“There are many different ways bad people can get to your data. You should be concerned about it and you should do something about it.”

That’s the assessment of Nicholas Barone, Director, Consulting Services Group, Eisner Amper LLP, speaking on a cybersecurity panel at the 15th annual Law Firm COO & CFO Forum in New York this week presented by the Legal Executive Institute.

Barone has seen and investigated many cyberattacks against law firms, and explained three common methods hackers use to gain access to law firms data:

  1. Steal login credentials
  2. Exploit a system configuration on firm servers
  3. Gain access through a vendor account

Once hackers get into the network, they can then build and grow their privileges to access the entire network, including troves of sensitive firm and client data.

Barone warned that antivirus, antimalware and other software are having a difficult time keeping up with fast-morphing viruses and malware. At the same time, he warned that moving to Cloud storage does not automatically equate to stronger security. While vendors such as Microsoft and Amazon deploy some of the best maintained and most sophisticated cyber defenses, all it takes is for a hacker to employ social engineering techniques to obtain someone’s login credentials. And when they do that, “the bad guys can get into your Cloud account just as easily as they can get into your network.”

In addition, many Cloud users misconfigure how their servers interface with the Cloud providers, which can lead vulnerabilities.

The panel cautioned that multi-level security technology and procedures are needed to protect firm against vulnerabilities in their technology, people and processes.