We all know that courts have become very reliant on technology, especially so as they have quickly expanded the use of video, e-filing, and other IT systems during the COVID-19 pandemic.  Cybersecurity is not a new problem,[i] but cyber-threats have greatly increased, at times even putting a court’s viability at risk.  Over and over again we hear about another cybersecurity breach (and those are only the ones that get publicized!).  This blog post highlights some things that are (or will be soon) available to effectively deal with the situation.

First, the National Center for State Courts has again published an excellent Trends in State Courts [Trends-2021_final.pdf (ncsc.org)]. There are articles across a wide variety of topics, but this one particularly caught my eye:  How to Mitigate Cybersecurity Risks When You Don’t Fully Control Your IT Environment, by Paul Embley (pp. 65-68).

The inclusion of this article in the NCSC’s Trends-2021 publication is very timely.  I encourage everyone to read the entire publication, but at least read the articles that, like me, catch your eye.  Meanwhile, what follows are the key points of Embley’s article.

  1. Catalog-Classify-Prioritize your IT environment.  You need to know and document what your technology assets (software, applications, data, and servers) are, and prioritize them.  For example, doing so allows you to define what data are public, sensitive, or secure, which in turn drives internal controls (see IV below).
  2. Ensure good communication and relations between the court and its IT provider.  This is essential to effective governance of the IT program, which should include an IT council or similar group.  You will need this if a cybersecurity incident ever occurs.
  3. Ensure that adequate IT expertise and skills are included in court-based staff.  Such expertise is important for the court to effectively collaborate with the IT provider.
  4. Establish controls and maintenance systems.  Controls include things like encryption, firewalls, multifactor authentication, network segmentation (e.g., having the court’s systems separated from other governmental entities), and physical security.  Systems must be maintained with the latest updates and patches, along with tested backups and restoration processes.
  5. Conduct periodic IT system audits. Like financial systems, a court’s IT systems will benefit from audits by outsiders.  A fresh look at what exists and what is needed will be very beneficial.
  6. Provide cybersecurity training to all judges and staff.   It is often noted that the weakest part of any cybersecurity program are the systems users.  Everyone needs to be aware of the threats and the role they play in ensuring a secure environment.

Here are some other upcoming resources to help us understand and respond to cybersecurity threats:

  • The September Court Leaders Advantage Podcast (Court Leader’s Advantage – Court Leader) will have a great discussion by several court administrators of the topic, focusing on cyberattacks.  I encourage everyone to listen or view this podcast next month (subscribe to Court Leader to be notified when it is published, along with all other content). Here is a preview of the what the discussion will cover:
    • What was the attack like?  What happened and what did you do? 
    • What type of attack was it? (e.g., ransomware, a virus, a worm, phishing, malware, etc.) 
    • What kind of questions should court administrators be asking their IT division to be assured that the court is properly protected? 
    • Is protection against cyberattack part of your court’s continuity of operations plan? 
    • What can a small court do to protect itself on a shoestring budget? 
    • Does employee teleworking make courts more vulnerable to cyberattack?  

That’s the latest on cybersecurity – comment below if you have any other suggested resources.  It is important that we all do our best to be as informed as possible about cybersecurity, applying that knowledge to minimize the inherent risks of court automated systems.

As always, comments and suggestions for future blog post topics are welcome.

[i] See previous CourtLeader posts related to cybersecurity:

Published by Norman Meyer (He-Him)

After 38 years as a trial court administrator in the state and federal courts in the U.S., Norman continues to write, teach, and otherwise participate in judicial administration activities world-wide. In particular, he is active in the International Association for Court Administration (IACA) as an Advisory Board member and past Regional Vice President, in the National Association for Court Management (NACM) as a Past President (having received NACM's Award of Merit), and as an Associate of the Justice Speakers Institute. Norman has extensive experience working on international Rule of Law projects, particularly in the Russian Federation, Serbia, Ukraine, Moldova, and Albania. Norman is a Phi Beta Kappa graduate of the University of New Mexico (Political Science and Russian Studies), and he received the Master of Science in Judicial Administration from the University of Denver College of Law.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s