When school districts work with an alternative transportation vendor, protecting student data is an incredible cybersecurity responsibility. ALC Schools takes cybersecurity very seriously, ensuring student data and its overarching technology are fully protected.
In this episode of our Focus on the One Series, Abi Studer interviews ALC’s Chief Technology Officer Bryan Glenn and Security Administrator Brian Kwiecinski on the topic of student data protection in light of Cybersecurity Awareness Month.
Abi Studer (AS): Hi, I’m Abi Studer with ALC. Today I have Bryan Glenn, ALC’s CTO, and Brian Kwiecinski, our security administrator. They’re joining me to talk about cybersecurity – especially as it relates to student data. Thank you Bryan and Brian for joining me today.
October is Cybersecurity Awareness Month, but that’s such a broad topic. We wanted to bring a little bit more focus just to student data specifically.
Student Data Protection
AS: So, when talking about student data, what information actually needs to be protected?
Brian Kwiecinski (BK): Well, I think one of the kind of big buzzwords in cybersecurity is PII, which is personally identifiable information. And essentially, it’s anything that can either directly or through correlation with other bits of information be used to identify you, find out personal information there. And I think that is one of the biggest things in terms of student data is if it can be identified to the student, anything like addresses, medical history, things like that, or anything to do with like sensitive educational information on there.
AS: So, when speaking about school districts, what are some of the challenges that they may have when trying to safeguard that information?
Bryan Glenn (BG): I think the challenge for school districts often is that there are a number of software platforms out there to help them do their jobs on a daily basis. And I think knowing where data is going, being able to track that data, understanding whether or not platforms integrate with other platforms, how that data is shared across, and other third party platforms. That’s a challenging task for school districts that they have to track this information and really do their due diligence around vendors that they use. It’s a challenging task.
AS: So, the information is the PII. As far as safeguarding it and keeping track of the vendors, double checking to make sure that your vendors are taking the same steps as the school district themselves in order to safeguard that PII, what are some of the risks that school districts open themselves up to when they share maybe too much information? And are there risks associated with maybe sharing too little information?
BK: I think one of the main risks of sharing too much information is where is this information going to go after me? So like, after you’ve already shared to the initial party. And I think a lot of it is knowing who should know, and if someone doesn’t have a need to know, it’s probably better to not share it. Information is very precious, especially in the common age. So it can be difficult once you let the toothpaste out of the tube, it is very hard to put it back in.
Risks to Sharing Information
AS: So to err on the side of too little information, are there risks associated with maybe offering too much, too little information as well?
BK: I can’t think of any scenarios where it would be. One being, I think it might prompt for like, “Hey, would you mind providing more information?”, but I think that is also a necessary step when you want to assume that you are sharing as little information as you need to. And then if they need more, make sure there’s a reason for it, and then go from there. But I don’t think I can think of any scenarios where too little information is a risk.
What Districts Should Look for in a Vendor
AS: I think that’s pretty straightforward. So, let me just ask one more question. And we’ll start with Bryan Glenn. Bryan, what are maybe the top three to five things that districts should look for in a vendor to ensure that student data is going to be secure?
BG: Yeah, I think school districts should be asking their software partners, “Do you have policies around how you keep your information secure?” and the fact that you might have a policy around something means that you’ve put thought into what looks like it’s to protect this data. And it also means that you apply that policy throughout your organization so that when you are writing software that your engineering team understands the policy that they need to follow and it gives the school district comfort that you’re actually doing something to safeguard their data. You’ve thought about it, and you’ve implemented practices around it.
The next thing is are you doing ongoing security awareness training? Or, are you doing scans externally against your system to make sure that bad actors can’t access data externally. And – as we do here at ALC – we do plenty of security awareness training. We run plenty of trainings and tests against our own software internally and also against people. Maybe through email just to ensure that people have a security mindset. That’s very important.
BK: A bad person can beat a good system every time. Social engineering is one of the biggest problems and also one of the easiest ways into an organization. And it is a little scary sometimes the things that we see get through.
AS: Okay, so the information that we have is the PII, the student data, needs to be protected, there are risks associated with sharing too much information, and a bad person can beat a good system every time. What kind of advice would you give a school district?
Bryan Glenn, you mentioned that just being aware of who your vendors are, what they’re using that information for, how they’re safeguarding it and making sure, checking their policies. Brian Kwiecinski, would you have anything else that you wanted to add maybe to Bryan’s advice?
BK: I think that it’s very important to make sure that there is testing involved with whatever you’re doing. I think that a lot of times people think “Oh, it’s secure” like in its normal use case since there’s no exposure of data. While there are no issues there, working with cybersecurity, computers unfortunately have a lot of weird issues and weird ways to exploit them. So, it’s important to run through penetration testing, tabletop exercises, all that just to make sure that when you are protecting your data, you know that you have verified the effectiveness of the controls.
AS: Awesome, thank you guys so much for joining us for this super short, but very helpful interview. I appreciate your insight very much and appreciate your time. Thank you.