The cannabis industry holds a treasure trove of customers’ private information and business intelligence. This makes your business a prime target for cyber-attacks and/or surveillance, as both hackers and other entities are clamoring to acquire this treasure.
Turn on the news, pick up a newspaper or read your social media feed—and you are certain to learn of the latest cyberattack. Hackers who previously targeted corporations now set their sights on the SMB (Small to Mid-Size Business). We’ll explore the problems (and the process) needed to become secure, and the importance of allocating resources to protect customer and business data. By the end of the article, you’ll understand why it is so important to take cybersecurity seriously.
The proverbial ‘SMB Mistake’
Whenever I speak to SMBs about the importance of cybersecurity, the question I’m often asked is: “Why would a hacker want to break into my system?” At which point I think to myself, “The same reason a bank robber would want to break into a bank… because there is value inside.”
Unfortunately, all too often the first mistake many SMBs make is underestimating the value of their data. When a bank considers securing their facility, they hire experts to assess their weaknesses and apply the necessary measures to mitigate risk, protect assets, and respond to robberies. Risk mitigation measures may include security cameras and guards (and not the Barney Fife-Type guard from Mayberry, who carried one bullet in his holster; but real, 45-caliber-carrying, scary-looking, 250-pound, muscle-bound, crossfit-looking, former Navy SEAL-type guards), while protection devices could be locking mechanisms and vaults, and response procedures could include triggering a lockdown.
Today I will cover four reasons why (and how) hackers target the cannabis industry, and methods used to exploit the vectors mentioned.
Sit back and relax as we delve into the underworld of cyberspace.
As detailed in the video below, in January of 2017 it was reported that MJ Freeway, a Denver company (whose “seed-to-sale” tracking software is used by hundreds of cannabis companies to comply with state regulations) was compromised by a cyberattack.
Hackers will often target less secure applications to gain access into a company’s network. It is imperative that software/application developers keep their applications updated and develop with the latest security measures in mind. Failure to do this will result in more compromised networks. This will put both your business and customer data at risk. Keep this in mind when looking to purchase third-party software to run your business.
#1 Valuable Information
Remember the first mistake, that SMBs underestimate the value of their data? Well, this statement rings true throughout the entire SMB market and is not relegated only to the cannabis industry. You do not have to be a large corporation to house valuable data. And just because you are a large corporation doesn’t mean your data is more valuable than small business data.
As acceptance of the cannabis industry becomes more mainstream, the amount of data on the systems used to run the business will grow exponentially. Consider the abundance of information stored on your systems at any given time:
- Patient Information
- Order History
- Intellectual Property
- Research & Development
- Customer/Patient Names
- Dates of Birth
- Phone Numbers
- Driver’s License Numbers
- Social Security Numbers
- Medical Information
- Credit Card Numbers
- Transportation & Route Information
- VIN Numbers
- License Plate Numbers
- …and more
“The first mistake made by SMBs is that they underestimate the value of their data.”
Personal Identifiable Information (PII) is defined by the U.S. Government as any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data. Think names, SSNs, Birth Dates, Addresses, etc.
Protected Health Information (PHI) is defined by the U.S. Government as any information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity (or a business associate of covered entity) and can be linked to a specific individual. Think patient name, address, certification/license numbers, medical record numbers, health related information, account numbers, SSNs, etc.
Government mandates have been enacted to ensure that both PII and PHI of consumers is protected, secured and kept private. The two most prevalent of those mandates being the Payment Card Industry Data Security Standards, or PCI-DSS (which states that any business responsible for accepting, processing, transmitting, or storing credit card information must adhere to the PCI-DSS for data security) and the other being the Health Insurance Portability and Accountability Act, or HIPAA (which ensures the security of protected health information and electronic health records).
And we must not forget Business Intelligence. This is information related to the operation of the business that, if compromised, could cause irreparable damage. Think research and development, inventory, potency, homogeneity, terpene profile, solvent analysis, microbial and pesticide data, software applications used in the business, payouts, manifests, equipment, sales, etc.
As you can see, the cannabis industry stores a lot of valuable information that could prove very profitable to an attacker.
#2 Multiple Points of Entry
Just as a bank may have multiple doors from which customers enter, or even a ventilation system that could be used to gain access (like Tom Cruise in Mission Impossible), your network has multiple points of entry from which a hacker could gain access. In the cybersecurity field, we refer to these as attack vectors, and there are many. I’m listing the more popular ones below to give you an idea of how a hacker may compromise your system:
- Email: The #1 entry point into your network is also often difficult to discern between real and fake. They may contain a malicious attachment, a link to a malicious website, or an attachment that contains a malicious link embedded within it.
- Web: Hackers will routinely compromise websites that, upon being visited, will download malicious files to the victim’s computer. One of the more popular techniques is what is called a drive-by
- USB Devices: Be cognizant and ensure external devices are scanned for viruses regularly. Inserting an infected device into your computer can compromise your entire network.
- Mobile Devices: Staff who connect personal laptops to the company’s network or who use company laptops on their home network put the security of your data at risk. Also consider your policy on mobile devices (phones, iDevices, etc.) as the new BYOD (Bring Your Own Device) workplace has become a hotbed for hackers.
These are but a few of the more popular methods by which a system can be compromised. Implementing mature countermeasures to thwart these types of attacks will mitigate your risk and thereby enable an effective and efficient response.
In February of 2018, Washington State’s marijuana traceability application was hacked. The intruders were able to access and steal route information, manifests and vehicle transport information such as license plate and VIN numbers.
Besides theft of customer information, hackers will compromise networks to steal business intelligence. Whether to sell on the Darkweb, to sell to your competitor, or for their own personal gain, there are numerous reasons to steal this information. Having a mature security posture in place that can detect these attacks is a key element in keeping your data secure and free of prying eyes.
#3 Immature Security Posture
Unfortunately, when it comes to cybersecurity, companies fail to invest the necessary capital needed to ensure the security of their digital assets. From fortune 100 companies to the SMB, this problem transcends the size of the company. Now, consider the cannabis market: an industry in its infancy with regards to mainstream acceptance and an established IT Security infrastructure. If large corporations face resource challenges, it’s fair to say that the cannabis industry will experience similar challenges.
#4 Untrained, Underfunded or Understaffed Security Team
The cybersecurity industry is currently challenged with a shortage of qualified individuals to combat, defend and respond to the number of threats. Therefore, supply and demand logic dictates that where there is a low supply within a high-demand economy, prices of that product or service will increase. As such, security professionals command high (six-figure) salaries, constant training to keep skills relevant, and resources/tools to do their jobs. This is a huge expense for a company.
What to do
So what can you do? First and foremost, I hope that you have a better understanding of why the cannabis industry makes for a good target. Secondly, I hope that you take action. Here are some recommendations for establishing a solid cybersecurity posture:
- Keep systems and applications patched and updated
This is one of the most overlooked areas of data security. Hackers exploit vulnerabilities. Vulnerabilities are fixed by patches/updates.
- Install a good anti-virus (AV) program
Although it should be augmented with other solutions, having a good AV solution is considered one of the first steps in securing your data.
- Implement User & Entity Behavior Analytics (UEBA)
Many of today’s threats can bypass the best anti-virus solutions. Having a mature UEBA capability will enable your staff to be alerted on those threats that get past your AV and/or those zero-day threats that AVs do not yet know about.
- Integrate a Security and Information Event Management (SIEM) Platform
A SIEM is an application/platform that will ingest all your security logs from each of your devices and applications, apply sophisticated algorithms, and make intelligent decisions to alert your security staff as to the state of your network, and if you have been compromised.
- Monitor your network 24x7x365 via a Security Operations Center or other means
In my 30 years in Information Technology and security, I have YET to hear a hacker say, “Okay guys—pack it up. Everyone is gone for the day. Let’s pick it up tomorrow where we left off.” The reality is, attacks are happening throughout the day and into the night, every day, every night, all year, every year. Therefore, the state of your network must be monitored accordingly.
- If you do not have the resources to hire in-house staff to manage the above recommendations, outsource it to a reputable MSSP.
Businesses must understand that investing in cybersecurity is no longer an option. It is a necessity, and as such, needs to be included when making financial and resource allocation decisions. Failure to invest securing your data will result in not only a compromise of your network, but loss of data, customer trust, revenue, fines, etc. MSSPs provide an affordable way for businesses to address this problem.
The cannabis industry stores tons of valuable information that is very lucrative to attackers. Hackers will steal this information through various means, utilizing multiple attack vectors as entry points. They will use everything at their disposal to take advantage of the immature security posture of the industry by exploiting vulnerable systems.
Unfortunately (and by no fault of the owner or staff), many of these systems are being monitored by untrained staff, or not being monitored at all. And while data security is not a focal point of business owners within the industry, certain aspects and stages of the supply chain are subject to government security compliance standards. For example, if you accept credit cards, you are required to follow the PCI-DSS. If you store patient/medical information, you are subject to follow the standards set forth by the HIPAA.
We envision a more secure industry through education and implementation, as well as the protection and privacy of data belonging to both the consumer and the business. BLAZE™ is a Managed Security Service Provider (MSSP), providing affordable cybersecurity solutions to the cannabis industry. We manage all data security and government compliance requirements, as we ensure the security and compliance of customer’s private information as well as your business intelligence.
About the Author
MITCH HARRIS is a former government cyber-intelligence and counter-surveillance expert. He has worked matters of national security for almost every three-letter agency within the federal government. In 2003 his family was delivered devastating news as a loved one was diagnosed with Lymphoma/Cancer. For two years he watched her suffer before succumbing to the disease in 2005. Compelled to research alternative methods, Mr. Harris discovered the healing properties of cannabis. In 2013 his family was once again blindsided with life-altering news as another loved one was diagnosed with the disease. Determined not to have history repeat itself, he suggested cannabis as a supplemental treatment and pain reliever. That loved one is not only managing their pain, but has lived cancer-free for the past five years. Wanting to give back to the industry that had given him so much, Mitch subsequently left the federal government – leveraged his training, expertise & knowledge and started BLAZE™ Cybersecurity. As president of BLAZE™, his mission is to help foster the growth of the industry through securing the integrity and privacy of the data, intellectual property, and business intelligence needed for cannabis businesses to be successful.
For more information on BLAZE™, visit our website at blazecybersecurity.com or drop us a line at (866) 249-6373. And be sure to follow us on social media.