Cybercrime and Cannabis Businesses: The 101

To our surprise, many of our clients remain convinced that they are immune to cyberattacks. Yet, cannabis businesses house incredibly valuable information, making them exceedingly vulnerable to these attacks. This misplaced confidence has led numerous cannabis companies to operate without the necessary protective measures. Given the fact that more than 4,000 attacks occur daily, this post briefly discusses how cybercrime is affecting the cannabis industry and provides basic precautions companies should take to reduce the risk of falling prey to cyber hackers.

The most common type of cybercrime is known as ransomware. Ransomware is a form of malware that targets a business’s sensitive information for extortion purposes. This information may include customer lists, trade secrets, financial information and research and development information. Specifically, hackers block access to a database or system until the user agrees to pay a ransom. Not only does the temporary, and potentially permanent, loss of critical data disrupts a business’s regular operations, it also creates massive financial losses associated with restoring systems—assuming the business pays the ransom and that the hacker provides access back to the database—and severely damages the business’s reputation.

Bringing about awareness and training your team is a paramount preventative measure. Indeed, effective precautionary measures can significantly mitigate the risk of falling victim to a cyber infection. Here are a few simple precautions cannabis businesses should take:

1. Educate Your Personnel: Attackers often enter a business by deceiving an internal user to disclose a password or click on a virus-laden email attachment. You should therefore remind your employees to never click or open unsolicited email attachments. In addition, you should emphasize the importance of not sharing personal passwords to be able to determine how your system was compromised in the event of an attack.
2. Use Complex Passwords: You should use 12-character or longer passwords and change your passwords regularly.
3. Enable Strong Spam Filters: Strong spam filters will prevent phishing emails, which purport to be from reputable companies to induce individuals to reveal personal information, from reaching the end users and will authenticate incoming emails.
4. Set Anti-Virus and Anti-Malware Programs: Setting anti-virus and anti-malware programs will automatically and frequently scan your database and system to detect threats and filter files from reaching end users.
5. Shred Physical Documents Containing Sensitive Information: Avoid old fashioned dumpster diving by shredding all sensitive information you may have printed or written down.

Although ransomware is the most commonly known and used technique, it is no longer the sole method of attack used against cannabis businesses. You may recall the precarious situation in which MJ Freeway, the giant cannabis compliance software system, found itself in 2016 and again in 2017. The company’s databases were hacked, preventing MJ Freeway from processing transactions and precluding over 1,000 dispensaries from tracking sales and inventories for weeks. These cyberattacks against MJ Freeway revealed a new kind of cybercrime where no extortion demands are made, but rather are used by competitors to destroy valuable data to gain a competitive advantage.

The MJ Freeway case highlights the concerning fact that cybercrime variants are continually emerging, making companies, including cannabis businesses, increasingly more vulnerable to these attacks. Accordingly, cannabis businesses must stop underestimating the value of their data and must protect it by putting in place a comprehensive data security system that will minimize their risk of attack and ensure the continuation of their financial success in this high-risk cyber environment.