About the client

Our client is a central UK government department responsible for national security and business resilience. They engaged Hero to support a high-profile project focused on auditing the FTSE 250 in relation to cyber risk at a senior level.

The challenge

The department required a secure system to enable third parties to collect sensitive data from end users anonymously. The solution had to:

• Ensure anonymity of respondents, with only the designated third-party able to trace original submissions.
• Enable consistent benchmarking across multiple years, so that trends and improvements in cyber risk could be measured over time.
• Provide layered access so each third-party could only see data at the appropriate level.
• Deliver complex reporting that could inform government assessments of the FTSE 250’s resilience.

The solution

Hero designed and built a secure, bespoke platform to meet these unique requirements:

• Secure data hosting: ensuring that sensitive data is collected, stored and managed in compliance with strict government security protocols.
• Anonymised collection: processes have been implemented to guarantee that user submissions remain anonymous, visible only to the third-party responsible for their collection.
• Controlled access: permissions and data segregation mean that third-parties only access data at their authorised level.
• Advanced reporting: the system generates aggregated, anonymised reports, including year-on-year benchmarking, summaries and detailed conclusions about cyber risk improvements across the FTSE 250.

The impact

• Collection and analysis of highly sensitive cyber rich data has been enabled, without compromising anonymity.
• Multi-year benchmarking data has been provided, that has informed policy and strengthened the UK’s cyber resilience strategy.
• Reporting processes have been streamlined, delivering insights at both a granular and strategic level.
• Confidence has been built among FTSE 250 participants by ensuring anonymity and secure handling of their data.
• Independent verification: The system was formally tested and verified by government security teams, confirming it met the highest level of security acceptable and presented no cyber risks.