LimitedView
Healthcare | East Midlands, UK | 1,200 employees | 3 months programme

NHS-Aligned Trust Achieves 3.2x Engagement Surge After Ransomware Incident

3.2× increase in voluntary module completion

After a ransomware variant disrupted clinical systems for 72 hours, this NHS-aligned trust replaced annual DSPT compliance training with incident-triggered delivery. Voluntary module completion rose from 23% to 74% in the first quarter.

The Challenge

The trust had been managing its annual Data Security and Protection Toolkit compliance obligations through a third-party training platform used by a large proportion of NHS organisations. Mandatory completion rates were high because mandatory completion rates had to be high. The DSPT requires documented evidence of staff training, and the trust's information governance team had the systems in place to enforce it.

What the DSPT completion rate did not measure was whether staff had retained any of the content, or whether the training was influencing their behaviour at the point where it mattered.

The answer became clear during a ransomware incident that encrypted a portion of the trust's administrative systems over a weekend in late autumn. The variant deployed was not novel. It had been circulating in the NHS supply chain for approximately eight weeks prior to the trust's compromise, and NCSC had published a sector-specific advisory fourteen days before the incident. The initial infection vector was a phishing email opened on a Friday afternoon.

The trust's incident response team contained the spread within twelve hours. Clinical systems were not affected. Elective scheduling was disrupted for three days. Administrative recovery took eleven days. No patient data was confirmed as exfiltrated, though the forensic review could not rule out data access during the initial dwell period.

The trust's information governance lead noted that several members of staff who had completed the annual DSPT training within the previous six months had difficulty recalling what the correct escalation procedure was when the incident was unfolding. The training said what to do. In the moment, with systems unavailable and clinical staff asking questions, the trained response was not accessible.

The trust had also monitored voluntary engagement with optional training content over the previous twelve months. Of the eleven optional security awareness modules made available to staff, average voluntary completion sat at 23%. The mandatory DSPT modules achieved the required completion rates because they were mandatory, tracked, and tied to the trust's CQC compliance documentation. The optional content was largely ignored.

The board-level review following the incident identified training engagement as one of three areas for improvement. The trust approached LimitedView two weeks after the incident was resolved.

The Approach

The engagement began with the trust's information governance team and the IT security manager who had led the incident response. The focus was on understanding what the trust needed that the DSPT framework was not providing, without compromising the compliance obligations the framework created.

The design principle was additive rather than replacement. The DSPT requirements remained in place and the trust continued to meet them through the existing platform. LimitedView's role was to build the engagement layer that sits alongside compliance documentation — the training that staff actually absorb rather than the training that produces certificates.

The first triggered module was deployed within forty-eight hours of the incident being formally closed. The timing was deliberate: the incident was still recent enough that every member of staff had a direct emotional connection to it, but the immediate crisis had resolved enough that attention was available for learning rather than recovery.

The module covered the specific attack pattern. The trust's IT team had reconstructed the infection chain from the forensic review: the initial phishing email, the characteristics that distinguished it from legitimate correspondence, the steps that followed the initial click, and the controls that had partially limited the spread. The module translated this into staff-accessible language, with the escalation procedure embedded directly in the relevant scenario rather than presented as a standalone list.

Deployment went through the trust's existing intranet and the communication channel used for mandatory DSPT reminders. Staff received a notification framing the module as a direct follow-up to the incident they had just experienced.

Completion within the first week reached 74% without a single manager chase. No completion incentives were offered. No consequences for non-completion were stated.

The information governance team had not seen a first-week voluntary completion rate above 23% in the previous eighteen months.

Over the following three months, LimitedView delivered two further triggered modules. One was reactive: a second phishing attempt was identified and blocked, and a lightweight recognition module was deployed to the affected department. The second was sector-triggered: NCSC issued a further alert regarding NHS-targeting ransomware variants, which activated a broader awareness prompt to the full staff population.

The trust also worked with LimitedView to integrate a simplified reporting pathway into the triggered content. Previous optional training had mentioned the reporting email address. The triggered modules made reporting a one-action step within the content flow.

The Results

Three months after the initial deployment, the trust's information governance team ran a completion and engagement analysis.

Voluntary module completion — the metric that had sat at 23% before the incident — reached 74% in the first quarter of the triggered programme. That is a 3.2 times increase on the baseline.

The 74% figure is notable in context. It was achieved for content that remained optional. No completion was mandatory. No completion was tracked against individual performance reviews. Staff chose to engage because the content was relevant, immediate, and clearly connected to something that had happened to them and their colleagues.

The trust also tracked the reporting pathway uptake embedded in the triggered modules. In the three months following deployment, the number of phishing reports submitted through the simplified pathway was four times the number received in the equivalent prior period. The quality of reports also improved: staff included more specific details about the sender characteristics and content patterns, which the IT security team found operationally useful.

A 30-day retention assessment, conducted as an optional follow-up to the initial triggered module, was completed by 61% of staff who had taken the original module. Assessed recall of the key escalation procedure reached 71%.

The trust submitted a revised DSPT assessment in the period following the engagement. The information governance lead noted that the supplementary evidence of staff engagement, reporting behaviour, and assessed retention was the strongest supporting documentation the trust had produced for its training obligations.

What Changed

The information governance lead described the change in terms of the questions staff were asking. Before the incident, security training generated questions about when the deadline for completion was and how to access the platform on mobile devices. After the triggered programme launched, staff were asking whether the phishing example in the module was the same email that had caused the incident, and whether they should report similar emails they had received in the past but not mentioned.

That shift in the nature of the questions is a reasonable proxy for genuine engagement versus compliance behaviour. Staff were connecting the training to their working environment rather than treating it as a box to tick before the deadline.

The IT security manager also noted a change in how incidents were discussed internally. The ransomware event had previously been treated with some defensiveness — something that happened to the trust, unfortunate, handled. The triggered training reframed it as a learning event in real time. Staff who completed the module understood what had happened, understood their role in the response, and understood what to do next time. That institutional knowledge had not existed in the period when annual DSPT training was the only mechanism for building it.
