If you’ve ever been to a local cannabis retail store—yes, some people still call them dispensaries—you know that you are asked to provide your driver’s license or other ID right after you enter. Much like a bar, the store is making sure you are 21 years or older, as required by the state of California.
If you decide to buy anything, you will again need to hand over your ID along with your cash. You may also be added to the store’s customer database. If you are a medical-cannabis patient, it’s possible your medical records are on file there as well.
Do you ever wonder if your personal information, as it is kept on file by the store, is safe? What if you purchase your cannabis online and use a home-delivery service? Is that risky? I decided to take a look into the subject to find out.
In October, I met Heather Cortez at MJBizcon, one of the largest cannabis conferences in the country, in Las Vegas. Cortez works as the director of marketing and sales for BrightCyber, a cybersecurity firm focused on small and mid-sized businesses. She came to Las Vegas to talk to cannabis businesses about keeping their customers’ data safe from cybercriminals.
Mostly, she received blank stares.
This is not a surprise. Remember, the recreational cannabis industry in California is only about 5 years old—a toddler. The industry as a whole is learning not only how to market and sell products, but also how to run businesses legally under a heavy set of both state and local regulations. Most cannabis-biz folks haven’t had much time to think about cybersecurity.
An August 2021 article in Rolling Stone confirms the notion that nascent cannabis companies have less-sophisticated tech systems—which make them easier to compromise. “POS tech is essential to cannabis retail operations, which also makes them vulnerable and ripe targets for ransomware or other cyberattacks,” wrote author Harrison Wise.
Cannabis companies further up the supply chain—businesses that grow and manufacture consumer products—are also vulnerable. Many use highly specialized automation that lets cultivators water, light and humidify plants; others use tech to monitor product and packaging consistency. Threats to these systems can wreck production, ruin crops and shut down operations for days or weeks.
For proof of this, look no further than the attack on Aurora Cannabis, a Canada-based company, which was hacked in late 2020. Employee data was put up for sale online one month later in exchange for bitcoin.
On the supply-chain side, one can look to the beer industry for a cautionary tale: Molson Coors was forced to shut down brewery operations, production and shipping in March 2021 due to a cyberattack.
How do the bad guys get access? “Most cybercrime begins with a human error,” Cortez said.
Many attacks start with phishing—when a bad guy uses an email, text or website to get information by posing as a legitimate or trustworthy organization. In the case of cannabis businesses, an employee might click on a link in an email, believing it to be from a trusted vendor or even a supervisor. Something so simple can allow a cybercriminal access to the store’s point of sale or other internal computer systems that house employee and customer data.
Once a criminal is inside, they can use malware to shut down systems, and demand cash to return control to the company (called ransomware). Cortez said that the average amount of ransom demanded last year from small companies under attack was $55,000. Or the criminals can simply steal personal data—which can be worth quite a bit.
What can companies do to secure customer and employee information? Cortez and her team offered these solutions:
• Secure operating systems. Don’t link them all to one network.
• Use both virtual (cloud) and physical servers—and back up your data!
• Don’t forget to do all updates and patches.
• Protect the environment proactively. Don’t wait until there is an emergency.
• Train employees. Delegate system access only to people who need it. Separate systems, and limit access. Train folks to not click on links that seem too good to be true or that don’t make sense. Pick up the phone and confirm with supervisors before doing something that seems odd.
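The phishing scenario described earlier (an employee clicking a link that appears to come from a trusted vendor) and the last piece of training advice above can also be backed by a simple automated check. The Python script below is an added example written for this column; it is not BrightCyber's tooling or anything the article's sources provided. It pulls every link out of an email body and flags the patterns a trained employee is taught to notice: visible link text that names one website while the link actually goes to another, a destination that is a one- or two-character lookalike of a domain the store really deals with, and links that point at a bare IP address instead of a domain. The trusted-domain list and the sample message are constructed for the example, and the two-character lookalike threshold is an assumption, not a standard.

```python
"""
Flag links in an email body that deserve a second look before anyone clicks.

Added example: the allowlist, the sample message and the lookalike
threshold are all constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this hypothetical store actually does business with.
TRUSTED_DOMAINS = {"vendor-supply.com", "examplepos.com"}

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def edit_distance(a, b):
    """Levenshtein distance; small values mean a likely lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return the reasons a link looks odd; an empty list means nothing stood out."""
    reasons = []
    if urlparse(href).scheme not in ("http", "https"):
        return ["non-web link"]
    host = host_of(href)
    if IP_RE.match(host):
        reasons.append("raw IP address instead of a domain")
    # If the visible text is itself a URL, it must point where it claims to.
    text_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
    if text_host and text_host != host:
        reasons.append(f"link text says {text_host} but goes to {host}")
    # Close to a trusted domain, but not actually one of them: classic lookalike.
    if host and host not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(host, trusted) <= 2:  # threshold is an assumption
                reasons.append(f"lookalike of trusted domain {trusted}")
                break
    return reasons


def assess_email(html):
    """Return [(href, reasons)] for every link found in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, assess_link(href, text)) for href, text in collector.links]


# Constructed sample message for the example; not a real phishing email.
SAMPLE_EMAIL = """
<p>Hi, your invoice is ready.</p>
<a href="https://vendor-supply.com/invoices/1123">View invoice</a>
<a href="http://vend0r-supply.com/login">https://vendor-supply.com/login</a>
<a href="http://203.0.113.7/reset">Reset your POS password now</a>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is, the first link passes, the second is flagged twice (text/destination mismatch and a lookalike of vendor-supply.com), and the third is flagged for using a bare IP address. A check like this belongs alongside training, not instead of it: it only catches the patterns it was written for, which is exactly why the advice to pick up the phone and confirm still stands.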
What can customers do? Get to know your local retailer(s), and ask them how secure your information is in their hands.