Craig McDonald 13 April 2021 09:31:14 AEST 11 MIN READ

The dreaded 3am phone call: Lessons from the cyber-attack on Nine Entertainment Co.

It’s been called the “largest cyber-attack on a media company in Australia's history," something that has never been seen before in the country. 

Ever since news of the cyber-attack on Nine Entertainment Co. broke, it continues to dominate and sharpen local narratives on cybersecurity, fueled by unconfirmed speculation about the identity and motives of Nine’s attackers. Some reports claim a foreign regime is indicating its displeasure with Nine’s coverage of its actions, while others suggest that because media environments are typically not that mature in cyber, this “major cyber event could potentially have been triggered by something as clumsy as an employee clicking on an infected phishing email”. 

Source: The Conversation 

But beyond the drama and enticing headlines, the Nine hack contains valuable lessons and reminders for navigating today’s complex cyber threat landscape. It’s critical to recognise these, because the cyber risks facing Australian organisations today have never been higher. In the first few months of 2021 alone, reports have been rife of local cyber-attacks, including those on Parliament House in CanberraMelbourne-based Eastern Health,  RMIT universityTaylors Wines and Australian National University. The scope and nature of each of these attacks is different, but they all point to one fundamental message – that cybercrime is becoming even more opportunistic, targeted and sophisticated.    

Here are a few reminders and lessons from the Nine hack that can help us keep our businesses protected in this period of heightened cybercrime: 

1. A timely reminder that we “cannot be complacent about cyber-attacks” 

Many politicians, experts and leaders have identified that the cyber-attack on Nine reflects the new reality facing corporations today, warning us that we need to be prepared to mitigate the cyber risks facing our companies, customers, employees and data. Assistant Minister for Defence Andrew Hastie said he was “not surprised” about the attack, adding that it was a warning to all businesses that they need to be aware of potential cyber threats: “This is a timely reminder that Australians cannot be complacent about their cyber security. Cyber security is a team effort and a shared responsibility. It is vital that Australian businesses and organisations are alert to threats and take the necessary steps to ensure our digital sovereignty.” 

Similarly, Rachael Falk, Chief Executive of the Cyber Security Cooperative Research Centre, said that the attack is “a timely reminder for everyone…that you cannot be complacent about cyber-attacks. If it can happen to Channel Nine, it can happen anywhere, because we all run on connected systems." 

Admittedly, every cyber-attack is a crucial reminder that the war on cybercrime is far from over. But this unprecedented attack against one of Australia’s mainstream media organisations is particularly painful because it hits so close to home. The esoteric idea of a looming cyber threat suddenly gets very real when it impacts the weekend shows we are watching on TV, or the news we access online. It shows us how vulnerable and fragile systems are, even the critical systems we rely on daily, making it even more imperative that we recognise the severity of the cyber threats facing our businesses and do everything we can to protect them.  

2. Dealing with the dreaded 3am phone call 

It’s any CEO’s worst nightmare – being woken up around 3am by a phone call on a weekend and being informed of a “sophisticated and complex” cyber-attack that was impacting multiple key operations across the nation. But the situation was decidedly worse for Nine’s incoming chief executive Mike Sneesby, who received the call even before he had officially taken over the role. The disruptions that he and his team had to deal with were massive.  

Reports state the computers at Channel Nine in Sydney began “acting strangely on Saturday”, the 27th of March. “By Sunday morning, as the Today show was gearing up to go to air, many of them didn’t work at all. A sweeping attack had hit the corporate network, paralysing its systems,” the Sydney Morning Herald reported. The assault not only disrupted Nine’s ability to broadcast programs in Sydney, it also “threw the print production of its newspapers - The Age, The Sydney Morning Herald and the Australian Financial Review - into disarray…Every part of the business was affected, including payroll, and staff were told not to open suspicious emails or messages on social media platforms such as LinkedIn.” 

A spokesperson for the company said that following the attack, Nine took “many of its publishing, broadcasting and corporate systems offline, including systems not known to be directly affected by the attack, and forensically going through them looking for signs of intrusion, as well as for back doors that could let attackers back into those systems once the initial attack was resolved.” Making the best of a bad situation, Nine producers and teams reportedly resorted to “whiteboards and textas” to plan bulletins when the technical broadcast tools they usually relied on failed. 

Nine’s director of people and culture Vanessa Morley warned that the company’s systems may not be fully restored for some time and instructed staff to work from home indefinitely. Producers were flown to Melbourne for the week and an NRL commentary panel was told to drive to Newcastle to broadcast the football as part of a series of contingencies. At the time of writing, Financial Review editor-in-chief Michael Stutchbury said staff are now able to work in the newspaper’s Sydney office, but offices in other cities are still without Internet access and have to work from personal hotspots. It was also reported that while “technology staff at Nine worked through the Easter weekend to bring the company back online after a serious cyber-attack…it will still be weeks before computer systems are fully restored.”  

These operational and business disruptions to Nine’s operations are examples of the widespread consequences of cybercrime, resulting in ripple effects that are likely to extend far beyond immediate financial costs. Time will tell whether the company’s leaders handled these disruptions effectively, but it’s key to recognise them as urgent reminders of the need to have strong incident response and contingency plans in place in case of a crippling cyber-attack. Being hit by a cyber-attack is no longer a question of ‘if’, but ‘when’, making it vital that businesses have set processes in place that ensure business continuity, enabling them to recover with minimal loss and to set a process in place to save mission-critical data from being stolen and/or destroyed.  

Describing the days following the attack and how her company scrambled to keep operations running, Gay Alcorn, editor of The Age said that: “Who organised this attack is not yet clear, but it is a wake-up call for businesses and governments that this kind of disruption is likely to become more common. This was a sophisticated attack, which seriously affected one of Australia’s biggest media organisations.” 


3. Bolstering our defenses 

Details are yet to emerge about the exact nature of the attack and whether it was, like experts speculate, indeed a ransomware attack, but what is clear is that it has renewed conversations around the country’s cybersecurity posture. From experts commenting on the need for organisations like Nine to be more transparent around the cyber-attacks that impacted their systems, to reports circulating that Australia is proving to be a softer cyber target than expected, the Nine attack has led to increased enthusiasm around cybersecurity and the need to be cyber resilient across all industries.  

For example, in an “unusually forthright assessment” of the cyber challenge facing organisations during the Financial Review’s Banking Summit (which took place shortly after the Nine hack), leaders described “cyber-attacks as the biggest single threat facing banks today”. Westpac CEO Peter King said the company had seen a “massive increase in scams”, adding that his bank was educating staff and customers about ways to reduce cyber risks and was extending monitoring to its myriad third-party suppliers.  

“Organised crime does try and get people into companies, so you have got to look at who you hire often. One of your weaknesses is your people clicking on emails. We call it phishing of [staff] or, if you’re a high-profile target, they talk about it as whaling,” he said.  

It has been speculated that malicious emails were, in fact, a potential attack vector in the Nine hack. A Financial Review article written shortly after the cyber-attack stated that “based on past experience at other companies, there is a high probability this attack started with a phishing email,” adding that “the cyber disruption at Nine comes in the midst of a wave of criminal and nation-state attacks that take advantage of employee ignorance of phishing emails.”   

Cybersecurity is increasingly being recognised as a priority among boardrooms, but the cyber-attack on Nine has pushed it higher on the executive agenda. It’s critical we leverage this enhanced focus on cybersecurity to continue proactively reviewing and enhancing our own cyber resilience plans, including bolstering our email security posture. The cyber-attack on Nine may or may not have been an email-borne one, but ample evidence exists that malicious emails are one of the top cyber threats facing organisations today. 

Nine out of 10 cyber-attacks start with an email, even when most businesses have an email security solution in place. Precisely because email is a critical tool and arguably the most important means of communication among many businesses, it is imperative for businesses to consistently review their email security strategies to ensure they’re doing all that they can to stay safe. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at     

As a CEO, I shudder to think of what Nine and the people at the centre of it all, went through during this time. Having personally gone through a vicious cyber-attack in my previous company, my heart goes out to them. But it’s also why I urge all business leaders to not let the high-profile nature of this attack dilute the gravity of its underlying messages and lessons. If the disruptions caused by the pandemic in 2020 reminded us how fundamental cybersecurity is to business continuity, the disruptions caused by the many cyber-attacks in 2021, including the Nine hack, are warnings that we need to up our cybersecurity game and continue bolstering our defenses.  

Or risk being the next CEO to be woken up at 3 am by the dreaded phone call.  

What other lessons do you think business leaders can learn from the recent cyber-attack on Nine Entertainment Co.? Share your comments below.