The client is a care group operating residential care homes and supported living services across Nottinghamshire. Security had always been handled reactively - problems were fixed when they were noticed, but there was no formal baseline, no certifications, and no structured approach to improvement. The group needed both Cyber Essentials certification and DSPT compliance to meet the growing expectations of commissioners, insurers, and NHS data-sharing partners.
Service: Managed IT
Sector: Residential care, supported living
There was no visibility of the organisation's security posture. No baseline measurement, no regular review, and no framework for identifying what needed to improve or in what order. Individual security measures existed in pockets, but nobody had a consolidated view of where the organisation actually stood.
Microsoft Secure Score - a built-in tool that measures security configuration against best practice across identity, data, devices, and applications - had never been configured or reviewed. The organisation was paying for Microsoft 365 licensing that included advanced security tools, but many of those tools were either misconfigured or not turned on at all.
Cyber Essentials certification was increasingly required. Insurance providers were asking for it. Commissioners referenced it in tender requirements. Without it, the care group was at a disadvantage when competing for new placements and contracts.
The Data Security and Protection Toolkit (DSPT) was an even more pressing requirement. Any care provider that receives or shares data with NHS systems - referrals, discharge summaries, shared care records - must complete an annual DSPT submission demonstrating that they meet the NHS data security standards. The care group had never submitted one, which put existing data-sharing arrangements at risk and limited the organisation's ability to work with NHS partners.
Care workers were accessing sensitive resident data on mobile devices with no consistent security enforcement. Some devices had antivirus, some didn't. Some had encryption enabled, some didn't. There was no central visibility of which devices were compliant and which were not.
We started by establishing a security baseline using Microsoft Secure Score. The initial assessment revealed a score of 38%, with significant gaps in identity protection, device security, and data classification. This gave us a clear, measurable starting point and a prioritised list of improvements.
We built a remediation plan that tackled high-impact, low-effort items first: enabling endpoint detection and response in block mode, enforcing BitLocker encryption on all devices, deploying attack surface reduction rules, tightening Conditional Access policies, and verifying MFA coverage across every account. Each change was tested, documented, and communicated to care staff before it went live.
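The "high-impact, low-effort first" ordering above can be derived directly from Secure Score data. The following is an added example, not the care group's or the provider's own tooling: it assumes the record shapes of the Microsoft Graph secureScore and secureScoreControlProfile resources (currentScore, maxScore, controlScores, implementationCost, userImpact), and the snapshot, control names and point values are constructed to resemble the 38% baseline, not a real export.

```python
# Added example: rank Secure Score controls for remediation, high-impact / low-effort first.
# Assumed record shapes follow the Graph API's secureScore and secureScoreControlProfile
# resources; all values below are constructed sample data, not the client's real tenant.

# Ordinal weights for the implementationCost / userImpact labels Secure Score uses.
EFFORT = {"Low": 1, "Moderate": 2, "High": 3, "Unknown": 2}

# Constructed snapshot resembling the 38% baseline described above.
SECURE_SCORE = {
    "currentScore": 38.0,
    "maxScore": 100.0,
    "controlScores": [
        {"controlName": "MfaRegistration", "score": 0.0},
        {"controlName": "BitLockerEnabled", "score": 0.0},
        {"controlName": "EdrBlockMode", "score": 0.0},
        {"controlName": "AsrRules", "score": 2.0},
        {"controlName": "LegacyAuthBlocked", "score": 8.0},
    ],
}

# Constructed control profiles (points available and effort labels per control).
CONTROL_PROFILES = {
    "MfaRegistration": {"maxScore": 10, "implementationCost": "Low", "userImpact": "Moderate"},
    "BitLockerEnabled": {"maxScore": 7, "implementationCost": "Low", "userImpact": "Low"},
    "EdrBlockMode": {"maxScore": 5, "implementationCost": "Low", "userImpact": "Low"},
    "AsrRules": {"maxScore": 8, "implementationCost": "High", "userImpact": "Moderate"},
    "LegacyAuthBlocked": {"maxScore": 8, "implementationCost": "Low", "userImpact": "Low"},
}


def score_percent(snapshot):
    """Secure Score expressed as the percentage the portal displays."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def remediation_plan(snapshot, profiles):
    """Return (control, points_available, effort) for every control that is not fully
    implemented, ordered by points gained per unit of effort, highest first."""
    plan = []
    for cs in snapshot["controlScores"]:
        prof = profiles[cs["controlName"]]
        gap = prof["maxScore"] - cs["score"]
        if gap <= 0:
            continue  # already fully implemented, nothing to remediate
        effort = EFFORT[prof["implementationCost"]] + EFFORT[prof["userImpact"]]
        plan.append((cs["controlName"], gap, effort))
    plan.sort(key=lambda item: (-item[1] / item[2], item[0]))
    return plan


if __name__ == "__main__":
    print(f"Baseline Secure Score: {score_percent(SECURE_SCORE)}%")
    for name, gap, effort in remediation_plan(SECURE_SCORE, CONTROL_PROFILES):
        print(f"{name:20s} +{gap:.0f} points  effort {effort}")
```

Against a real tenant the same ranking would be fed from the Graph secureScores and secureScoreControlProfiles endpoints rather than the constructed dictionaries.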
Identity security was a major focus. We eliminated shared accounts that multiple care workers had been using, enforced sensible password policies, and implemented Conditional Access rules designed for a care workforce - accounting for staff who log in from multiple homes, use shared workstations, and access systems from personal devices when on call.
For Cyber Essentials, we addressed the five technical controls systematically: boundary firewalls and internet gateways, secure configuration of devices and software, user access control, malware protection, and security update management. Each control was documented with evidence ready for the certification assessment.
For the DSPT, we mapped every security control to the NHS data security standards, documented evidence for each of the ten assertions, and identified gaps that needed addressing before submission. We worked through these with the care group's management team, explaining each requirement in plain language and building processes that could be maintained year on year - not just for the initial submission. The DSPT is an annual obligation, so we designed the evidence-gathering to be repeatable rather than a one-off scramble.
Microsoft Secure Score improved from 38% to 74%, reflecting genuine improvements in device security, identity protection, and data handling across the organisation. That score is now reviewed quarterly as part of ongoing governance, with a clear pipeline of further improvements prioritised by impact.
Cyber Essentials certification was achieved, satisfying the requirements of commissioners and insurance providers. The care group can now include the certification in tender responses and demonstrate a baseline level of security assurance that many competitors cannot.
The DSPT submission was completed successfully, confirming that the care group meets the NHS standards for handling health and care data. Existing data-sharing arrangements are now on a formal footing, and the group is positioned for future NHS partnerships without the compliance gap that had previously held it back.
Every device is now managed and encrypted. Security is measured, tracked, and reviewed quarterly. A clear remediation pipeline ensures that improvements continue rather than stalling after the initial push. The care group has gone from having no security visibility to a structured, governed approach that improves continuously.
Microsoft Secure Score: 38% to 74% · Cyber Essentials certification achieved · DSPT submission completed successfully · Prioritised remediation plan with ongoing governance · Device security, identity, and data protection all measured and tracked