you through most doors initially.
Insurance Levels
This one nearly killed us too.
Government contracts typically require specific levels of liability insurance. Professional indemnity. Public liability. Sometimes cyber insurance. The amounts are usually higher than what a small business carries by default.
When times were tight, I'd cut our insurance back to the legal minimum. Saved us money. Also nearly locked us out of the best opportunity we'd ever had.
What you need to know:
- Check the insurance requirements before you get excited about the contract value.
- Talk to your broker early. Increasing cover takes time and underwriting.
- Factor the insurance cost into your bid. It's a real expense.
- Some contracts are flexible on exact levels. Some aren't. Read carefully.
Data Protection
If you'll be handling any personal data - names, addresses, contact details - you need to demonstrate GDPR compliance. This isn't just about having a privacy policy on your website.
You might need:
- A documented data protection policy
- Evidence of staff training
- Clear data processing agreements
- Sometimes a named Data Protection Officer
For small businesses, this can feel like overkill. But government takes it seriously. If you can't evidence your compliance, you won't win the work.
IT Policies and Documentation
Here's one that surprised me: many tenders ask for documented IT policies. Not just "do you do this?" but "show us the written policy."
Password policies. Acceptable use policies. Incident response plans. Backup procedures.
We had none of this written down. We did most of it instinctively - Kev knew not to click on dodgy emails, Sandra backed up the accounts regularly - but none of it was documented.
What you need to know:
- Start documenting what you already do. It's often less work than you think.
- Templates exist. You don't need to write from scratch.
- Keep policies simple and realistic. Don't promise things you can't deliver.
- Review them annually. Out-of-date policies are worse than no policies.
Supply Chain Requirements
This one catches people off guard. It's not just about your security - it's about everyone you work with.
Government contracts increasingly ask about your supply chain. Who are your subcontractors? What's their security posture? Can you evidence that they meet basic standards?
If you rely on third parties for any part of your delivery, you need to know their security status. And you need to be able to prove it.
The Timeline Trap
Here's the brutal truth: you cannot fix these things at tender deadline.
Cyber Essentials takes weeks. Insurance changes take time to arrange and underwrite. Policies need to be written, implemented, and evidenced. Staff need to be trained.
If you wait until you see the perfect contract, you've already lost it.
What you need to know:
- Get Cyber Essentials certified now, before you need it.
- Review your insurance levels this month.
- Start documenting your policies this week.
- Treat this as ongoing readiness, not last-minute scrambling.
The Checklist I Wish I'd Had
Before you get excited about a government tender, check for:
- [ ] Cyber Essentials requirement (basic or Plus)
- [ ] Specific insurance levels (professional indemnity, public liability, cyber)
- [ ] Data protection compliance requirements
- [ ] Documented IT policies required
- [ ] Supply chain security requirements
- [ ] Any specific certifications (ISO 27001, etc.)
- [ ] Security clearance requirements for staff
If you can't tick these boxes, you can't win the work. Better to know now than at page fourteen.
What Happened To Us
We got certified. We sorted the insurance. We documented everything. We won the contract.
That government work transformed our business. Steady income. Credibility. A foundation to build on.
But it so nearly didn't happen. If I'd given up that night at page fourteen - and I came close - none of this would exist. No IT department. No consultancy work. No blog posts.
The requirements that nearly stopped us became the requirements that made us better.
Start Before You Need To
That's my message. That's why I'm writing this.
Somewhere out there, there's a small business owner who hasn't seen the perfect contract yet. It's coming. Maybe next month, maybe next year. And when it arrives, they'll either be ready or they won't.
Get ready now.
Check your certification status. Review your insurance. Document your policies. Build the foundation before you need to stand on it.
The hidden requirements aren't trying to exclude you. They're just... hidden. Now you know where to look.
Go find them. Tick the boxes. Be ready.
The contract that changes everything might be closer than you think.
Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. He keeps a copy of that original tender document in his desk drawer. Page fourteen is highlighted. As a reminder.