CURE8 BLOG

Know Thy Enemy: How & Why Hackers Target Cannabis Businesses

Security

As a cannabis business, especially if you’re a smaller business and don’t handle medical records, you might be wondering why a hacker would target you. You don’t have a ton of IT to target, and if you’re in the US you likely don’t process or store any credit card info.

The truth is is that a lot of hacking is automated these days, or it’s focused on going after soft targets/low-hanging fruit including small businesses. So even if you’re just a single dispensary or grow house in the middle of the country with limited IT (just a computer or two, a POS or ERP, some tablets, a router, and the surveillance system), you’re going to be targeted the same as much larger cannabis companies.

Who Are They Exactly? Why Can’t They Be Stopped?

Many hackers are criminal gangs operating out of Eastern Europe. Their governments don’t take them down for various reasons, including the fact when they’re not hacking their governments use them for cyber attacks on enemy states.

Main Methods They’ll Use

Email is a common source of security threats.

Phishing

This is when someone tries to trick you into downloading and opening malware, providing credentials, or transferring money by pretending to be someone else, usually via email. A common method is to pretend to be a shipping notification from FedEx or UPS. Here’s a good guide on how to identify and protect yourself from phishing emails: https://www.xoverture.com/email-security-best-practices/

You may also be targeted for phishing attacks on social media as well.

Malware

Malware is sometimes included in phishing attempts. They’ll include a virus as an email attachment or provide a link that automatically downloads malware to your machine. Another way to get malware is by visiting sketchy sites like gambling, pirated content, and adult content websites, and torrent sites, which can automatically download malware to your machine or trick you into downloading malware disguised as something else.

Vulnerability Scanning & Hacking

Hackers will scan IP addresses en masse automatically, looking for internet-facing vulernabilities they can expolit. They can then exploit these vulnerabilities automatically or manually. Vulnerabilities include routers, PCs, and servers that aren’t protected by a firewall and have open ports or that haven’t had their OS, firmware, or software updated in a while.

Guessing

If you didn’t put strong passwords on your internet-facing assets including your router/firewall and your web-based software hackers can access them just by guessing. They can do this manually or with brute force attacks.

Supply Chain Attacks

Supply chain attacks seem to be getting more common. This is where hackers are able to insert malicious code directly into products. A big example was the recent discovery of hidden malware in the IT management software SolarWinds. There’s not much you can do to protect yourself against incidents like these other than picking products from reliable companies that take security seriously.

What They’re After (Mainly)

What else? Moolah.

It’s possible your edible recipes are just that good that a competitor would want to hack you to get their hands on the recipe. But for the most part thieves are mainly after money – either stealing it from you directly or getting it by selling your data on the dark web.

Banking Info

Self-explanatory, either to steal the money themselves or sell the data to other thieves.

Ransoms

Once they encrypt your files they’ll ask for a ransom to restore your access.

Sensitive Data

Including customer contact data and patient medical records. These can be sold on the dark web to spammers or for people to use in identity fraud scams.

Botnets

Hackers may try to use your computer to do things like send spam, distribute malware, and mine cryptocurrency. You may not even notice these processes occurring in the background. Botnets seem less common now that many cybercriminals have shifted to ransomware as their main attack method of choice.

Preventing These Attacks

We’ve covered the top ways to protect your cannabis business in other blog posts. Here’s a quick review of our advice.

Firewalls

Firewalls act as your network’s bouncer, keeping out suspcious traffic. Buy a hardware firewall from a reputable company like Sophos, keep your licensing and software updated, and manage your firewall on an ongoing basis as threats evolve.

MDM

Mobile device management lets you manage all your tablets and smartphones in an easy and centralized way. Microsoft Endpoint Manager (formerly Intune) and Jamf are examples. They let you install updates, lock down devices (preventing users from installing apps, accessing certain sites, etc.) and wipe stolen and lost tablets remotely.

Secure Email

Email is a common source of hacking and phishing. You can take measures to make it more secure, including setting up aggressive spam filtering, blocking file attachments, setting up multi-factor authentication, and marking external emails. Some platforms like Microsoft 365 and Gmail have this tech built-in.

Data Backups

Data backups protect you from ransomware, giving you a clean setup of backups to restore from in the event of a malware infection. You want to make sure your managers’ PCs and the devices at your HQ are backed up, or use a service that’s automatically backed up or easy to back up.

Managed IT Services

Security is an ongoing responsibility as threats are constantly evolving. If you’re like many cannabis businesses and can’t really afford your own in-house IT security specialist, outsourcing to a managed IT services provider is a cost-efficient way of bringing in 24/7 security monitoring and management and enterprise-level security expertise.

Employee Training

A lot of responsibility for maintaining data security falls to your employees. They should be trained to recognize phishing emails, keep their devices secure, use multi-factor authentication, and other things. This should be included in your standard onboarding training. Our partners at Sapphire Risk can help you develop and implement your security training.

A Note On the Employee Threat

We’re focusing on the external threat in this article, but you should also be focused on the internal security threat, too. Disgruntled employees can cause damage by, for example, deleting critical data and locking other people out of their accounts. Even if you’re careful in vetting your employees, you can still get people that steal from you, and not just your cannabis – they can get their hands on company credit cards and bank account info, and steal and sell data on the dark web.

To avoid situations like these, be sure to follow the IT principle of least privilege, which means all users are given only as much access as they need to do their jobs. Also, make sure your systems are auditable and everyone has a unique login and account; that way you can see things like people exporting and downloading data or accessing sensitive data and narrow it down to a single person.