Do it right or don't do it at all.
Perhaps the Universities IT team should attend its own course - FdSc Computing Technologies (Networks and Cybersecurity). The woeful state of cyber security in the UK in both the private and public sector is akin to letting toddlers loose with flamethrowers. There should be independent penetration tests of any system with approved risk treatment plans before it is permitted to go live with mandatory criminal charges when problems like this arise and negligence is proven.
Biting the hand that feeds IT
