Risk Ledger is securing the NHS Test and Trace programme from supply chain threats //14.07.21

Risk Ledger is a cyber startup that secures global supply chains. Having been through our fourth accelerator, it was chosen as one of the six companies to go through LORCA Ignite: a scaleup programme aimed at turbocharging the growth of our graduates.

One of the startup’s most recent new clients is the NHS: after a successful pilot Risk Ledger is now securing the NHS Test and Trace programme from supply chain vulnerabilities.

We spoke to co-founder and CEO Haydn Brooks to learn more about how Risk Ledger converted a pilot into a contract, and how it segments the market to target certain sectors.

How did the opportunity with the NHS come about?

Covid-19 has made information security and procurement leaders even more aware of the need to more actively manage security risks in the supply chain. As health services become more tech-enabled, there’s a greater risk of both data protection incidents and cyber attacks. Sensitive patient data is an alluring prize for bad actors, who can leverage data for financial gain or even espionage purposes.

Risk Ledger has been reaching out to important organisations in the UK economy – including NHS organisations – to share our insights on the supply chain cyber risks (and how our solution can address the challenges). The chief information security officer at NHS Test and Trace reached out to us at Risk Ledger to trial the platform.

The contract started as a pilot. What are some of the lessons you’ve learned about successfully delivering pilots previously?

We’ve reduced the length of pilots and we now trial our solution to meet a very clear and pre-defined objective. I think it’s really important to keep pilots as simple as you can. In general, if you can keep it to around two weeks with two success criteria, it’s more likely to lead onto something bigger. Whatever your software is, figure out a way to trial it on a small scale or on a single endpoint.

My team is very good at understanding what an organisation wants to achieve and building a pilot around the metrics the client cares about. It sounds straightforward but the client can often change their minds and move the goalposts, so it’s important to keep an eye on this.

Finally, make sure they actually have budget and would be in a position to buy if the pilot goes well. Otherwise you’re wasting your time, and the client’s time.

Is this the first time Risk Ledger is using its solution in a healthcare setting?

Yes, this is our first deployment in the healthcare industry and we’re now in talks with several NHS Trusts who are very interested in cutting the resources required to run a comprehensive, third-party cyber risk management programme.

We were able to do this because the Risk Ledger solution can work in multiple sectors. Our clients include companies like BAE AI, Schroder’s Personal Wealth, ASOS and 20% of the UK water market. This demonstrates our broad use cases.

What we’ve become better at doing now is figuring out which sectors react best to our value proposition. For example, we know that in healthcare, telecoms and financial services there are a lot of organisations that rely on their supply chain heavily and also have to comply with certain legislation. So even though our tech is relevant to many sectors, we’ve segmented the market to prioritise a select few.

What are some of the most common supply chain threats you see?

We have nearly 1000 organisations on the Risk Ledger platform sharing risk data with their clients, so we have a unique view into the cybersecurity risk controls being implemented across supply chains.

We’ve found that there’s a 10-20% minority of organisations that seem to lack many of the must-have risk controls in place to protect themselves and their clients from cyber attacks. For example, when we looked at IT operations and their risk controls across the supply chain ecosystem, we found that 20% of organisations knowingly use applications or systems that are no longer supported and don’t receive security updates. We also found that 26% of organisations don’t encrypt client data shared with them.

To learn more about Risk Ledger, read its company profile on our LORCA Ignite page.