Lloyds Banking Group: People can bank with confidence through a network security tested by BT



Newly merged bank strengthens risk management and network security with the help of independent experts from BT

When Lloyds TSB and HBOS joined forces to create the biggest UK retail bank, it presented Gerard Hearn with a giant technology challenge.

He had to work out how best to merge two networks and two different approaches to risk and security. And fast. So he called in independent experts from BT to audit and test everything, including network security at around 200,000 end points.

The findings and recommendations from BT gave Gerard all he needed to set up the new bank’s risk management and security measures. That means peace of mind for him, and for millions of account holders.

“The combined team of BT and Lloyds Banking Group had a major planning success in correctly identifying the level of risk involved in vulnerability scanning. The accurate assessment and responsible reporting and mitigation planning of this risk were key to the project’s success.”
- Gerard Hearn, Programme Manager, Lloyds Banking Group


Lloyds TSB Group plc was renamed Lloyds Banking Group plc (LBG) on 19 January 2009, following the acquisition of HBOS plc. LBG is now the largest retail bank in the UK, used by one in three people. The bank has over 140,000 staff, more than 3,000 branches and a presence in 30 countries. It operates nearly 30 million current accounts, and one in four SMEs bank with LBG. The bank’s product set ranges from current accounts and savings to credit cards, personal lending, life assurance and pensions.

Following the acquisition of HBOS, one of the major challenges was the need to understand how the convergence and consolidation of the two banks’ pre-existing networks would impact the risk profile of the new organisation. The merger, one of the biggest in UK corporate history, created a huge new combined network, comprising approximately 200,000 end points. In addition to the scale of this challenge, the two heritage organisations, LTSB and HBOS, had different approaches and strategies for managing the security and risks of their legacy networks, and different levels of understanding around possible threats and vulnerabilities.

The board of the new bank needed proper due diligence carried out on the plans for the merger of the two legacy networks. Given the complexity and scale of the task, this had to be done by an independent, trusted third party with the necessary professional credentials and expertise. Specifically, the due diligence task needed to report, in very short timescales, on a number of critical points:

  • Does the convergence of the two networks introduce new risks?
  • Does the convergence of the two networks change any existing (known) risks?
  • Where are the network perimeters and are they secured?
  • Identify any residual vulnerabilities on the combined network and a remediation plan to deal with these.


LBG invited BT to implement an agreed solution. This comprised:

  • Discovery – Establishing the perimeter of the newly combined network, as well as the various hosts/endpoint devices (defined broadly as anything other than a router or switch). This task was accomplished by people from Lloyds, HBOS and BT, by interrogating routers, switches and firewalls for configuration information and routing tables.
  • Analysis – Deploying McAfee Foundstone/Foundscan port scanning capabilities to identify vulnerabilities on the host devices on the network. These capabilities were chosen because they integrated with existing systems in HBOS.
  • Modelling – Using the Skybox Secure automated risk modelling software to examine and rate the risks presented by the identified vulnerabilities. The Skybox software quantifies risk exposure using attack simulation algorithms that compute network access and business asset classifications with the vulnerability data.
  • Systems integration and project management – The BT team produced a final report summarising all the findings and recommendations. The short term remediation recommended in this was acted upon before the networks were merged, whilst long term recommendations for processes and procedures to be modified are now being followed up.


The BT Security Consulting services enabled:

  • Independent audit of critical infrastructure – Due diligence on one of the UK’s largest network infrastructures, completed by skilled experts from BT as a highly respected third-party organisation.
  • Effective management of operational risk – The discovery of risks and vulnerabilities in the networked IT infrastructure enabled the client to create the right risk management and security frameworks for the future evolution of the network.
  • Assurance and peace of mind for key stakeholders – Merger of two heritage networks able to proceed in agreed timeframes and within a control framework.

Core BT services

  • BT Security Consulting services, systems integration, and project management
  • Skybox Risk Modelling Capability
  • McAfee Foundstone Port Scanning

