Ari Kaplan recently spoke with Ciprian Şaramet, managing director at Modular Services, a Romanian company focused on providing global law firms with technical support and business services.

They discussed how law firms can strengthen their cybersecurity posture, the influence of artificial intelligence on law firm security, vulnerability management, and the value of continuous education for safeguarding client data and firm operations.

Ari Kaplan: Tell us about your background and the genesis of Modular Services.

Ciprian Şaramet: I started as a systems engineer, moved on to project management and created a small outsourcing setup for a law firm in 2013. I was asked to manage and grow it, and over time, it developed into a massive business unit, which became Modular Services. We created a full delivery center based on that team and have been expanding it since 2021 with new and improved services in our portfolio. We opened our first office on April 1, 2021, during a pandemic when others were downsizing.

Ari Kaplan: What business services and technical support do you provide for global law firms?

Ciprian Şaramet: We started with 24/7 IT support, our bread and butter for the past 12 years. Since we assembled under the brand of Modular Services, we’ve added finance operations to our portfolio, which includes accounts payable, e-billing and matter administration. We perform some data entry and risk management tasks for each matter, including the client matter opening form. We provide specialized reporting, so that lawyers can consider WIP and KPIs in relation to the other teams and align them with the firm’s targets. We even handle core systems development around our various finance tools and have Elite 3E developers on our team. In 2019, we launched our cybersecurity services, and now, we serve nine clients with end-to-end cybersecurity services that range from assessments to conducting audits of cybersecurity controls, web penetration testing, application testing, 24/7 security operation center support and vulnerability management. Additionally, we offer niche services related to business development, including support for CRM systems. We provide full-stack application development and recently created a docketing system for one of our clients. Furthermore, we’ve begun developing AI solutions for our law firm clients, an area we see as having great potential for growth. We even design pitch templates. We say the sky is the limit, and because we have been serving global law firms for so long, our team has gained extensive experience in various niche areas that you will not find with large managed services suppliers.

Ari Kaplan: How can law firm leaders strengthen their cybersecurity efforts in the current climate?

Ciprian Şaramet is the managing director at Modular Services, a Romanian company focused on providing global law firms with technical support and business services.

Ciprian Şaramet: Continue strengthening proactive threat detection capabilities and invest as much in tools as in people skills. It’s vital to have CISOs familiar with the latest security threats and cybersecurity trends because they are changing rapidly on a global scale. Additionally, advancements in AI have accelerated the number of attack vectors and enhanced the creative ways hackers can exploit vulnerabilities in a law firm’s defenses. At the same time, AI has reduced the skill levels required to be a hacker because a couple of years ago, one needed to understand some scripting and a bit of programming. Now, one just needs to be very clever with a few prompts to create an attack payload, which can be deployed, scaled with various available cloud solutions and launched in an attack.

Ari Kaplan: How did the pandemic affect the way law firms leverage outsourced business and technical services?

Ciprian Şaramet: It opened up many possibilities and shifted attention to teams that were successfully supporting their infrastructure. More traditional law firms struggled to get their people working from home because they depended on the technology available in the office, such as telephony. We were one of the first groups to implement Microsoft Teams, allowing people to work from home seamlessly, without clients or lawyers noticing any difference.

Ari Kaplan: What effect does education have on a law firm’s security posture, and what recommendations do you have for those lessons?

Ciprian Şaramet: Your systems are only as secure as your weakest link, which is the user. You can have all the systems in place with endpoint detection, the latest anti-spam filtering and real-time detection tools for malicious activity within the network. You emphasize that the email could be potentially malicious and publish training programs on your LMS. However, it all comes down to a user clicking a link. It is up to the user to utilize the training and look for signs that an email is malicious. Now, with AI, the level of craftiness in a phishing email campaign is alarming. It is tailored to a specific department. The language in the email is carefully curated using AI tools, and hackers study the sender’s writing style to effectively impersonate them and email as if it were the actual person. Therefore, it’s very hard to tell now, but paying attention to the email headers makes it harder to fall for it.

Ari Kaplan: What is vulnerability management, and why should law firms prioritize it?

Ciprian Şaramet: Vulnerability management is a continuous assessment of your system’s weaknesses or unpatched issues that malicious actors could exploit to escalate their privileges and gain access to your data. Law firms should prioritize addressing vulnerabilities and conducting zero-day patching exercises to effectively protect their clients’ data. When vulnerability scans uncover critical issues, they should be repaired within the shortest time frame possible. Cyber Essentials Plus requires you to resolve critical issues in fewer than 10 days, but with the computing power available on the market, it is easy to test for and identify exploits, so the timing for addressing these issues should be minimal. Think of it as brushing your teeth. If you have a cavity and fail to brush your teeth every night, the cavity will only expand.

Ari Kaplan: What policies should law firm leaders implement to drive their firms into the future?

Ciprian Şaramet: There should be policies for conditional access, data classification, remote access governance, just-in-time access for administration, identity lifecycle management and bring your own device to achieve a zero-trust model, where you assume compromise and remove as much unnecessary hardware from your infrastructure as possible. Stay as lean as you can with your data. Maintain it with cryptographic keys, and minimize heavy on-premises infrastructure with servers that are vulnerable and can provide a pathway into your client’s data when they are breached. The firm should also align with standards like ISO 27001 and GDPR focused on data security.

Ari Kaplan: How do you see outsourced law firm support evolving?

Ciprian Şaramet: It is still at a break-fix level with some AI and automation supporting it, but it needs to evolve. Law firms should have support frameworks in place and must enhance their maturity in approaching information governance and IT. They need to shift toward defining a security framework with policies and controls that ensure, as much as possible, that their client data is protected. Insurers are driving a lot of the innovation in this area, so many firms are strengthening their security posture and reassessing their support models. Over the next few years, we will see increasing integration of automation and AI into most support processes. We will also see predictive analytics indicating when the next system is likely to break or when the next group of users is expected to call about a problem. Eventually, law firms will have self-healing systems that provide real-time fixes for significant issues.

Listen to the complete interview at Reinventing Professionals.

Ari Kaplan regularly interviews leaders in the legal industry and in the broader professional services community to share perspective, highlight transformative change and introduce new technology at his blog and on Apple Podcasts.

This column reflects the opinions of the author and not necessarily the views of the ABA Journal—or the American Bar Association.