UK universities are failing to teach cyber security skills and are churning out IT graduates who present a “risk to their own organisation”, warns senior NHS manager
UK universities are failing to teach enough computer security skills and are churning out IT graduates who present a “risk to their own organisation”, according to a senior NHS IT manager.
Derrick Bates, senior information security officer at North Cumbria University Hospitals NHS Trust, said: “Some of today’s graduates may have an abstract knowledge of info security, but how many of them could spot a dodgy attachment, run a penetration test or crack a code?
“What is the point in universities turning out great software developers and web designers if they have no idea how to design them securely? It is like building a house without locks.”
He warned that “under-skilled” IT staff can be a “gateway for hackers to get into the rest of the organisation”.
“For example, at the NHS, I have seen poor practices by junior staff in everything from handling memory sticks to data disposal,” he said.
Last year NHS Surrey was fined £200,000 after staff disposed of an old computer without checking the 2,900 patient records had been deleted. A member of the public bought the second-hand computer online and found the sensitive material still on the machine.
Six universities were last week accredited by Cheltenham-based spy agency GCHQ to train the next generation of “cyber spies” and security experts, but the shortfall of properly qualified workers will continue unless further steps are taken, warn experts.
The results of a survey carried out by computer security members’ body (ISC)2 reveal that only 0.6 per cent of the 7,635 students graduating each year from computer science courses go on to take security jobs.
Dr Adrian Davis, European managing director of the group, said that companies are increasingly reporting that UK computing graduates do not have any advantage over graduates from other subject areas. This is because computer science degrees can contain as little as one security-focused module – just five per cent of a degree.
“With the acknowledged and well-publicised growth in cyber attack on business systems, critical infrastructure and individuals’ PCs, the industry needs graduates equipped with knowledge of the threats and skills to overcome them,” he said.
“Computing courses need to have information security embedded within the core curriculum and the professional community has a responsibility to support academic development in this area. We all need to work harder at sharing insights from the workplace if we expect academia to meet our requirements.”