Eoin Darcy, Director of ICT at Ireland's National Treatment Purchase Fund, stopped blaming users for security incidents and started building them into his strongest line of defence. Here is what happened next.
The National Treatment Purchase Fund holds sensitive personal health data for patients across every public hospital in Ireland. For an organisation like that, a single security incident is not a reputational problem. It is an existential one. So when Eoin Darcy, Director of ICT, looked honestly at what the NTPF had in place to defend against it, the picture was not comfortable.
"It's an existential threat to our organisation. We have a lot of very personal data, we need to be very, very careful about it."— Eoin Darcy, Director of ICT, NTPF
Watch Eoin's story:
The challenge
Like most IT teams, the NTPF's default was to treat users as the weak link. When incidents happened, it was because someone clicked something. The culture was not empowering staff to act as defenders. It was positioning them as suspects.
Training did little to change that. Security awareness meant one session a year: an hour-long talk from the IT director, usually folded into induction. It covered the basics, ticked the compliance box, and then disappeared from people's minds for another twelve months.
Then the stakes got real. The 2021 HSE cyberattack, one phishing click, one user, a national health system brought to its knees, made the risk impossible to ignore. "You can only be unlucky once," Eoin says. The NTPF could not afford to wait for its unlucky moment.
The solution
Eoin did not just deploy a training platform. He changed the philosophy first, then built a culture around it.
"We flipped it totally on its head. They're actually the last line of defence and the best line of defence. They are our human firewall."— Eoin Darcy, Director of ICT, NTPF
The engine behind that shift is automated, bite-sized training with uLearn, delivered on a chosen cadence with no manual triggers and no admin overhead. For a 22-person ICT team covering operations, development, testing, and data processing, removing that admin burden mattered.
Alongside the training, phishing simulations with uPhish run on Eoin's schedule, timed deliberately for Friday evenings, wet Monday mornings, before Black Friday, and around Christmas, and made progressively harder over time. When someone is caught, the response is coaching, not blame. "We don't want a situation where someone who's caught doesn't report it."
Reporting and governance keep the whole thing accountable. Every director receives a Friday morning compliance report showing who is behind on their training. The board's Audit and Risk Committee receives a quarterly KPI. The CEO completes training on exactly the same schedule as everyone else. Accountability is distributed, not centralised in the IT team.
Finally, the NTPF built culture around the platform. usecure character posters rotate through the office, branded mouse mats sit on every desk, and a Teams channel shares plain-language security news. A no-blame culture encourages people to report. As Eoin puts it:
"If it's just another training course, it loses its effect. It needs to be front and centre and in people's minds all the time."— Eoin Darcy, Director of ICT, NTPF
The results
From once-a-year sessions with no formal tracking, the NTPF now sees 99.4% completion of all assigned courses, consistently holding at 98% to 99% or higher since implementation.
That number is not just an internal metric. It is a board-level KPI.
"It's actually a KPI that I report to the Audit and Risk Committee of the board. My target is 95%, but we're well above 99% at the moment."— Eoin Darcy, Director of ICT, NTPF
Most importantly, the change is organisation-wide. From the CEO to frontline staff, everyone is on the same schedule. Cyberto, usecure's animated villain, has become a genuine fixture of office culture. Security awareness is now simply how things are done at the NTPF.
At a glance
- 99.4% training participation rate
- 95% board KPI target, consistently exceeded
- Around 105 employees trained
- Zero manual admin tasks per training cycle
- Every staff member on the same schedule, from the CEO down
- Management and board buy-in requirement for NIS 2 met
Ready to build your human firewall?
usecure gives your organisation the training, simulations, reporting, and governance to turn every employee into a line of defence, without adding admin overhead to your team.
Newsletter abonnieren
Erfahren Sie, wie Unternehmen im Bereich Professional Services mit usecure menschliche Risiken reduzieren
Erfahren Sie, wie IT-Teams in Professional-Services-Unternehmen usecure nutzen, um sensible Kundendaten zu schützen, Compliance-Anforderungen zu erfüllen und ihre Reputation zu wahren — ohne abrechenbare Arbeit zu beeinträchtigen.
Ähnliche Beiträge
Entdecken Sie weitere Einblicke, Neuigkeiten und Ressourcen von usecure.

.png)


.avif)
.avif)