Growing cannabis industry a prime target for cyberattacks

Cannabis is becoming a flashpoint for investment as the U.S. stands on the brink of legalization. Ohio alone is set to open dozens of new medical dispensaries in the coming months, thanks to the release in May of 70 new provisional licenses by state regulators.

The rapid growth of a relatively new industry also makes it a focus for tech-savvy criminals, say Cleveland-area experts interviewed by Crain’s. With a market projected to reach $200 billion by 2028 — per a report from Fortune Business Insights — the bad guys are salivating for a piece of the action.

“When asked why he robbed banks, John Dillinger said, ‘Because that’s where the money is,’” said James Ickes, a Stow-based attorney whose practice guides medical marijuana startups along the path of company formation, application and licensure. “Cannabis companies are doing very well at the present time, which makes them a target.”

Retail operations like dispensaries face unique threat vectors due to the predominance of protected health information in their systems, noted Ickes. In the criminal’s mind, threatening release of personal identification data that people want kept private could result in an easy payout.

Seeing as the majority of the cannabis industry operates in cash, cyber attackers may attempt to disable a dispensary’s security system or cameras for a quick smash-and-grab robbery, said Nathan Sterrett, a certified information systems security professional (CISSP) based in Kent.

“These businesses have money on-site, and a product that people want to steal,” Sterrett said. “It’s hard for (dispensaries) to report the theft to the police because of the nature of the business.”

Whereas ransomware attacks and phishing scams make headlines, it’s not difficult for hackers to breach an internet-accessible door control system, Sterrett added. All it may take is copying an employee security badge with an RFID (radio-frequency identification) reader purchased from Amazon.

“Ransomware won’t impact cannabis the same way as other industries, because those businesses are not taking credit cards,” Sterrett said. “It’s a space where you’re talking about the Internet of Things (IoT) and other cybersecurity challenges that people may not notice. Like cameras or wireless devices where you don’t have to be on-premise to orchestrate an attack.”

IoT’s prevalence in cannabis operations extends to HVAC systems controlling the temperature and humidity in a greenhouse. For any such device, going the low-cost route may leave you open to attack.

“Don’t just buy the cheapest thing you find on Amazon,” Sterrett said. “Look at reviews and buy from a company you trust. Change the default password on devices immediately so people can’t log on to an access point and take over your point-of-sale system.”

Sterrett also suggested using vendor emails for information about potential security issues or software updates. While vendors are better about acknowledging cybersecurity than they were a decade ago, cannabis entrepreneurs still must demonstrate due diligence around the issue.

Industry-agnostic problems like phishing are not uncommon in cannabis, said Ickes, the attorney. Troublemakers often use social media to gather information, then social-engineer intricately detailed emails that contain malicious links. Companies across industries are smart to send test phishing emails to staff, with anyone failing the test receiving additional training around common online dangers.

Although new cannabis enterprises are busy handling their day-to-day operations, savvy entrepreneurs also have the ability to bake security into their organizations from the ground up. Developing a cyber-aware culture should start with security awareness training.

“If top management takes cybersecurity seriously, everyone will take it seriously,” Ickes said. “Dealing with security in the onboarding process is also very important, because many breaches result from insider threats. Avoiding potentially problematic employees on the front end can help you avoid breaches.”

Cannabis employees should feel free to voice concerns over security and privacy, even with something as seemingly innocuous as a strangely worded email. Embedding security into organizational culture will become paramount upon potential passage of the American Data Privacy and Protection Act (ADPPA), a bill regulating how organizations collect, process and store personal information.

The federal privacy bill, which has bipartisan support in Congress, would put the onus on companies to protect customer information. Failure to do so would open businesses to possible liability and exposure — not to mention a reputational hit that could cost them clients.

Ickes said, “It’s hard to claim you can’t expect getting breached when it’s happening across all industries. The bad guys are out there and trying to find new targets all the time. It only makes sense that they’d go after cannabis, because it’s well known how the industry is doing financially.”

Marijuana proprietors layering cybersecurity into their workaday procedures will be ready for the expected market explosion that comes with legalization, Ickes said.

“This is an opportunity to build a culture around security — a mindset you need to protect people’s privacy,” he said. “Building that culture is going to make the organization better, because the legal risk (of cyberattacks) isn’t going anywhere.”

Author: CSN