The impressive growth of the state-legal cannabis industry in the US over the past few years has not just been a boon for marijuana entrepreneurs; it has also created new opportunities for cybercriminals looking to exploit the emerging industry’s weaknesses.
Most canna-businesses are newly established, small-to-mid-size enterprises. This means that many haven’t had the time or necessary capital to set up rigorous IT infrastructure to ward off cyberattacks.
This, coupled with the fact that marijuana retailers hold valuable credit card and personally identifiable information on their customers while many cultivators possess cannabis-related trade secrets, makes canna-businesses lucrative targets for cybercriminals.
The consequences for marijuana businesses can be fatal. According to the National Cybersecurity Alliance, 6 out of 10 small businesses that fell victim to a cyberattack went out of business within six months. This risk is likely even higher for new, small canna-businesses already burdened by unfavorable tax conditions due to marijuana’s federally illegal status.
With this in mind, here are the four main cybersecurity threats that all marijuana businesses, especially small online retailers, should be aware of.
1. Phishing
Phishing is perhaps the most common and effective form of cyberattack, accounting for almost 90 percent of data breaches.
Cybercriminals send an email pretending to be a trusted individual or entity with the aim of tricking the recipient into sharing confidential information or unknowingly downloading malicious software.
As cybersecurity defenses to phishing scams have become more sophisticated, so too have the phishing techniques employed by cybercriminals. Many now use Hypertext Transfer Protocol Secure (HTTPS) encryption to fool recipients into believing the link they click on is secure, even though HTTPS only encrypts the connection and does not show that the site behind it is legitimate.
Cybercriminals also use channels other than email, such as social media platforms and messaging services like WhatsApp.
Protecting against phishing attacks can be relatively straightforward, though, so long as cannabis retailers never share personal or sensitive information over email or download attachments from unknown senders.
2. Public WiFi
Due to the COVID-19 pandemic, remote working has become the new normal and marijuana businesses are no exception to this.
This means staff now often work over public WiFi networks, which can expose canna-businesses to all sorts of cyberattacks.
Cybercriminals can set up rogue WiFi networks designed to harvest business data, while even seemingly legitimate networks could lead to third parties intercepting company data.
Unsecured WiFi networks also carry the risk of a malware infection, with hackers able to use sophisticated software to capture login credentials and view whatever remote staff are working on.
3. Ransomware
According to the insurance firm Beazley, ransomware attacks have increased by 300 percent compared to 2015 levels, and 71 percent of the victims are small businesses.
This form of cyberattack involves a hacker locking and encrypting a company’s data, then holding it hostage until a ransom demand is met.
Some ransomware cybercriminals threaten to publish sensitive data online unless the victim pays up. This is of particular concern to canna-businesses, as their customers may be especially worried about having their marijuana use made public for various reasons owing to the plant’s federal prohibition.
There are different types of ransomware attacks, including cryptomalware, scareware and doxware, and the only way to mitigate them is to have a robust cybersecurity system in place.
4. Internet of Things (IoT)
The Internet of Things (IoT) has opened up exciting opportunities for cannabis cultivators, such as fully automated indoor grow sites.
Cultivating marijuana indoors is typically a labor-intensive process due to the multitude of conditions to consider, like temperature, moisture content and lighting, in order to optimize plant growth.
Some marijuana retailers have also used IoT technology to allow customers to easily access information on cannabis products when their smartphone is in range.
These conveniences come with risks, though. Most IoT devices ship with default admin credentials that users don’t change and that are easily obtained by hackers.
Once a cybercriminal accesses the IoT device, they are then able to install malware and control the device.
How canna-businesses can mitigate cybersecurity threats
The first line of defense against cyberattacks is computer protection. Marijuana businesses must ensure their network is protected by a reputable anti-virus system and that only trusted individuals have access to the computers and servers that host sensitive information.
Staff training is also key so that employees can recognize the telltale signs of a cyberattack and respond appropriately.
Online marijuana retailers in particular should take steps to back up their data. A cyberattack could wipe out all this information instantly, which would cripple the business entirely.
Having a cyber incident response plan in place that’s understood by all staff is also essential to effectively manage the threat and minimize business disruption.