The $265 Billion Threat to the Cannabis Industry

Most people will remember 2020 as the year of COVID-19, but for many it was the year their business was held hostage.

The twisted and convoluted legal past of the cannabis industry has given cause for cannabis business owners to take their physical security very seriously.

But while the lucrative business of cyber-terrorism is growing, the imminent threat of an attack seems to be something most cannabis business owners are still unprepared for.

Cannabis isn’t the Only Thing Growing

Unless you’re living under a rock, the rise in cyber-attacks has likely been brought to your attention recently.

On May 12, 2021, President Biden signed an executive order to improve the nation’s cybersecurity after a series of major attacks on federal government organizations.

Just a few weeks later, the FBI compared the threat posed by ransomware attacks to 9/11, after two consecutive attacks that shook the oil and meat industries.

The east coast gasoline pipeline operator, Colonial Pipeline, claims to have paid almost $5 million to Russian cyber-criminals in exchange for the decryption key for the DarkSide ransomware injected into their network, while meat firm JBS says it paid out $11 million in Bitcoin after their system was infected with REvil ransomware.

Why are Ransomware Attacks Increasing?

The answer is actually quite simple: Because people continue to pay ransoms.

Ransomware attacks have become an incredibly lucrative business for cyber-criminals over recent years. The dawn of the anonymous exchange of value through cryptocurrencies has made it incredibly easy for cyber-attackers to receive ransoms without revealing their identity.

In 2020, cryptocurrency ransomware payments from victims surged by 311% to reach nearly $350 million, according to Chainalysis, a company that tracks digital transactions on the blockchain.

A graph from chainanalysis.com showing the startling growth of ransom payments made in cryptocurrencies alone in 2020.

Even insurance companies have raised concern that they will not be able to cover the cost of ransoms as the attacks on their customers continue to grow.

Of course, the recent media attention brought to these alarming cyber-attacks makes it difficult for most people to question the threat posed to the nation and its larger corporations.

But what about small cannabis businesses? Surely, they’re too small for hackers to waste their time on?

Think again.

Small Cannabis Businesses Are Not Immune to the Threat

While cyber-attacks on big companies are well publicized by the media, each year there are thousands of attacks carried out on small companies that fall under the radar of the press.

The rapid growth of the $61 billion cannabis industry, which is mostly comprised of small companies (less than 100 employees), creates the perfect opportunity for hackers to exploit network vulnerabilities common to many companies within the space.

It’s not your specific cannabis dispensary or cannabis farm that the hacker decides to attack… It’s the industry as a whole.

In fact, most cyber-criminals understand that under-prepared smaller companies are easier targets since they don’t have sufficient resources to devote to security.

This can be seen by the ongoing cybersecurity research survey conducted annually since 2017 by the Ponemon Institute. The goal of the survey is to track how small and medium-size companies address the same threats faced by larger companies.

In 2019, the third consecutive annual study involved 2,176 individuals from small and medium-sized businesses in the U.S. and the U.K. and, for the first time, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg), and Scandinavia (Denmark, Norway, and Sweden).

Here are some key findings from these annual reports:

  • Every year, more than 60% of respondents have been victims of a cyber-attack.
  • In 2018, 60% of survey respondents that had a data breach said the cause was a negligent employee or independent contractor.
  • The majority of companies are affected by exploits and malware that evaded their intrusion detection system or anti-virus solution.
  • Mobile devices are the most vulnerable entry points to companies’ enterprise systems.
  • The average cost of recovering from business disruption increased from $1.2 million in 2017 to $1.9 million in 2019.

Image taken from the Ponemon Institute’s ‘2019 Global State of Cybersecurity in Small and Medium-Sized Businesses’

A quick look at some of this data makes it clear any organization that isn’t prioritizing cyber-security might as well be playing with fire.

After all, it’s not a question of IF you will get attacked, but WHEN you will get attacked.

How Easy is it to Hack Your Cannabis Business?

You might be thinking, “We use reliable software providers and we have virus protection on our own systems, how can someone possibly hack me?”

While there are many cyber-attacks that look for software vulnerabilities, the majority of attackers understand that it’s much easier to prey on human vulnerabilities. And whether you like it or not, most businesses aren’t run by robots… yet.

Here’s how easy it is to get hacked as a result of human error:

  • 1 visit to the wrong site
  • 1 click on the wrong email
  • 1 employee using the same password for their professional accounts as their personal accounts
  • 1 connection to the wrong charging station at the airport
  • 1 company you work with sends you a corrupt file without even knowing it

At Gigabit Systems we’ve had to deal with all kinds of cases. Most recently, a client of ours who works in cannabis cultivation had an employee (let’s call him James) who decided to leave the company. After finalizing the handover of his email and various other professional accounts, his boss (we’ll call him Chris) had forgotten that James had the password to his professional email account.

James continued to monitor Chris’s email for months after leaving the company, until one day he noticed a transaction was being organized with a customer in the order of $15,000. Right before the customer was due to make the transaction, James changed the password on Chris’s email account, locking him out, and emailed the customer to ask him to wire the funds to his own account. Since the email appeared to be coming from Chris, the customer didn’t think twice and wired the funds straight to Chris’s old employee, James.

Tough day for Chris.

This problem could have easily been avoided if the client had implemented basic security protocols such as routine password changes and multi-factor authentication.

How a Cyber-Attack Could Damage Your Company

When people think of cyber-attacks, they mostly think of their files being stolen and their screens being taken over with a message from some kind of virus or ransomware.

Unfortunately, hackers aren’t all that concerned about how they attack your company, they just want to find a way in.

This could mean that they take over your email accounts, hijacking your conversations with customers and suppliers. Or perhaps they manage to take control of your DNS records, blocking you from the domain name that you’ve spent years building your brand around.

The fact of the matter is, there are countless ways for a cyber-gang to cripple your business. Unless you have the correct security measures in place, as well as performing regular maintenance, an attack is just waiting to happen.

And the consequences can be disastrous:

  • Data breach
  • Financial loss
  • Client disruption
  • Lost contracts
  • Business interruption
  • 3rd party liability
  • Physical damage
  • Reputation damage
  • Regulatory violations

In many cases, any one of these can be enough to put you out of business.

Compliance Regulations

Regulations are mostly put in place to protect your employees and your customers. They’ve got nothing against your business, but if you don’t meet certain standards, you could be facing serious fines or worse, having your license revoked.

Sadly, this is all the more important for cannabis businesses, where owners are under intense scrutiny from regulators due to the confusing criminal past of the cannabis industry.

While most compliance violations aren’t shared with the public (perhaps since this would provide an added risk to the company and its customers) an attorney from a law firm in New Carolina recently submitted various Open Records Act requests to the Colorado Marijuana Enforcement Division (MED) for all compliance enforcement resolutions in 2015.

One of the cases sent back to them detailed the compliance violations of the company in question. These included:

  • Licensee did not maintain employee records, transport manifests, or diagrams of their facility.
  • Licensee did not maintain a secure surveillance recording area.
  • Licensee did not have proper camera coverage in growing, harvesting, or point of sale areas.

These simple IT issues would have been easy to avoid, but this case of negligence came at a costly price to this cannabis farm owner: a $50,000 fine and license revocation for 8 years.

In other words, this put an end to the business.

Now consider a scenario where a ransomware attack not only cripples your business financially but also puts you under the microscope of the authorities due to a violation of similar compliance regulations.

The Triple Extortion Attack

So what would you do if your IT system had been taken hostage and a ransom was being demanded in order to get back control?

Would you pay it?

According to a new survey of C-level executives at SMBs, 73% of companies that fall victim to ransomware attacks end up paying the ransom. Unfortunately, for some companies, this isn’t enough to free them from the grip of cyber-criminals.

Alarmingly, many of these organized cyber-crime gangs have now begun to implement a multi-pronged approach to their attacks.

In many cases, the attackers work silently inside the network for months before the ransomware is triggered, spreading from system to system. This is known as lateral movement, and it gives them the time to not only encrypt your data but also make their own copies, so that they can subsequently threaten to release it to the public. Against that threat, backups are ineffective.

And then there’s the “triple-extortion” approach, whereby the perpetrators then contact the suppliers and customers of the hacked company and threaten to publish their data if they too don’t pay a ransom. This can even happen months or years after the ransom from the original attack has been paid.

You see, poor cyber-security protocols don’t just jeopardize your company. You’re putting your suppliers and your customers at risk as well!

What You Can Do to Prepare

Cybersecurity doesn’t have to be overly complicated. Ransomware attacks can usually be prevented with a pretty short list of hygiene protocols. Even with a large company like Colonial Pipeline, the attack was far from sophisticated and could have easily been avoided with a few simple security measures.

Hire a Cyber-Security Expert/Team

This is a valid option for larger organizations that prefer to keep things in-house. But hiring just one IT expert could cost you in excess of $100,000 per year, making this option difficult to justify for smaller companies. If you can afford to build out your own cyber-security team then this is by far the best approach. No one will know your business better than the people who work in it.

Outsource to Experts

By outsourcing to a fully-managed IT service provider you get a team of experts trained in cyber-security for just a fraction of the price. These solutions are usually the most cost-effective way for small to medium-size businesses to make sure that they’re protected from the thousands of threats they face on a daily basis.

At Gigabit Systems, we understand the needs of the cannabis industry and the challenges our clients face. Working with us is like having your own IT department. We take care of everything from staff training and next-gen firewall defense systems, to advanced threat detection and our unique Ransomware Rapid Response Team (3RT).

We also understand that even with the greatest protection in the world, the dynamic nature of cyber-crime and the inevitability of human error can still cause you to fall victim to an attack. Should this happen, your dedicated Crisis Manager will be there to support your every step throughout an attack to make sure that you make the best decisions for your business.

Bury Your Head in the Sand

Doing nothing is always the easiest approach, but the data makes it clear that it’s only a question of time until you fall victim to a cyber-attack. Not doing anything is a choice that will undoubtedly have devastating consequences for you and your business.

Get Protected or Risk Losing Everything

Cyber-attacks are growing at an alarming rate and your decision to postpone facing the facts is likely to cause the death of your business.

It’s a hard pill to swallow, but we are all currently facing one of the largest threats of the 21st century and not even our government, police, NSA, Homeland Security, or the FBI are there to protect us. The responsibility is yours and yours only.

Pick up the phone and call us now on 877 636 3957, or fill out our contact form to get your free network assessment and begin securing the future of your business today.

How Can Sapphire Risk Help?

Tony Gallo and the team at Sapphire Risk Advisory Group have written hundreds of cybersecurity plans for cannabis business applications. Follow us on social media to stay up to date with cannabis industry updates!

Author

Mendy Kupfer is the CEO of Gigabit Systems, one of North America’s leading IT services providers. His company helps all businesses, including dispensaries, distributors, manufacturers, and cultivators throughout the US and Canada, to Design, Implement, Support, Protect and Scale their IT. Mendy is a firm believer in giving back to his community and holds executive board memberships to several community nonprofit organizations.

Outside of work, Mendy enjoys spending time with his family, traveling (including renting Airbnbs in random places), absorbing the local culture, and reading about space, technology, and business.