Security and data handling were at the top of the IT agenda
New Jersey Courts’ IT security team have shared how they switched to secure remote working with just three days’ notice as the Covid-19 pandemic took hold last year.
Speaking at the RSA Conference 2021 this week, Jack McCarthy and Sajed Naseem, respectively CIO and CISO of the US state court system, explained to delegates how they enabled thousands of colleagues to work from home almost overnight.
While they were not the only workforce to face this problem, as industries around the world shut down their sites to halt the spread, they did face a uniquely difficult task.
For example, not only did they have to be able to communicate efficiently, they also had to ensure justice was served fairly with no interruptions from unwelcome visitors.
“Clearly the hackers were using Covid-19 to remain active and to get even more active in terms of that moment,” Naseem said, explaining that they were facing everything from an increase in coronavirus-related phishing campaigns, to the threat of outsiders jumping in on video calls.
McCarthy explained that New Jersey Courts is different to most other US states in that it handles both courts of law and equity – meaning that it oversees all cases from parking ticket violations to serious crimes.
In March 2020, at the outset of the coronavirus pandemic, the judiciary had more than 13,000 staff members using 50,000 IT devices.
The IT team was given just three days’ notice to enable staff to work from home, given the escalating crisis in New York and New Jersey at the time.
Luckily, explained McCarthy, they already had security practices in place such as the use of site-to-site VPNs and the mandatory use of two-factor authentication.
However, with only 2,500 staff devices capable of being used remotely, these measures alone didn’t solve their dilemma.
McCarthy recounted how he was playing golf one Sunday evening when he got the call to say they were moving to a work-from-home model the very next day.
Overnight, 95% of workers had been told to stay at home – a stark contrast to pre-pandemic, when 99% were in-house.
Originally, court sessions were still taking place on the premises, though by the Wednesday it was clear that these too had to take place remotely.
Firstly, the team had to scale up by quadrupling their current VPN package, which was formatted to process 2,500 devices, but in reality could “only handle 500 or 600”, said McCarthy.
Next, developers had to expand the online case management system to ensure that all documents and payments could be submitted securely. McCarthy said a “crude” version was completed in just three days, but has since been finessed and will now become their primary software.
Due to the lack of laptops, employees were told to move their desktops to their homes. Luckily the IT department had already fully encrypted each device, meaning they “were in a good, secure place to allow that to happen”, said McCarthy.
Finally, the department migrated to Microsoft Teams in just one day.
Looking forward, McCarthy said the days of court sessions taking place fully in-house are “over” as New Jersey Courts continues to adopt a “security first” approach to protect citizens and preserve a fair justice system.
“We’re instituting zero trust so that we know how to deal in the future with SolarWinds and other attacks,” said McCarthy.
“And just making sure that we’re pushing the envelope as much as we can to ensure that whatever we’re doing, we’re doing securely because we have the public’s trust and confidence in our data processes and procedures.”