- Siblings Anu Kukar CA and Sumeet Kukar CA are on a mission to protect businesses from insidious cyber threats and convince CAs to embrace cybersecurity roles.
- Each successful breach is costing organisations an average of US$3.6 million. Alarmingly, companies need about 280 days on average to respond to a cyber attack.
- Key tips for businesses: nominate a cyber champion, have a cyber incident response plan, focus on cybersecurity hygiene and change default configurations.
Story Cameron Cooper
Photos Graham Jepson
As children, siblings Anu Kukar CA and Sumeet Kukar CA had free rein to explore their curiosity. A LEGO aficionado, a young Anu would often disregard instructions and create her own designs, while Sumeet could be found pulling apart computers and putting them back together.
“For me, it’s always been about learning by doing and building skill sets and capabilities,” says Sumeet. He is now a Certified Ethical Hacker and founder and chief executive of Arascina, which he set up to deliver cyber learning programs for people who may or may not have a technology bent.
He and Anu, who works at IBM as an associate partner for cybersecurity strategy, risk and compliance, along with being an Arascina director, have tapped into their childhood inquisitiveness to forge impressive careers in cybersecurity at a time when ransomware and other cyber threats have put a premium on their skills.
Their goal? To protect businesses, large and small, from insidious cyber threats and convince other talented professionals, including chartered accountants, to embrace cybersecurity learning and job roles.
Pictured: Anu Kukar CA (left) and Sumeet Kukar CA
A high price to pay
A World Economic Forum (WEF) report highlights the scale of the cybersecurity threat, stating that the number of ransomware incidents alone increased by 151% globally in the first half of 2021 with an attack predicted to occur every 11 seconds.
The WEF’s Global Cybersecurity Outlook 2022 notes that cyber leaders are most concerned about three forms of cyber attacks: ransomware, social engineering incidents trying to trick people into handing over valuable data or money, and malicious insider activity involving current or former employees.
The report suggests SMEs are especially vulnerable as hackers tend to believe smaller organisations have fewer resources to protect themselves.
The severity of cyber breaches is also significant, with each successful breach costing organisations an average of US$3.6 million. Alarmingly, companies need about 280 days on average to identify and respond to a cyber attack.
Closer to home, the 2021 Australian Cyber Security Centre Threat Report points to 67,500 cybercrime incidents in the 2020–21 financial year, costing the nation A$33 billion in self-reported losses. In the same period, New Zealand’s National Cyber Security Centre recorded 404 incidents affecting nationally significant organisations. Of those, 28% had suspected links to state-sponsored actors and 27% were likely criminal or financially motivated.
Common cyber threats include:
- Ransomware – cyber criminals seize and lock up computers and data and demand payment for their release
- Business email compromise – cyber hackers infiltrate email networks and initiate crimes such as fraudulent money transfers
- Phishing – bogus emails trick people into clicking on links or attachments that are infected with malware
- Denial of service – crucial systems and IT servers are flooded with traffic to shut them down.
While many professionals believe hackers are primarily motivated by financial reasons, Sumeet says most threats come down to one thing – value: “The value that you or your information or asset is perceived as by another, regardless of whether there is financial gain or not,” he says.
Some common motivations behind cyber attacks, he adds, include stealing information, seeking revenge, circulating certain beliefs (e.g. political), tarnishing the reputation or brand of a target or competitor, disrupting business processes, changing data for personal gain and creating fear.
For CAs trying to determine if they are a possible target for hackers, Sumeet says four questions hold the key. Do you operate or work on a process that is absolutely critical for your company? Do you possess passwords or data for the business or customers? Are there any data records that you have or process which could benefit another if manipulated? Is there any asset or data that you access?
“If you answered ‘yes’ to any of these, there is likely a perceived value for somebody else. That means there is a hack motive,” he says.
US cybersecurity agencies have warned that cyber threats for all organisations and businesses could worsen amid increased risks from Russian state-sponsored attacks in the wake of the war in Ukraine.
Anu says large and small companies alike face a dilemma in the face of increased digital transformations in the industry – more and more attacks are occurring, but there are not enough cyber specialists to stop them.
“We just don’t have enough people. So how are chartered accounting firms or other businesses around the world going to respond to these attacks?” International figures reinforce that concern. In the US, for example, in May 2022 there were 1.05 million people employed in cybersecurity, but nearly 600,000 cybersecurity job vacancies, according to the CyberSeek project.
Anu, who has been dubbed the Cyber Untangler because of her ability to tackle cyber ‘knots’, suggests two potential solutions to the skills shortage. First, she encourages talented CAs to complement their financial skills with cyber training and consider switching to a career in cyber. Alternatively, they could engage in training and become a trusted cyber adviser within their organisation while remaining in their current role. “Let’s upskill CAs and grow their careers,” she says.
Second, Anu has started a global not-for-profit campaign called Switch2Cyber to improve awareness of cybersecurity career opportunities and ignite passion for the discipline among professionals. Rather than being seen as just a task for IT specialists, she is calling on more employees from diverse skills backgrounds to play their part in cyber activities.
Anu, recognised on the 2022 Security Industry Association (SIA) Women in Security Forum Power 100 list and awarded Security Champion at the 2021 Australian Women in Security Awards, started her career doing basic tax work, then progressed through consulting and industry roles across areas such as enterprise risk, emerging technologies, assurance, governance, innovation, supply chain, data and strategy.
“We all have some kind of superpower,” she says. “If you had told me two decades ago when I was sitting in a tax agency with a shoebox processing receipts that I would be in cybersecurity, I couldn’t have imagined it.”
Future-proofing your business
A recent CA ANZ tech survey suggests only a third of enterprise-level organisations intend investing more in cybersecurity in the near future. That potentially opens the door to cyber hackers and has led to calls for more employee training to identify and respond to threats.
Sumeet believes one of the priorities for accounting firms should be to maximise the impact of internal CA and cyber skills and ensure they can be used in a real-world setting.
Through Arascina, he offers a wide range of immersive cyber learning courses “for non-techies” to help professionals upskill, including in areas such as cyber governance, threat management and information risk management. “The focus is on making you work ready, by enabling you to do the activities you need to do on a day-to-day basis,” he says. “Being able to do that kind of work in your job and deliver outcomes is what gets you paid a salary, so bridging the gap between knowledge and application is crucial.”
A love of learning
Certainly, the common thread with Sumeet and Anu’s entrepreneurial initiatives is a desire to promote learning and connect people in a way that helps individuals and businesses. Anu says her parents always made education a strong pillar of their childhood. “There’s no way I would have gone through this 20-year career that I’ve had if that curiosity and lifelong learning element hadn’t been there,” she says.
Sumeet sees his career as something that can be plotted on a compass – on the east side he is a chartered accountant; on the west he is an ethical hacker; on the north side he has focused on building cyber functions and resilience in financial services environments; and on the south side he is a teacher and educator.
Staying ahead of the curve
Amid all the career switches and entrepreneurial moves, one thing has been a constant – Sumeet and Anu have over the years drawn strength from the professional grounding that their CA training has given them, including the commercial mindset to pursue new ideas. Anu helps others transform their operations as they pursue goals in areas such as emerging technology, artificial intelligence and machine learning.
“I’m still a CA today and I’m really proud to be because it’s given me the foundational knowledge I need,” she says. “Of course, I’ve had to keep continuously upskilling during my career because it’s a core part of who I am as a person – it’s about lifelong learning.”
For Sumeet, staying true to his childhood-inspired curiosity gives him confidence that he can continue to thrive and succeed. “That curiosity has always kept me one step ahead of the field,” he says.
For organisations and businesses, that message is important as they combat cyber threats in an era when technologies such as AI, robotics, cloud computing and remote working create new cyber vulnerabilities. The World Economic Forum report concludes that business leaders need to shift their emphasis from cybersecurity (protecting systems from attack) to cyber resilience (anticipating, responding to and recovering from attack).
That could entail getting business leaders to engage in mock cyber-response drills, achieving better visibility of their digital ecosystems and acknowledging the importance of greater sharing of cybersecurity information.
It is a sentiment Anu shares. As the pandemic runs its course, she says people have grown accustomed to living in a world of entertainment streaming, internet shopping, online gym classes and social catch-ups, as well as a work-from-home trend that means Zoom and Teams meetings are part of our everyday lives. “We’re living in a digital world and we need to protect that,” she says.
Pictured: Anu Kukar CA has been dubbed the Cyber Untangler because of her ability to tackle cyber ‘knots’. Sumeet Kukar CA is a Certified Ethical Hacker.
Four steps to safety for SMEs
Sumeet Kukar CA shares his key tips for businesses to prevent or respond to cyber attacks.
1. Nominate a cyber champion: In the absence of a team of cyber professionals, smaller firms need to upskill an enthusiastic cybersecurity advocate who can inform management and staff about best-practice cyber strategies, detect threats and activate response plans in the event of an attack. “Because it’s not a matter of if a business will get hit, but when they will get hit,” Sumeet says.
2. Have a cyber incident response plan: Such a blueprint should complement a business continuity plan and outline practical measures to take in the event of a cyber attack, including how to retrieve back-up files, nominating who should have access to any systems and accounts, communicating with clients and stakeholders, and determining who can delegate and make decisions during the crisis phase.
3. Focus on cybersecurity hygiene: Using safe passwords, implementing multiple-factor authentication (MFA) as proof of identity to protect against unauthorised access to your systems, and backing up files and data to the cloud provide a level of cyber safety for firms.
4. Change default configurations: For ease of user set-up, software manufacturers often use default settings, including set passwords, that can be easily accessed by hackers on the internet. “It’s one of the biggest mistakes SMEs make,” Sumeet says. “It’s kind of like leaving the door key under the mat, but then putting a sign on the mat saying the key is under the mat.” Customising configurations with the support of an IT specialist can make a big difference.
To pay or not to pay?
When it comes to ransomware attacks, government agencies such as the Australian Cyber Security Centre favour a no-pay policy. Paying money does not guarantee you’ll regain access to systems and data, and known ‘payers’ are often the subject of repeat attacks.
Sumeet and Anu Kukar, both CAs, support that approach. But they also warn that a lack of planning – including not backing data up to the cloud – can put targeted businesses in an invidious position.
Without access to data, operations can stall or collapse.
Another point for businesses to consider if they do pay ransomware perpetrators, says Anu, is the criminal activities that such payments can fund. She warns that ransomware payments have been linked to financial crime or human trafficking – which could lead to reputational damage.
The better option is to plan ahead. Three key questions organisations should ask themselves in preparation for potential ransomware attacks are:
1. Have we defined and agreed our decision-making process when a ransomware attack occurs?
2. Have we considered the local and global regulatory implications and reporting notification requirements for paying ransomware?
3. What is our average number of days to detect and respond to bring our business back up and running?