With the growing number of states that have legalized the sale of cannabis for both medicinal and recreational use, retailers have become targets of cyberattacks, according to a new whitepaper, “Growing Cyber Threats Against Cannabis Retailers,” authored by Matt Dunn, associate managing director in Kroll’s Cyber Risk practice.
The paper is an effort to heighten awareness of the cyberthreats that brick and mortar retailers—especially those in new industries—may not completely understand.
If going through the rigorous (and expensive) licensing process and instituting all the physical security protocols that come along with protecting their valuable products were not enough, once the shops get up and running, they then need to worry about the threats they can’t see.
The cannabis industry is brand new, with dozens of new businesses being established across multiple states. As is the case with many new startups, cannabis retailers may not have strong cybersecurity strategies.
“Cannabis retailers are particularly attractive targets not only for the coveted customer data they hold; cybercriminals are always on the lookout for businesses operating in a young and rapidly growing industry, like the cannabis sector, where many retailers have not incorporated mature cybersecurity practices into their business processes,” Dunn wrote.
Searching for More Than Mary Jane
The cybercriminals that are targeting this new industry aren’t looking to get high. Rather, they are financially motivated. They want the data, in large part because of the stigma that surrounds the recreational use of marijuana. As a result, Dunn said, “cannabis businesses face a compounded threat due to the commodity they sell.”
Any business of any size in any industry is susceptible to cyberattack, but new companies—particularly those with a relatively new workforce—are at greater risk, according to Dunn.
Malicious actors are banking on the likelihood that employees in the cannabis industry have yet to be educated on the tactics and techniques that criminals leverage to conduct cyberattacks. As a result, “employees of cannabis retailers are prime targets for cyberattacks aimed at stealing or compromising their credentials,” he said.
Another issue that presents a vulnerability to some of these new businesses is that the legalization of marijuana continues to be contentious, which creates privacy issues. “Customers may understandably be extremely reluctant to provide their personal information when purchasing marijuana from a retail dispensary,” Dunn noted.
If a retailer were to have its network compromised due to an immature cybersecurity strategy, that could devastate the business.
New Industry, Old Threats
As is the case with any network, if a cybercriminal is able to access a retailer’s network, they would begin with the reconnaissance phase and identify the databases that hold the most sensitive and valuable information.
Medicinal marijuana dispensaries need to be cautious of the protected health information (PHI) they collect and how they protect those types of records, which are much more valuable on dark web forums than common PII.
However, Dunn noted, “Medicinal marijuana dispensaries are not covered entities under the Health Insurance Portability and Accountability Act (HIPAA), which would restrict how they are able to utilize patient data,” Dunn said.
Given the known vulnerabilities in IoT, cannabis retailers also need to be investing in the security of video surveillance cameras. According to Dunn, “All states that have legalized marijuana sales require retailers to incorporate video surveillance in their facilities as a mandatory security feature. Having your image recorded and stored while you shop for marijuana raises major privacy issues, but the cybersecurity risks for potential extortion raises the stakes for cannabis retailers.”
People who are legally purchasing marijuana may not want the public to know that they are using it. If cybercriminals get access to a dispensary’s database, that opens the door for cybercriminals to extort their victims, particularly if they are “high-profile customers, like politicians, business executives, professional athletes, entertainers, clergy,” Dunn wrote.
Aim Higher With Cyber Strategies
Being cognizant of how this new and growing industry can be attractive to criminals will help retailers to identify the myriad vulnerabilities, so they know the risks specific to their business.
“You have to make sure you have implemented reasonable measures to protect the private and confidential information that is given to you as a trusted repository,” Dunn said.
While there are state regulations with which retailers in the industry need to comply, there are no audits ahead of time to make sure retailers are in compliance. Unfortunately, it’s usually after a breach that companies gain the clarity of hindsight.
“Cannabis dispensaries should implement measures to encrypt their customers’ data and segment their processing systems from their network wherever possible,” Dunn said.