
GUEST ARTICLE: Cyber-Crime: What Trends Should We Expect?

Tom Burroughes, Group Editor, London, 17 February 2015

Cybercrime continues to be a global threat. Last year, hackers penetrated JP Morgan and other global institutions. Further revelations emerged this week. The authors of this article consider what lies ahead.

Paul Stokes, the chief operating officer of Wynyard Group, along with Andy France, the group's chief intelligence advisor, spoke to this publication about the cyber-security threats that many private banks must confront. Wynyard Group, a firm listed on the New Zealand stock market with offices worldwide, provides crime analytics and risk management software for governments and financial services firms. The issue of hackers attacking banks has already raised alarms for the wealth management industry, as this article, for example, demonstrates. New problems come to light on almost a daily basis, as revelations this week highlight. Below, France and Stokes set out their views. As ever, this publication invites readers to respond with their own views.

More and more firms will realise that no company is immune to cyberattacks and that so-called perimeter security is no longer enough.

Organisations operate in a perimeter-less cyberworld and the idea that an organisation can throw a fence up at its edge to protect its inner parts is fiction. Sophisticated criminals have rendered traditional “perimeter defences” such as proxies, firewalls, virtual private networks, and antivirus and malware tools ineffective.

A few years ago, a traditional company would have an IT department and all the software would be on its own machines. Then the Internet came along, to which everybody wanted to be connected. This widened the threat horizon to take in all people who could be connected to each other by phone. People overseas were now connected to it in large numbers. The traditional company could keep locks on its old system but this did not make sense in a world where everybody was connected to everyone else. A wall, or a moat, does not work any more. Companies now need to detect and tackle threats inside the firewall and as they develop.

Attacks often remain undetected until it is too late. Many uninformed bystanders believe that all cyberattacks are over in a flash; this is a common misconception. The process of lifting data out of someone else's system also takes time, so a well-prepared firm might spot the symptoms before the deed is done.

Firms must invest more heavily than ever before in cyber-intelligence software that allows them to detect threats and respond to them rapidly.

According to Gartner, a firm tracking such trends, by 2020, 60 per cent of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10 per cent in 2012. Some governments are no longer relying on the implementation of information security policies or traditional perimeter cyber-security tools. They are now actively “building cyber-intelligence capability” to reduce the “unknown unknowns” that are likely to affect their operations or economies.

The role of the chief information security officer will become more important.

CISOs at financial firms are being “invited to the top table” more often as time goes on. This is an admission that in many cases a business's survival relies on the security of its technology. One tends to find that when security has been breached and things have gone spectacularly wrong, it is because a junior person has been given responsibility for cyber-security. This is one of the most pernicious problems of cyber-security. The only remedy is to have someone senior in charge of security who can argue with or contradict his peers on the board from a position of equal status.

Governments and private enterprises will collaborate more to tackle cyber-threats.

The cyber-threat landscape is changing rapidly and collaboration is vital. One problem that demands a coordinated approach is the huge black market that exists on the "dark web". Our research suggests that it costs $103 to buy a credit card number and code that will allow the purchaser to siphon money out of a bank account.

Cyber-risk management will become a priority for the boards of financial firms, if it is not one already.

One thing to note here is that some boards at financial firms are thinking of moving responsibility for network security from audit committees to risk committees. Board directors, moreover, must look at the attacks their companies have been experiencing over time rather than merely looking at trade press articles. This, too, represents a change - each firm must review everything that has happened to its own systems; there is no other good way to guard against attacks.

The average firm will spend more time scrutinising other firms that supply it with crucial ancillary services or hold sensitive information on its behalf.

Many organisations do not assess the security practices of supply chains and so-called “third-party partners” adequately. It is imperative for organisations to hold third-party partners to the same cyber-security standards that they set for themselves, if not higher standards.

Companies will react to “cyber-events” in a more mature manner as those threats become more commonplace. Companies will also come to believe that security and privacy are everyone's problem.

Companies are increasingly admitting that advanced “cyber-threats” are an insoluble problem, but they know that the benefits of being connected to the internet outweigh all the risks. Cyber-security is a responsibility shared and managed by all - the public sector, the private sector, and the general public. Some might think that this calls for a revamping of the Internet but, at the moment, nobody wants to give up on the present version.
