The legal marijuana industry is expected to grow exponentially over the next few years. This is spurred not only by the legalization of recreational marijuana in many US states and in countries like Canada, but also by the growing adoption of cannabis as a pharmaceutical product.
According to the State of the Legal Cannabis Markets report from BDS Analytics and Arcview Market Research, legal pot sales will hit $40.6 billion in 2024. This represents a 24.5 percent growth over the period 2018 to 2024.
The burgeoning cannabis retail industry is, therefore, a prime target for cybercriminals who look to steal valuable and sensitive information ranging from credit card information and trade secrets to personally identifiable information (PII).
Aside from the consumer information they store and manage, online cannabis retailers are being targeted because many of them have yet to incorporate cybersecurity practices. Small to medium-sized online marijuana retailers are also highly vulnerable to cyberattacks because they normally don’t have the resources to hire IT staff who can implement security measures to mitigate cybersecurity risks.
How Cyber Attacks Impact Cannabis Retailers
Financial losses due to cyberattacks can be devastating, especially for small cannabis retailers. In July 2018, IBM and Ponemon Institute published a study that showed the worldwide average cost of a data breach exceeding $3 million.
A perception of inadequate cybersecurity protocols can also affect consumer confidence and in turn, impact the future sales and growth of an online cannabis retailer or dispensary. Marijuana retailers will be hard-pressed to keep their customers’ trust if they fall prey to a data breach.
The negative effects of cyber attacks on the cannabis industry underline the need for online cannabis retailers to be aware of the various cybersecurity threats they are at risk of.
What are the Top Five Threats?
Cybersecurity threats can impede the growth of the budding cannabis industry, particularly that of small online retailers. Among the cybersecurity risks that the weed sector should be wary of are:
1. Phishing
Phishing is one of the oldest tricks in the book for cybercriminals. In this kind of cyber attack, cybercriminals impersonate an individual or entity by sending a fake email. The fake email is intended to dupe the recipient into sharing confidential information or downloading malicious software.
It’s also considered to be the most common form of cyber attack. Various studies have shown that nearly 9 out of 10 data breaches are considered to be phishing attacks.
What’s more worrisome is that fraudsters who use phishing attacks get smarter every year by constantly modifying their techniques to become more sophisticated. According to Fraud Watch International, many phishing sites are now using Hypertext Transfer Protocol Secure (HTTPS) encryption. This tricks more individuals into believing that the site they are visiting is secure. Other trends in phishing attacks include mobile phishing and geographically accessible phishing.
Aside from those new techniques, fraudsters also continue to use established methods in their phishing attacks like fake advertisements on Facebook and other social media platforms. Even messaging platforms such as WhatsApp are being used for phishing attacks.
Online cannabis retailers and their staff can avoid becoming victims of these cyber attacks by not sharing personal information such as payment card information, logins, and passwords over email. Downloading attachments from unknown senders should also be avoided.
2. Ransomware Attacks
The concept behind a ransomware attack is simple: lock and encrypt the computer data of a cannabis retailer and then demand a ransom for restoring access. Data may range from customer information to financial information. What’s worse is that there is no guarantee that the access will be restored even after the victim has paid the ransom.
The Federal Bureau of Investigation says that around 4,000 ransomware attacks happen every day. The agency estimates the costs of ransomware attacks to be at $1 billion a year. This is a significant 300 percent increase from 2015.
Small businesses like cannabis retailers are common targets of ransomware attacks. According to insurance firm Beazley, 71% of ransomware attacks reported in 2018 targeted small firms, with the average ransom demand pegged at $116,000.
There are several types of ransomware attacks that threaten the cannabis industry. These include:
- Crypto Malware – In this kind of ransomware attack, a harmful program scrambles file content, making it unreadable.
- Lockers – In this ransomware attack, a program infects the operating system and completely locks the user out of the computer. The user is then unable to access any of the files or applications on the device.
- Scareware – This is a fake program acting like a cleaning tool or antivirus. It usually claims to have found problems on a PC but demands money or ransom to resolve those issues. Some scareware types lock a computer while others flood the screen with annoying pop-up messages and alerts.
- Doxware – Also known as leakware, this type of ransomware attack threatens to publish the victim’s stolen information online unless the latter pays the ransom.
- Ransomware as a Service (RaaS) – This kind of malware is hosted anonymously by a hacker, who gets a cut of the ransom.
3. Cyber Extortion
Cyber extortion is related to ransomware. On the surface, cyber extortion and ransomware are one and the same. However, a closer look reveals that there is a distinct difference between the two cybersecurity threats. In cyber extortion, a hacker or cybercriminal simply demands payment to prevent leaking of valuable information online. Moreover, cyber extortionists usually demand that they are paid in cryptocurrency or virtual money not issued by any government. This is because the use of cryptocurrency can keep fraudsters anonymous.
Fraudsters can target data such as personal information of customers who have transacted or bought weed products from online cannabis retailers. This is particularly alarming if there are high-profile customers like athletes, entertainers, and business executives who may not want to be revealed to be marijuana users even if it’s already legal.
To minimize the risks of being victimized by fraudsters resorting to cyber extortion, online cannabis retailers should secure their accounts, devices, and computers with strong passwords. The use of robust security software can also go a long way towards securing their accounts and devices.
It’s also critical to report all cases of cyber extortion to the proper authorities. Moreover, online cannabis retailers should refuse to cooperate with or give in to the demands of cyber extortionists. This has been proven effective by big firms like Disney and Netflix, which refused to play ball with digital extortionists.
4. Threats of Using Public wifi
It has become a common practice for businesses including online cannabis retailers to allow their employees to work from remote locations. These include working in public areas such as airports, cafes, and hotels.
According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public wifi networks. The same survey showed that 13 percent of employees work remotely when given the chance.
While there are advantages to letting employees work from remote locations, there are also risks involved. One is the risk of an employee being tricked into using a rogue wifi network that has been set up by an attacker precisely to harvest valuable business data.
Connecting to free wifi can also bring business risks, as third parties can intercept company data. Called man-in-the-middle attacks, this type of cyber threat has hackers positioning themselves between employees using the wifi and the connection point.
An unsecured wifi network or connection can also be a platform for malware distribution. Many hackers use an unsecured wifi connection to distribute malware that can infect software on PCs and other devices, which may cripple a marijuana retail business.
There is also the risk of hackers utilizing special software for eavesdropping on wifi signals, enabling them to access everything that a remote worker is doing online. Cybercriminals can then capture login credentials or hijack accounts of remote workers of online cannabis retailers.
Hackers can also connect directly to devices of remote workers using public wifi. This is possible through ad-hoc or peer-to-peer networks connecting two computers. Related risks may follow such as the theft of passwords and usernames, as well as exposure to worm attacks.
5. Internet of Things (IoT) Leaks
The Internet of Things (IoT) has revolutionized many industries, including the booming cannabis industry. The IoT provides many practical and interesting applications in the cannabis industry including fully automated growing stations.
In the past, it was quite difficult for cannabis retailers to set up an indoor grow room. Many elements come into play such as temperature, space, lighting, humidity, and watering. Indoor grows also require daily monitoring for keeping track of growth and this is not feasible for most cannabis growers. But thanks to IoT, cannabis growers now have fully automated growing stations which can be monitored from anywhere in the world as long as there is Internet connectivity. The benefits of this technology include increased yield, energy efficiency, and crop resiliency.
The IoT has also benefited people who truly rely on medical marijuana to control ailments. There are smart devices that can connect to the Internet and allow doctors to remotely monitor the doses of their patients.
IoT also promotes consumer convenience. For example, using IoT applications, customers can benefit from smart labeling technology. This way, consumers can get information about cannabis products by simply placing their Internet-capable devices by them. This is similar to the use of barcode scanning from a mobile phone at the grocery store.
But while the IoT has improved several facets of the cannabis industry, it can also pose security risks. Most IoT devices don’t have built-in security, making them easy targets for hackers. Fraudsters usually use automated programs to locate IoT devices. Once they have identified which device to attack, they can connect to it using default admin credentials. And because most users don’t change passwords, cybercriminals usually succeed in remotely accessing IoT devices. They can then install malware and take control of the system.
How Cannabis Retailers Can Mitigate Cybersecurity Risks
With the many cybersecurity risks threatening cannabis dispensaries, it’s only reasonable for these businesses to seek ways to mitigate these threats.
One of the most basic steps toward reducing the likelihood of cybersecurity attacks is to protect computers. This can be achieved by installing robust anti-virus software and limiting physical access to computers or servers containing customer data.
Training employees is also equally important. Cannabis dispensaries should have clear security guidelines. Moreover, they should provide their employees with regular training so the staff will be aware of the importance of using strong passwords, avoiding phishing attacks, and other cybersecurity best practices.
Online cannabis retailers should also maintain their own data backups. This can be very helpful, especially after a cyber-attack, as they can restore their service quickly. Conducting regular inventories of sensitive data is also ideal, as it can minimize the risks of data breaches.
Finally, online cannabis dispensaries should have a cyber incident response plan. Since data breaches are always a possibility, it’s important for these businesses to have a response plan in the event of a cybersecurity breach. Such a plan helps them manage a cyber-attack quickly and efficiently while limiting damage and reducing recovery time.
Working with a reputable cybersecurity provider like RSI Security can benefit an online marijuana dispensary, especially in mitigating the above-mentioned cybersecurity risks. RSI Security is one of the top compliance and cybersecurity firms that helps organizations achieve cybersecurity risk-management success.