In 2018, there were 1,244 data breaches, exposing 446 million individual records within the United States, according to Statista. That’s nearly 3.5 data breaches a day. The onset of digitizing files and processes has likely contributed to the over 100 percent increase in data breaches in the last 10 years.
As an emerging industry, cannabis has a unique opportunity. Business owners can use technology to develop their business for the modern age – even the future. Since they are starting from scratch, they can build a base of technology, streamlining processes and bolstering cybersecurity in the face of data breaches. However, even with this opportunity, many are behind the curve when it comes to best cybersecurity practices.
“Most cannabis companies we’ve examined are lacking basic compliance measures such as individual login and passwords, firewalls, and basic measures to prevent ransomware and phishing scams,” explained 420 Cyber CEO Etien Alcantara. 420 Cyber works directly with cannabis companies to provide unique cybersecurity solutions, which has given Alcantara a thorough understanding as to why cybersecurity has been lacking in the industry. “This industry has been running under the radar for years,” she explained. “I believe they have so much on their plate (security, state regulations, etc.), they haven’t even considered the impact of a cyber breach.”
This is a clear problem, considering the number of breaches that happen every day, let alone every year. All levels of the cannabis business – dispensaries, cultivation and manufacturing facilities, laboratories, transportation companies – are at risk.
“I would say customer data is the primary [concern], followed by any proprietary info a business has that makes it unique,” Alcantara explained. Customer trust is vital to good business; thus, securing consumer information like phone numbers, social security numbers, and credit card numbers is of the utmost importance.
Not only do companies need to protect their customers, but themselves as well. As such a young industry, there is a lot of research to be done and innovation to be accomplished. That means any proprietary information, research and development, and all other company information is also at risk of being leaked or stolen. For those working to innovate and push their company forward, it’s that type of information that they likely want to keep private. Additionally, the automated systems being integrated into grow operations only add further points of access for hackers to steal valuable information.
Across the industry, there are a variety of things to consider when establishing each company’s cybersecurity needs.
In 2017, MJ Freeway, one of the most prominent Point-of-Sale (POS) software companies in the cannabis space, experienced two data breaches within six months. The breaches resulted in temporary shutdowns of their systems across dispensaries and the leak of proprietary source code.
The breaches revealed the potential vulnerabilities in POS systems – and the necessity for these systems to function properly. At the same time, they also gave MJ Freeway a better understanding of its vulnerabilities, allowing the company to update its security to better protect its system. “Now we know the specific points of vulnerability,” MJ Freeway CEO Jessica Billingsley told Marijuana Business Daily. “They’ve been fortified, and we’ve added many additional layers of security.”
Thus, when choosing a POS system, one must consider the software company’s cybersecurity prowess and what protections they have in place.
Medical marijuana companies are in the unique situation of dealing with patients, rather than customers. With their clientele, then, comes the need to pay even more attention to cybersecurity concerns as they must protect patient information under HIPAA (Health Insurance Portability and Accountability Act of 1996). “The medical marijuana community is dealing with patient data that, regardless of how innocuous it seems, is still a major HIPAA violation if it’s leaked,” Alcantara pointed out.
HIPAA was enacted with the intention of maintaining the security of protected health information. Thus, medical cannabis dispensaries must demonstrate HIPAA compliance for any patient information they may collect.
Many companies have expanded vertically, growing their own cannabis to then sell in their dispensaries. While this could help streamline business, it can also open up further vulnerabilities.
In 2013, Target’s POS system was breached via a third-party vendor – a refrigeration, heating, and air conditioning subcontractor. It was later revealed that the attackers first broke into the retailer’s network by using credentials stolen from Fazio Mechanical Services, a provider of refrigeration and HVAC systems.
The hack showed just how skillful some hackers can be, and how cautious companies need to be. With vulnerable HVAC systems, whole crops could be ruined by remotely adjusting the temperature and changing the climate.
Modern hackers sometimes only need to find one point of entry in order to access data. With more and more technology being integrated into businesses, points of entry for hackers abound. From POS to Enterprise Resource Planning (ERP) software to HVAC equipment, cybersecurity is only as strong as its weakest link.
While many cannabis businesses may be small, they are no less vulnerable. “Much of the cannabis industry are small businesses which are just as vulnerable as large companies, however with smaller budgets and a belief they are too small to be targeted,” Alcantara explained. “The truth is that businesses aren’t targeted so much as found vulnerable with bot scans.”
For this reason, it is important to identify the vulnerabilities in one’s system. It’s best to start with the basics. As Alcantara highlighted, “Basic compliance policies, passwords, and an awareness of all devices on a business’ network (customer and employee cellular devices for example) can go a long way in reducing a business’ cyber carbon footprint.”