How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

To understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, then briefly highlight specific case studies and assess the risks, and finally identify actions that individual organizations, as well as the cannabis industry as a whole, can take to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal, “Important Security Considerations When Designing Cannabis Facilities.” While an audit of physical security measures is a valuable part of any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand, noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar in design to ransomware attacks, cyber extortion typically involves a threat to leak personal information. The attackers will generally demand payment in cryptocurrency in order to maintain their anonymity.
Figure: Lumu: 2020 Ransomware Flashcard

  • Remote Access Threats: As 2020 forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it opened up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecured Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software, referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which is much more valuable on the dark web than personally identifiable information (PII). But even adult-use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed-to-sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small to medium-sized businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting,” where cybercriminals target larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Group-IB: Ransomware Uncovered

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source Kibana apps were left exposed online. For a platform serving cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk and can lower user confidence in the product, as well as putting users at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed-to-sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

DoorDash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization, from leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO), says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAOs (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed, which make them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector-led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org.

What Cannabis Businesses Need to Do to Adapt to COVID-19

By Arthur Gulumian

How COVID-19 Impacted Cannabis Businesses

Before jumping into what cannabis businesses can do amid this pandemic, it is crucial to explore the specifics behind how the virus impacted the industry as a whole. From a surface level, it seems obvious what happened: dispensaries had to implement social distancing protocols, require both customers and employees to wear masks and limit the number of customers that can be present on the point-of-sale floor room. But COVID-19 did not merely make shopping experiences a tad bit inconvenient.

Cannabis producers, and especially those involved in manufacturing cannabis goods, experienced an apparent disruption in their production schedules. If the metals and plastics were sourced from Wuhan, Shenzhen or any other dense industrial area in China, supplies suddenly stopped coming, and producers were left with limited production options. Businesses did not consider the value of having various vendors and instead put all their stock in one source. A disruption in production inherently impacts dispensaries.

COVID-19 impacted more than just supply chains, however. For instance, investors are now less likely than before the pandemic to invest in early-stage cannabis companies. Competition for capital now far outweighs the supply for cannabis companies, and we have seen (and will continue to see) a drop in company valuations. Indeed, COVID-19 is affecting more than just currently existing operators but those yet struggling to create cannabis businesses of their own.

Vendors & Supplies

A broad survey conducted by the Institute for Supply Management (ISM) between February 22, 2020 and March 5, 2020 found that 75% of U.S. companies had experienced supply chain disruption as a result of the COVID-19 outbreak. An estimated 90-95% of all components utilized in cannabis vaporizer pens were sourced from manufacturers in Shenzhen, China. In contrast, very few companies used domestic manufacturers. While this is just one example, it is equally important to note that cannabis-specific equipment and supply shortages were not the only factors that disrupted cannabis businesses. Shortages of personal protective equipment (PPE) presented challenges for cannabis dispensaries, producers and manufacturers that continued to operate during the “shelter in place” orders.

Operators must establish a resilient supply chain. Do not simply limit your options to one specific region, as this can be a costly mistake. Operators must cultivate an in-depth understanding of their supply chain beyond critical suppliers and their stress points; they need to develop and follow a systematic supply process that takes potential disruptions and stress points into account. When vetting potential vendors, always ask detailed questions that elicit evidence-backed responses. Ask vendors where they source their materials from, whether they have any history of experiencing disruptions in their supply chain and what kind of setbacks they have suffered as a result of COVID-19.

Investing in Your Core Business

In light of COVID-19, operators must invest in solutions that increase efficiency and improve the customer’s experience. This entails ensuring your customer safely enters and leaves your dispensary with a product they are satisfied with, which is the essence of any retail operation. Your operation should focus on enhancing customer flow as opposed to encouraging aimless roaming. Open-space, Apple Store-style dispensaries might have been a popular option before, but times have changed, and dispensaries must adapt.

Guided purchases not only offer more efficient transactions, but also serve to ensure that your waiting room isn’t backed up with an endless stream of unmanageable customers. Depending on your locally-mandated COVID-19 protocols, your dispensary will likely not be permitted to hold a high number of customers in the store, nor should it during this pandemic. Each customer service representative must be active as opposed to passive, directly asking customers what they are interested in, offering product or strain choices when customers seem unsure and answering questions as thoroughly as possible to avoid confusion and, inherently, delays. Be sure to emphasize the value of guided purchases to your employees and how they can promote the safety of both themselves and their customers.

Maintaining Urgency

The uncertainty of COVID-19 and its impact on the general economy has left many individuals “clocked out.” Simply put, many people feel that they should wait until things go back to normal before making any critical decisions. As essential businesses, cannabis operators cannot afford to make this same mistake. Now is not the time to sit back, reflect and wait for the vaccine. Instead, operators must work to precisely assess how COVID-19 impacted their business and execute a clear plan of action to address foreseeable problems.

Execution is far more important than perfection; you’ll need to make changes on a dime and avoid spending excessive hours obsessing over debating specific actions rather than taking them. It is far more essential to get tasks done versus ensuring they are perfect. If something is not working in your business, it must be readdressed or removed entirely from the protocol. It is far better to make necessary changes now amid the pandemic as opposed to reactively waiting and seeing what may come next following it.

Stay nimble by cutting out any factors that may be slowing down your company’s efficiency. Is your point-of-sale system causing issues? Can you use a better payment processing tool? Are any employees underperforming? Are there any internal policies that may be hindering your employees’ ability to work as optimally as possible? These are some of the many factors that must be considered to ensure your business stays agile and adaptable. Determine what is working against you and execute a plan of action to address it. Do not wait and do not take shortcuts around regulations.

Understanding the Shift in Purchasing Behavior

Regardless of whether or not a vaccine for COVID-19 is completed anytime soon, operators must know that there is no “returning to normal.” People’s habits and behaviors have changed due to this virus: whereas slow browsing of items might have been preferable for some individuals before COVID-19, this is likely not the case today. Furthermore, research groups like Accenture have found that most customers expect their shopping habits to change permanently.

Source: Accenture COVID-19 Consumer Research, conducted April 2–6. Proportion of consumers that agree or significantly agree.

In the study mentioned above, shopping more consciously is one of the two top priorities for customers during this pandemic. According to Accenture, “[c]onsumers are more mindful of what they’re buying. They are striving to limit food waste, shop more cost consciously and buy more sustainable options. Brands will need to make this a key part of their offer (e.g., by exploring new business models).” Furthermore, customers are now more likely to shop locally; this is why community engagement would be especially important to ensure you develop transparency and trust between your brand and your customers. Understanding this shift in purchasing behavior will remain one of the more crucial tasks of any cannabis operator.

Expanding Sales Avenues

More and more customers are now relying on online and curbside purchases than ever before. Dispensaries must look to their current sales avenues and determine where key focuses should be made. Use your sales data to determine where customers are making their purchases the most, be it through third-party delivery services such as Eaze, standard home delivery, online ordering or curbside pickup. Focus on identifying friction and streamlining the user experience on all customer-facing platforms and services. Equally, consider which platform your customers are using the most to make purchases; are they making more online purchases, or do most still prefer direct shopping at the store? Remember that having more products doesn’t necessarily mean more revenue. You must also identify which products are performing well and which have low margins.

These considerations can help strengthen your highest-performing platform while working to fix any poorer-performing platforms. As stated before, stay nimble; if something is not working out, cut it out from your business model, and move forward. Do not be afraid to cut poor-performing platforms to hone your focus on the successful ones. Since post-COVID-19 shopping behavior is likely to stay permanent, these changes may still be applicable following a slowdown or cessation of the virus.

Delighting Your Customers

Virus or not, customer satisfaction remains one of the most crucially defining points for the future of your business. Your customers must be safe and must be happy with their purchase. To ensure this outcome, you need to maintain adequate safety policies while equally promoting streamlined purchases. Although a limited number of individuals may be annoyed with over-the-top safety precautions, most customers will enjoy the heightened security that comes alongside these types of measures.

Contactless service, such as having customers scan their identification upon entry or encouraging more credit card versus cash transactions, can increase customer satisfaction, as they will feel a stronger sense of security when shopping at your dispensary. Focus on streamlining curbside pickup. Things such as requiring vehicle descriptions (e.g., license plate numbers, color, make) for curbside pickup purchases can go a long way in helping employees quickly identify customers.

Equally, be sure there is hand sanitizer available near the entrance of your dispensary. This adds a further sense of security for your shoppers. Delivery should be consistent; delays and setbacks must be minimal to win the confidence of your customers. Take the extra steps to ensure your dispensary is clean and products hygienic. All these factors work to increase customer satisfaction while maintaining their safety, and more importantly, impact the level of trust your customers have in association with your brand.

Scaling Operations Taking Advantage of Limited Competition in Emerging Markets

As stated before, several individuals—including existing and emerging cannabis businesses—are clocked out following COVID-19. This mindset is not only detrimental for operations but can also impact how you scale your business. New markets are coming online and will continue to do so as regulators are increasingly incentivized to replenish government coffers. Riverside County in California, for instance, is now allowing for capless licenses for all cannabis business types. However, what remains the key focus for regulators is expanding the number of delivery and distribution operators. In Massachusetts, delivery endorsements for dispensaries are available without a set deadline to social equity applicants and do not have a defined cap. In Illinois, the cap for transporters was equally removed, and each applicant who scores above 75% will receive a license.

These types of licenses are now more valuable than ever before for two reasons. The first reason is that regulators are keener to award delivery and transporter licenses than other types. Secondly, customers now prefer home delivery over shopping in stores due to COVID-19. With more people clocked out during these times, you have far more opportunities and far fewer competitors during application processes. Use this time to truly develop a strategy for expansion, as the chance might not come so quickly again.

Conclusion

As a final point, be sure to expand your online presence during this time. Although you may not have the capacity to reflect your company’s personality and value through quick in-store transactions, you can use social media to encourage product reviews, social interactions, and recommendations. Invest in marketing through social media platforms. Platforms such as TikTok have helped form communities of like-minded individuals. Use platforms such as that to highlight your company’s personality and values, avoid being “salesy” and focus more on being funny, entertaining and just alive. Character adds value to your business.

People want to laugh, to feel safe and they want to live. Create social interactions and immersion and always prioritize being honest and transparent with your customers. This final point stands as equally important as the rest of the considerations highlighted throughout this article. Stay nimble, stay active and stay alert! Do not view the chaos behind this pandemic as a pit, and instead see it as a ladder. Track down opportunities, do not be afraid of change, and, more importantly, do not wait for an answer to COVID-19; be the answer.