Case study: NHS Test and Trace chooses Risk Ledger to secure supply chain
But NHS Test and Trace does not operate alone. To meet the greatest public health challenge we have seen in modern times, they have been working with and through valued partners across the country.
A supply chain of that magnitude needed a tool that could scale as quickly as their operations. So choosing Risk Ledger made perfect sense.
Why did they choose Risk Ledger?
“We had complex supply chains to manage and we were growing rapidly. At the same time, we weren’t just testing and producing results, we also had to develop a delivery network akin to Amazon to support all of that activity,” explains the NHS Test and Trace Cyber Security Risk and Assurance Team.
The team considered traditional options such as scanning tools, smart questionnaire platforms, assessment exchanges and spreadsheets. “But we had an eye to the future and limited resource to manage everything,” the NHS Test and Trace team says. “We wanted something automated and efficient that would scale quickly and could be applied to multiple use cases.”
How does Risk Ledger help?
NHS Test and Trace were able to quickly collect and analyse risk data from their supply chain – much faster than they ever thought possible. That meant they could hit the ground running on their mission to break chains of COVID-19 transmission to help people to return towards a more normal way of life.
NHS Test and Trace now have oversight of their supplier connections, not just at the first tier (third parties) but into the fourth, fifth and sixth. They are embedding Risk Ledger into their procurement processes so that all new suppliers are required to create a profile on the Risk Ledger platform. This gives NHS Test and Trace unparalleled visibility of supply chain risks in real time.
Biggest wins so far
A risk that would otherwise have been missed
Through the detailed control-based information on their Risk Ledger profile, NHS Test and Trace discovered that an essential supplier was vulnerable to a widescale, non-targeted malware attack.
NHS Test and Trace's security experts decided to work directly with the supplier, helping them to improve their defences and mitigate the risk. Through Risk Ledger, NHS Test and Trace avoided the extensive delays that would have resulted from having to source the product elsewhere, and strengthened their relationship with the supplier.
The supplier now has significantly improved security defences, reducing the risk of a serious incident for NHS Test and Trace, the supplier and all of their other clients.
Critical dependencies uncovered
Through supply chain visualisation on the Risk Ledger platform, NHS Test and Trace identified that one of their critical suppliers worked closely with two of their other suppliers. If one suffered an incident, the knock-on effect would mean all three suppliers being unable to provide their essential services. Having visibility of their supplier connections beyond just the first tier, they were alerted to the need for assessing the suppliers’ risk exposure in tandem.
To manage this risk, NHS Test and Trace increased the policy requirements on all three suppliers, helping them to improve their controls and meet the higher standards, providing better protection against loss of availability.
Now all three suppliers have improved their resilience; not only a win for them but also a huge benefit for NHS Test and Trace and the suppliers’ other clients.
“Risk Ledger provides us with a more holistic, real time view of our complex supply chain, helping to identify and remediate potential vulnerabilities and issues early. The direct chat function helps forge better relationships with suppliers and provides a seamless way to discuss security and remediation activities with relevant stakeholders in a timely and efficient manner. The ability to extract valuable management information and metrics helps to ensure continuous improvement of supply chain management, adding value for both the client and our suppliers. Having confidence in the management of supply chain risk through Risk Ledger allowed us to achieve a better security posture but with less demand and resource.”
David Malkin, Divisional Information Security Officer (DISO) for UKHSA.