This time, it was a former employee who sent a company scrambling. In June 2017, the cannabis delivery company Eaze reported that a former employee had accessed their patient data in their electronic medical system, compromising the privacy and security of the company's clients. According to TechCrunch, a source revealed that the hacker held the company’s data for ransom, demanding $70 million to hand it over.
But cybersecurity breaches can be ruinous for any company. This is especially true for a small cannabis company with no IT department or dedicated cybersecurity professionals on staff.
Easy money: ransomware attacks
In recent years, ransomware cyber-attacks have brought the city services of one municipality after another to their knees. In May 2019, a ransomware attack hit the city of Baltimore's government computer systems, shutting down all non-essential services. The city refused to pay the ransom and later said that repairing the damage cost $18 million.
It’s easy to imagine how a similar attack could kneecap a cannabis company, especially a smaller company that doesn’t have the IT infrastructure to counter such a threat.
There are many different types of ransomware attacks, and they are prevalent because they are so easy. Hackers typically launch such attacks by embedding a Trojan in an email disguised to appear like a genuine email. Once the recipient downloads the attachment or clicks on any included links, the gates are open, and the hacker can walk right in.
Ransomware infections can allow hackers to quickly shut down all of a company’s digital operations, including points of sale, inventory management, and online order processing, until a ransom is paid. They can also allow a hacker to access confidential customer data, which can deal a severe blow to the company’s reputation and leave it vulnerable to legal consequences from its customers.
IoT hacking can wreak havoc on cannabis cultivation
Automated systems allow cannabis cultivation companies to reduce workforce needs and grow marijuana with greater efficiency and precision than ever before.
But they can also be a serious point of weakness.
The automated systems that control lighting, irrigation, and feeding are often connected “smart” systems. Part of “the Internet of Things,” these devices are designed to be operated remotely and often hold a treasure trove of data. Unfortunately, operators don’t always install the cybersecurity measures needed to prevent attacks.
As the Federal Bureau of Investigation said in a December 2019 press release, IoT devices “can allow manufacturers, streaming services, and even hackers to open doors into your home.”
The FBI added that “hackers can use that innocent device to do a virtual drive-by of your digital life. Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure.”
A hacker doesn’t need to infiltrate the IoT feeding and lighting systems used by an indoor cultivator. They could simply hack the routers at the facility and use them as a stepping stone to the facility’s critical infrastructure. Pulling off such a hack is likely much easier than you may think.
After all, when’s the last time you changed the default factory password on the WiFi router at your home? There's a good chance you never did, and the average hacker knows this.
A data breach targeting medical marijuana patients
In 2021 alone, attackers compromised more than 40 million confidential medical records in the United States.
Personal information can then be posted to the Dark Web or sold to the highest bidder. These breaches can also make confidential personal health information available to the public, violating patients’ privacy and sense of security. For medical cannabis dispensaries, this could mean the health records of patients who not only value their privacy but may also fear the professional and personal stigma that cannabis patients can still face.
In recent years, these data breaches have led to costly lawsuits against healthcare providers and have posed a severe danger to public health systems. These include a $2.65 million lawsuit filed by employees of the University of Pittsburgh Medical Center following a 2014 data breach.
Large healthcare providers may have the insurance and legal departments to withstand such lawsuits. Small cannabis companies - and even larger ones - may not be so fortunate.
Hacking company secrets - a thriving industry
From state actors in Russia and China to non-state actors working for profit, cyberattacks on intellectual property and trade secrets are big business.
These attacks can be used to gain a competitive edge in a crowded marketplace (like cannabis) and can scuttle even the most well-planned business decisions.
The stakes are clear for multi-state operators looking to expand into a new market or a cannabis innovator developing a new, game-changing device or cannabis product.
Not just physical security - cybersecurity is also key
The Standard Operating Procedures (SOPs) for physical security in cannabis are pretty straightforward. Every dispensary, cultivation, or manufacturing facility must set up surveillance cameras and enforce a protocol for their placement, their operation, and the storage of footage.
The SOPs also clearly define how to manage visitor access at cannabis facilities and check identification at the dispensary door. These guidelines also detail how to respond to employee theft, a robbery, and even an active shooter situation.
But security protocols that focus only on physical weaknesses, and ignore the attacker sitting at a computer hundreds or thousands of miles away, provide only partial security.
How to practice cybersecurity in cannabis
If a company can afford it, bringing in an outside consultant to provide a cybersecurity assessment is wise.
Otherwise, your best bet is to instill a culture of cybersecurity at the workplace.
Make sure to change the default passwords on all points of sale, company emails, websites, and connected devices. Change passwords regularly and encrypt files and company communication as much as possible.
Software companies frequently put out updates after new vulnerabilities are discovered. When you get a prompt to update your device or operating system, install the update as soon as possible so that you are using the most recent version of your software.
Set up two-factor authentication throughout your company infrastructure and keep a tight rein on the number of people who have administrative access to your company processes.
It is also crucial to train your staff not to click on any suspicious links or attachments they receive by email, text message, or social media.
No connected system is secure, and even the most secure companies can fall victim to a cyberattack. But some basic security measures and a culture of cybersecurity in the workplace can go a long way towards safeguarding your dreams in legal cannabis.
The Rootwurks Learning Experience Platform (LXP) includes a host of educational resources and compliance solutions that can boost cybersecurity awareness among your staff and make sure that safe cyber practices are a part of your daily operations.