Retailers have long been favorite targets of cybercriminals, and today’s burgeoning cannabis retail industry in the United States and Canada is particularly ripe for cyberattacks. Cannabis retailers are attractive targets not only for the customer data they hold but also because they operate in a young and rapidly growing industry, where many have not yet incorporated mature cybersecurity practices into their businesses.
Cybercrimes Targeting the Cannabis Industry
– Email-based attacks: Most cyber compromises result from attacks targeting employees, contractors and third parties with access to a company’s network. Today’s phishing emails are extremely credible and often the product of a previous compromise of a co-worker, customer, vendor, business partner or another person the recipient trusts. All businesses are susceptible, but companies just starting out with a relatively new workforce, like many marijuana retailers, face a higher risk.
– Ransomware attacks: Ransomware attacks are more sophisticated than the cyber “smash and grabs” that I witnessed during my days as a special agent with the FBI. Ransomware has evolved to the point where it is usually deployed only after cybercriminals have already infected the corporate network with a loader or banking trojan such as Emotet, Trickbot, Bokbot, Dridex or Qakbot, typically by getting an end user to click a link or open a malicious attachment in an email, and have used that initial foothold to spread across the network.
– Cyber extortion: Because cannabis dispensaries deal in a controversial commodity, they should be especially aware of cyber extortion threats. Cyber extortionists are constantly seeking sensitive data they can use to threaten victims with exposure if a demand (usually paid in cryptocurrency) is not met.
– Video surveillance and the Internet of Things: All U.S. states that have legalized marijuana sales require retailers to incorporate video surveillance in their facilities. While internet-connected video surveillance equipment and data storage offer the convenience of remote access and monitoring, the cybersecurity risks associated with these devices are often overlooked: cameras and network video recorders frequently ship with default credentials, run firmware that is never updated and are exposed directly to the internet for remote viewing. They should sit on their own network segment, with no inbound exposure, and be accessed through the same VPN and MFA controls as any other corporate system.
Cannabis retailers that grow and cultivate plants face additional risks related to the Internet of Things. For example, a company able to access a competitor’s internet-connected environmental systems could create conditions to effectively cause a crop failure.
– Cash-based and nontraditional financial transactions: Marijuana is still classified as an illegal, Schedule I drug under the U.S. Controlled Substances Act; as a result, most federally regulated banks in the United States will not conduct transactions for cannabis businesses. Accordingly, cannabis retailers have been exploring alternatives to the pure cash transactions that dominate the industry. Some options include online payment systems that use payment cards connected to specific cannabis mobile apps, private banks (not federally regulated), marijuana-specific point-of-sale systems and cryptocurrencies. Each of these introduces its own attack surface, such as the payment app and its back-end API, the point-of-sale terminal and the wallets and private keys that hold cryptocurrency, and each is a target for theft by cyber tactics.
Creating a Strong Cybersecurity Strategy
Developing a strategy based on the three pillars of cyber security — people, policies and technology — can help cannabis businesses reduce their vulnerabilities and mitigate the various threats targeting their networks.
First Pillar: People
End-users are the primary vector for cyberattacks; however, employees can also be your first line of defense if you:
– Educate employees on current attack trends;
– Implement a security awareness training program and deliver training to all levels of employees; and
– Build training programs that incorporate simulated phishing and social engineering attacks modeled on the lures favored by cybercriminals.
Second Pillar: Policies/Processes
Cybercrimes are often successful because organizations do not have mature cybersecurity policies or security processes are not being followed.
Here are some policy/process suggestions:
– Password policy: Credential theft and password reuse are among the most common avenues that cybercriminals leverage to get access to a victim’s network. Due to the sheer volume of data breaches over the years, there are now billions of stolen emails and passwords being traded on dark web forums. A password policy should therefore require a unique password for every system, screen new passwords against lists of known-breached passwords before accepting them, and provide a password manager so that employees can comply without writing passwords down.
– Multi-factor authentication (MFA): Access requests should be authenticated through a second factor such as SMS, push notification or a hardware token. Not all factors are equal: SMS codes can be intercepted through SIM-swap fraud, and push notifications can be approved by a fatigued user after repeated prompts, so prefer hardware tokens or other phishing-resistant methods for administrators and remote access.
– Acceptable use policy: Restrict employees’ access to freely surf the internet and visit suspicious websites, which can pose a risk to your network.
– Least privilege policy: Only provide employees with access to the platforms and databases on your network that they need to perform their responsibilities. Restrict administrative rights to only those who absolutely need them, which reduces the exposure of sensitive data if an account with limited access is compromised.
– Encryption policy: Some states that have legalized cannabis for medicinal purposes require dispensaries to use encryption when reporting transactions to the appropriate state health or cannabis commissions. Marijuana retailers should establish a policy that requires encryption of sensitive data at rest on their network and in transit. Note that encryption at rest does not protect data while an application is processing it: memory scraper malware targets the plaintext card data that a point-of-sale application holds in memory, which is why payment terminals that encrypt card data at the reader (point-to-point encryption) are the usual mitigation.
– Bring-your-own-device (BYOD) policy: Either restrict the use of personal devices for business or enforce the use of a virtual private network (VPN) when connecting to a corporate network.
– Incident response plan: At a minimum, the incident response plan (IRP) should define what constitutes a cyber incident and identify the members of the incident response team as well as their assigned roles and responsibilities. An annual table-top exercise, facilitated by independent cyber experts, will enable the incident response team to practice how they would respond to a cyber incident in accordance with the plan.
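The password policy bullet above calls for screening new passwords against known-breached lists. The following is an added example, not code from the original article or from Kroll, showing how that screening is done without sending the password anywhere: the host computes the SHA-1 of the candidate, sends only the first five hex characters to a range lookup, and compares the returned suffixes locally (the k-anonymity pattern used by the Have I Been Pwned Pwned Passwords API). The breach corpus here is a constructed stand-in of a few hashes so the example runs offline; the `hibp_range_lookup` function shows the equivalent live query and assumes network access.

```python
"""Screen a candidate password against a breached-password corpus with a
k-anonymity range lookup: only the first 5 hex chars of the SHA-1 leave the host."""
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus: SHA-1 digests (upper-case hex, the
# format the HIBP range API returns) of a few passwords that do appear in public
# dumps. A real deployment would use the live API or a local copy of its list.
LOCAL_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Welcome1", "letmein")
}

RangeLookup = Callable[[str], Dict[str, int]]


def local_range_lookup(prefix: str) -> Dict[str, int]:
    """Offline range query: every suffix in LOCAL_CORPUS whose digest starts
    with the 5-char prefix. The count is a placeholder (1); the live API
    returns how many times the password was seen in breaches."""
    prefix = prefix.upper()
    return {h[5:]: 1 for h in LOCAL_CORPUS if h.startswith(prefix)}


def hibp_range_lookup(prefix: str) -> Dict[str, int]:
    """Live query of the HIBP Pwned Passwords range API (assumes network access;
    not exercised by the offline demo). Response lines look like SUFFIX:COUNT."""
    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    out: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix:
            out[suffix.upper()] = int(count or 0)
    return out


def breach_count(password: str, lookup: RangeLookup = local_range_lookup) -> int:
    """Return the number of breach sightings for the password (0 if unseen).
    The full digest is never transmitted: only the prefix goes to the lookup."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def check_password(password: str, min_length: int = 12,
                   lookup: RangeLookup = local_range_lookup) -> List[str]:
    """Apply the policy: minimum length plus breach screening.
    Returns a list of problem codes; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append("too_short")
    if breach_count(password, lookup) > 0:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("Welcome1", "ab3-Tr0ut-lamp-Wiring"):
        print(candidate, "->", check_password(candidate) or "ok")
```

In production, swap `local_range_lookup` for `hibp_range_lookup` (or a local copy of the hash list) and run the check wherever a password is set or changed, including the password-reset flow and any service accounts on point-of-sale systems.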
Third Pillar: Technology
Many effective technical solutions exist that can help cannabis retailers protect their networks and alert responders to suspicious network/endpoint activity.
Some of these essential tools and best practices include, but are not limited to, the following:
– System hardening: Configuration changes that reduce the attack surface, such as disabling unused services and accounts, removing default credentials and turning off features like Office macros that are not needed for business.
– Patch management: Installs security updates for hardware and software assets in a timely way.
– Firewall: Controls which traffic may enter and leave an organization’s network and its internal segments.
– Intrusion detection system (IDS): Monitors a network for malicious activity or policy violations.
– Endpoint detection and response (EDR): Monitors processes on network computer endpoints for suspicious or malicious activity.
– Data loss prevention (DLP): Monitors, detects and blocks sensitive data in use, in transit or at rest in order to prevent data leakage.
– Mobile device management (MDM): Monitors, manages and secures employee mobile devices.
– Dark web monitoring: Searches the dark web for personal information, stolen credentials, intellectual property, etc.
– Third-party risk assessment: Assesses the security program maturity for third-party organizations that access or store data on an organization’s behalf.
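The EDR bullet above says only that endpoint processes are monitored for suspicious activity. The following is an added example, not code from the original article or from Kroll, of one such detection written against the delivery chain described earlier in this article: a malicious Office attachment whose macro launches PowerShell or another script host to fetch the trojan. The rule flags any Office application spawning a script host and raises severity when the command line carries an encoded PowerShell command or a download cradle. The event records are constructed samples with Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`); the host and user names are made up for the example.

```python
"""Detect the Office-to-script-host process chain used by macro-based loaders,
run over constructed process-creation events (Sysmon-style field names)."""
import re
from typing import Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# PowerShell accepts abbreviated switches, so -e, -ec, -enc and -EncodedCommand all count.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)")
# Common download-cradle markers in a command line.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|https?://")


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict if the event matches the rule, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    severity = "high"
    reasons = [f"{parent} spawned {child}"]
    if ENCODED_PS.search(cmd):
        severity = "critical"
        reasons.append("encoded PowerShell command")
    if DOWNLOAD_CRADLE.search(cmd):
        severity = "critical"
        reasons.append("download cradle in command line")
    return {"host": event.get("host"), "user": event.get("user"),
            "severity": severity, "reasons": reasons, "command": cmd}


def detect(events: Iterable[dict]) -> List[dict]:
    """Run the rule over a stream of process-creation events."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events: one macro launching encoded PowerShell, three benign
# Office-related launches, and one macro dropping to cmd.exe.
SAMPLE_EVENTS = [
    {"host": "POS-01", "user": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAo"},
    {"host": "POS-01", "user": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\Invoice.docm"'},
    {"host": "POS-01", "user": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"host": "FRONT-02", "user": "CORP\\asmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --single-argument https://example.com/"},
    {"host": "FRONT-02", "user": "CORP\\asmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c start /min C:\Users\Public\update.vbs"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "; ".join(alert["reasons"]))
```

The same logic ports directly to a SIEM or EDR query language; the point is the parent/child pairing, which survives changes in the malware family, plus the command-line markers that distinguish a macro fetching a payload from routine Office helper processes such as the print spooler.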
Know Your Cyber Risks
To build an effective cybersecurity strategy, cannabis businesses must know the specific threats to their industry and what critical business data is being maintained on their network. A risk assessment conducted by independent cybersecurity experts can identify the various measures needed to be in place to satisfy the three pillars of cybersecurity and the pragmatic steps that can mitigate any identified vulnerabilities. Penetration tests and vulnerability scans can also provide valuable insight into network weaknesses just waiting to be exploited by cybercriminals.
Matthew Dunn is an associate managing director in Kroll’s Cyber Risk practice, based in Nashville, Tennessee. He serves Kroll’s clients with a combination of professional experiences garnered in his decades of service with the FBI, as well as in the practice of law, handling litigation matters in both federal agency and private practice contexts. While with the FBI, many of his assignments involved global investigations, which informs his perspective on cyber and other threats. The insights and best practices in this article are discussed in more detail in the author’s report, “Growing Cyber Threats Against Cannabis Retailers,” which can be downloaded via Kroll’s website.