Cannabis Buyers Are Uniquely Vulnerable To Cyber Attacks

Experts in the field of cyber security say North America’s emerging cannabis industry, and its customers, could be especially vulnerable to hacks and extortion. 
 
Cities like Baltimore, as well as the state of Georgia’s court system, and Lake City, Florida, have been the recent targets of sophisticated ransom ware infections, with attackers demanding payment to stop their disruption of crucial municipal data systems. 
 
Officials in Lake City, facing the potential loss of the entire city’s information systems, paid a $460,000 ransom. Baltimore refused to pay a $75,000 ransom and is now dealing with an $18 million cleanup job. Cyber security experts say the legal cannabis sector offers a tempting target for online criminals.
 
“Any type of new business or new industry is definitely going to be vulnerable,” says Matthew Dunn, associate managing director of the cyber risk practice at Kroll, a corporate investigations and risk consulting firm based in New York.
 
Speaking to the cannabis industry journal Leafly he said Bad guys always seem to be a step ahead of us when it comes to technology..... Legitimate businesses and legislators are playing catch-up on how to go ahead and build defenses to combat those techniques that are being used against them.”
 
Everything Online, Everything Vulnerable
As more cannabis businesses come online and use state cannabis tracking systems, accounting apps, and point-of-sale software, they also present themselves as targets for cyber criminals.
 
Recent Cannabis Attacks
That vulnerability isn’t merely theoretical. These are just a few of the break-ins made public over the past few years:
  •  In Calgary, Alberta, hackers accessed the personal health records of a medical cannabis referral agency in late 2018.
  • In November 2018, hackers breached the privacy of 4,500 Ontario Cannabis Store customers through a weakness in Canada Post’s tracking website.
  • In 2017, the California cannabis delivery service Eaze confirmed that a former employee of a medical cannabis clinic broke into the patient database of both the clinic and Eaze.
  • Also in 2017, the cannabis tracking system MJ Freeway suffered two cybersecurity breaches within a period of six months.
  • In early 2018, Washington State’s cannabis traceability database was hacked; the intruder stole product transfer and manifest data.
Cyber Extortion Thrives on Stigma
The cannabis industry is also vulnerable to some unique forms of cyber extortion.
“Let’s say bad guys are able to get a hold of a database of cannabis customers at some type of retail dispensary,” said Dunn. “Some of these customers may not want the public to know that they are utilising cannabis, even if it’s legal. If they’re in the public limelight, if it’s something with their employment, whatever it may be.... Criminals know this, and if they can…utilise this information to try to extort money from them to keep their silence, then they’re going to do it,” he added. “It’s similar to the things we’ve seen in the past with ‘sextortion’ kinds of cases.”
 
The Cost of a Hack
Even without extortion, the cost of cyber-crime can be tremendous. Research done last year by IBM and the Ponemon Institute found that, on average, a data breach costs a business close to $4 million, with a nearly 30% likelihood that an affected business will experience another data breach within two years.
 
A Cash-Driven Business
Dunn believes cyber-attacks can be even especially devastating for legal cannabis companies, many of which are cash-driven and don’t have access to insurance, bank loans and the other safeguards that can keep a besieged mainstream business financially afloat during a crisis.
 
For a cannabis business, Dunn  says, “If you are suffering some compromise to your network, and if you have to spend a fair amount of money to go ahead to contain it and remediate it, there may not be enough revenue left for you to continue to operate that business.”
 
Three Pillars of Security
Many firms, according to Dunn, view cyber security as a purely IT problem. But they fail to realise that most cyber-attacks are “end user-based,” meaning they go after individuals within a company. As a result, cannabis retailers need to educate their work force about what Dunn calls the Three Pillars of Cyber Security:
 
People: Training company staff to understand that they’re the first line of defense against cyber-attacks. Cannabis businesses, Dunn says, “have got to educate their employees that they are being targeted every single day. You’ve got to educate them not to click on every link that comes in, or open attachments without absolutely confirming that it’s coming from a trusted individual.” That includes executive-level staff.
 
Policies/Processes: One of the most common ways for cybercriminals to hack into a victim’s network is by stealing passwords and credentials. Cannabis businesses should also think about developing so-called acceptable use policies on company computers. Employees freely surfing the internet from a corporate network, Dunn said, can unknowingly download malware and other programs that can disrupt trade or compromise sensitive information.
 
Technology: Hardening a network from cyber-attack via firewalls, anti-virus software, security updates for hardware, as well as monitoring malicious activity or policy violations, is a must, Dunn says.
 
Leafly
 
You Might Also Read:
 
Dark Web Dealers Voluntarily Ban Deadly Fentanyl:
 
 
 
« Cyber Criminals Are Targeting Latin America
Business Is Starting To Believe That AI Is The Best Defence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

NCX Group

NCX Group

NCX Group is committed to helping customers identify and mitigate the risks inherent in today’s interconnected environments and business processes.

Riverbed Technology

Riverbed Technology

The Riverbed Network and Application Performance Platform enables organizations to visualize, optimize, accelerate and remediate the performance of any network for any application.

Institute for National Security and Counterterrorism (INSCT)

Institute for National Security and Counterterrorism (INSCT)

INSCT is a center for the study of national security, international security, and counterterrorism. Research programs include New Frontiers in Science, Cyber, & Technology

ENVEIL

ENVEIL

ENVEIL’s technology is the first scalable commercial solution to cryptographically secure Data in Use.

Future of Cyber Security Europe

Future of Cyber Security Europe

Future of Cyber Security Europe is a European wide event examining the latest cyber security strategies and technologies.

PBOSecure

PBOSecure

PBOSecure is a dynamic and progressive IT consultancy company specializing in IT and Industrial Control System (ICS) security.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

Braintrace

Braintrace

Braintrace’s services include Managed Detection and Response (MDR), Managed SIEM, SIEM-as-a-Service, SOC-as-a-Service, Advisory Services, and Incident Response.

Verificient Technologies

Verificient Technologies

Verificient Technologies specializes in biometrics, computer vision, and machine learning to deliver world-class solutions in continuous identity verification and remote monitoring.

Global Cyber Risk (GCR)

Global Cyber Risk (GCR)

Global Cyber Risk is a technology and advisory services firm that provides first tier cybersecurity services to both large corporations and small and mid-sized businesses.

Marlabs

Marlabs

Marlabs is a Digital Technology Solutions company that helps companies adopt digital transformation using a comprehensive framework including Digital Automation, Enterprise Analytics and Security.

SHe CISO Exec

SHe CISO Exec

SHe CISO Exec is a sustainable global training and mentoring platform in information security and leadership.

Raxis

Raxis

Raxis is a cybersecurity company that hacks into computer networks and physical structures to perform penetration tests, assessing corporate vulnerability to real-world threats.

eaziSecurity

eaziSecurity

eaziSecurity has built an eco-system of technology and services that bring enterprise scale security solutions to the SME marketplace.

DART Consulting & Training

DART Consulting & Training

DART is a leading cyber training and consultancy company. We enhance our clients’ cyber capabilities by growing and strengthening their frontline defense – the cyber teams.