Barclays Hacks Its Own Systems to Find Holes Before Criminals Do

China Marks WWII Defeat and Barclays Hacks Its Systems
  • Cyber attacks viewed as a growing risk by U.K. banks
  • Criminals are improving their methods `all the time'

Barclays Plc is hacking its own computer systems to stay a step ahead of the criminals.

Troels Oerting, who joined as chief information security officer in February, set up a so-called red team in recent weeks to attack the digital defenses of the London-based bank. His goal is to find any flaws and fix them before thieves, vandals or terrorists can exploit them.

“We emulate how criminals will try to get into the bank,” said Oerting, the former head of Europol’s European Cybercrime Center. “Then the red unit will do the same work, testing our ability to detect, to prevent, to resist.”

Oerting, a 35-year law-enforcement veteran, is part of a corps of former policemen and spies entering private industry to fend off a barrage of cyberattacks on businesses. More banks are building in-house teams that “operate and think like cybercriminals” as hackers become increasingly sophisticated, said Sergey Lozhkin, a security researcher at Moscow-based Kaspersky Lab, which has worked on investigations with Interpol and Europol.

The consequences of failure can be painful, as in the release last month of user accounts stolen from AshleyMadison.com, a website that urges clients to commit adultery. Hackers reached deep into the infrastructure of JPMorgan Chase & Co. last year, stealing names, addresses and e-mail addresses of 83 million people and small businesses, just months after the New York-based bank pledged to spend a quarter-billion dollars a year on cyber security.

Staying ahead of the bad guys requires resources, expertise and vigilance, and even that isn’t always enough.

“They improve the ways to get in all the time,” said Oerting, 58. “The reality is that there are actually more cases than you read in the press.”

Barclays is boosting spending by about 20 percent as part of its new cyber-defense strategy, Oerting said, declining to elaborate. 

Cyber risk is viewed as a key concern by almost a third of banks in the U.K., a survey by the Bank of England found in July. Two years ago, only 1 percent of those surveyed considered cyber attack a major risk. HSBC Holdings Plc, Lloyds Banking Group Plc and Royal Bank of Scotland Group Plc declined to discuss their efforts to fight computer crime.

Oerting’s new team of internal hackers, which will number as many as eight, joins the bank’s staff of 800 information technology security personnel. 

Its efforts coincide with a Bank of England push to spot vulnerabilities at the 35 financial firms deemed critical to the U.K. economy. In that program, dubbed CBEST, security specialists monitor hackers’ tactics and use them to mimic real attacks. Five firms had concluded the program as of July, including Barclays and Lloyds.

“Cyber criminals are now looking for the responsible individuals inside banks who control many millions of pounds,” said James Chappell, co-founder and chief technology officer of Digital Shadows, a cyber-security company working with the BOE. “Then a single high-value fraud is committed.”

As hackers become more sophisticated, banks are seeking ways to lessen the impact of attacks, said Paul Hampton, a payments security expert at Amsterdam-based Gemalto NV.

“Banks accept that breaches are going to happen and rather than reinforcing the perimeter security they’re making sure data stolen won’t be usable,” he said.

Like Barclays, competitors are tapping top law enforcement and counter-terrorism officials to bolster digital security and compliance. In April, Standard Chartered Plc hired Iain Lobban, the former director of GCHQ, the surveillance arm of Britain’s intelligence agencies, as a senior adviser to the financial crime risk committee of the bank’s board.

JPMorgan hired former U.S. Army Chief of Staff Ray Odierno to advise the bank on issues including international risks and cyber security. Patrick Burton, a London-based spokesman for JPMorgan, declined to comment on its cyber-security operation.

“We want to keep our employees and our customers safe,” said Oerting. “This is why it’s so important that we assess the threats, the controls and see if we have any gaps.”