Cyber-Security: What is DLP? The Gregorio Salazar case.

Looking into the horizon, Gregorio Salazar mentally went over the last few stressful hours of the day. The sun was slowly turning red over the city of Madrid. The view was amazing from the window of his office on the 33rd floor of the Cuatro Torres. But Gregorio was in no mood for simple pleasures. He had other concerns. The next day he had to explain to the Board that they had just lost a contract for almost three billion euros to build a mega-infrastructure in the Middle East.

What had gone wrong? The tender had run its normal course and Gregorio’s company was a large multinational in the industry – a “key player”. Even though the technical issues were complex, they would not have been a problem for the technical department. So many years working for the Spanish Government had opened a lot of doors for their international expansion. He could still remember his fear in the good old days, when swimming amongst the “big fish” in the industry was a daunting experience. What was such a small fish doing amongst so many international sharks? He was surprised, not so much for the result, but rather how quickly it had all happened. The ability to efficiently and flexibly manage and ensure the highest levels of quality required was something that Gregorio was used to. Making a virtue out of a need, as they say. And from virtue came distinction. The little fish became a reference. They were no longer unknowns. The market knew that their bids set the limit between what was possible and profitable. A market benchmark. Maybe that had been the beginning of the end. They were no longer unknown. A lot of people were closely observing their decisions. Information that was worth its weight in gold and a valuable reward for the bounty hunters.

dataroom24_boardcommunicationEarly in the morning, according to the standard tender procedure, he had presented his bid. The technical issues had been resolved and qualified. The only thing missing was the financial bid. Hours and hours of internal discussions with the sales department, the CFO, the corporate strategy people, the banks that would fund the project, the consultants and the in-house and external lawyers.

The implications of each budget had to be studied. Every euro financed could mean the difference between earning a lot of money or not. The legal implications. The rumor had been spread in international circles that their bids were “dangerously low”. The critics said that they won tenders at impossible prices, but were able to make them profitable during the project using the famous re-designs, which increased the price and the margin. An adapted version of the well-known “While you’re at it” in the construction industry … let’s include two more taps here, knock this wall down and add a marble floor. It will look much better …” and the initial quote doubled. This was not the case on this occasion, but it was important to have everything covered. That’s where the lawyers came in.

In the end, everything depended on the content of the sealed envelope they sent that morning. The famous envelope with the “final price” was on the table. They were convinced it was the best.

First came the surprise and then the indignation. When the bid envelopes were opened, there was one that was only one hundred thousand dollars below theirs, which was second and therefore the first of the losing bids. What had happened? At these prices, such a small difference was absurd. In a project of almost two billion euros, a difference of 0.01% was surreal. Something smelt fishy, but it was more like a rat.

Gregorio feared the worst. He called Manuel Ruiz, the group’s security manager. Manuel had joined the company recently, after the company consultants had insisted on hiring him. They had to deal with the issue that everyone considered a need. The position was called CISO (Chief Information and Security Officer). To have the label covered was not enough. Manuel had earned a reputation as a “party pooper”. Everything was a risk and everything had to be checked. Snooping around the different departments asking questions, trying to understand the processes and showing people wherever they were vulnerable and the risks of unauthorized access to confidential information didn’t make you too many friends. Suggesting to Management that cyber-security was not just a question of firewalls and anti-viruses and the like, but an issue affecting everyone in their own environment didn’t help either. It was nice to talk about corporate culture, but it had to be developed and that involved many departments having to establish rules and procedures. From the legal department to human resources, as well as senior management support. Seminars, presentations, questionnaires to be completed, not exactly a recipe for making friends.

Manuel was a restless spirit, highly experienced on both sides of the fence. Part of his resume included his days as a good hacker. In the global environment, Manuel was already considered as a White Hat Hacker and, in international circuits, was well-known, with many contacts with people in the US and Israel, for different reasons considered as global benchmarks in Cyber-Security. That same day, he had held an extremely interesting meeting with colleagues from Israel on the latest developments in Cyber-Security. Manuel convinced the company CEO to join them. Gregorio was firmly convinced that the world was an increasingly more digital place, in which information is power and unauthorized access to it can have terrible consequences.

Smart Phone with Security Cameras

Manuel had just joined the company and, although he had made considerable progress, he was aware that there was still a lot to be done. But he never thought that meantime, the impact could be so great. They weren’t ready yet.  Manuel walked into the office and Gregorio brought him up to date. Manuel’s face slowly became grim. It was obvious. A clear-cut case of leaked information, in the industry known as DLP (Data Loss Prevention). The damage was done. What was left was to study it and try to find out who was involved and minimize the risk of it happening again. Gregorio nodded; he couldn’t let it happen again. A few more lost tenders would seriously affect the company and put its future viability at risk.

Manuel started to explain. DLPs are the most complex and vulnerable things that exist. They normally involve a large number of variables, especially human ones, which greatly increase the potential unwanted sources of data. A new data control process was required, as it was not enough to set up the famous “data rooms” for tender processes, in which all the information and the people with access to it are supposedly isolated. Tender processes that last days or weeks. Long days and long nights. The transfer of documents, remote access, taking work home, laptops connected to WIFI at home. All potential sources (easy to access) for intercepting data. Control could be intrusive; the more important the data, the more important the executive with access to it and the less willingness to be “forced” to use the systems proposed by security and not the latest model iPhone, which was much easier. However, Manuel knew that all these systems, the majority of which had already been implemented, were still not enough.

His mind wandered to the comment made by his Israel colleague on procedures. No software or hardware component is efficient without the necessary Cyber-Security culture, an essential part of how the people involved operated with the company. Even in the most advanced intelligence services, cell phones were left at the entrance. No electronic device was allowed at a meeting, if not previously checked. But, even that was not enough. Measures were introduced to monitor all possible communications and block all data transfer and video recording. They could even take measures against passive devices such as digital recorders. He was surprised to learn that it was more difficult to control an old analogic recorder than a modern digital one. The file would be sent from any available date network after leaving the “data room”.

He casually asked if the only way to control it was to force people to enter Data Rooms completely naked, well, it could probably be very challenging. After the smiles, he remembered the options that they put on the table. Now he would share them with Gregorio.


Ps: All names, references to companies, locations and events are fictitious and do not relate to any case in particular, simply being used to illustrate the possible impact of data leaks in corporate environments and Cyber-Security and any similarity to a real case is purely coincidental.

Francisco Canos

Translated by Jeff Callow

Article published on 12 November 2017 in: diario-abierto-logo


Leave a Reply