The legal marijuana industry is called the Green Rush for a reason. It is expected to experience exponential growth in the next few years. According to a recently published study by New Frontier Data, we can expect the United States cannabis market from 2020 to 2025 to near double in size! This is because most states are moving to legalize medical and/or recreational use. 

However, with media attention, billions of dollars of cash, and a variety of unique circumstances and vulnerabilities has made cannabis an attractive cybercrime target. Cybercrime can include cybersecurity threats such as credit card theft, misuse of personally identifiable information, ransomware, or even trade secrets of cannabis retail, grows, and ancillary businesses. 

Why Cybercriminals Target Cannabis 

To understand if you’re at risk for a cyber threat, you must understand it from the viewpoint of the cybercriminal. They are motivated by higher payouts and more likelihood of vulnerabilities to exploit. Here’s why this makes the cannabis industry an ideal target:

• The cannabis industry is new – With a relatively new industry, there aren’t as many stories and examples for businesses to follow. This lack of information makes it far less likely that the company will have protections to prevent attacks compared to more mature industries.
• A significant portion of cannabis businesses are in the “startup phase” – Because the industry is new, it only follows that they’ll have lots of newer businesses. New businesses are ideal targets for cyberattacks due to them not being aware of potential threats and the fact it can take time before they realize they should put cybersecurity best practices in place.
• Privacy is much more valuable to cannabis patients – While many patients have found life-changing benefits using cannabis medicine, there would be significant harm if their personal information was exposed due to the stigma of cannabis use. Therefore, more is needed to gain to find a way to seize data, whether it’s from an outsider or an inside job done by an employee.
• Size of Business – Most cannabis businesses aren’t big enough to have an IT person or IT staff, therefore more likely that best practices aren’t in place to be able to handle a cybersecurity attack.

Impact of Cyber-crime for cannabis businesses

What would be the impact to your business if a cybercriminal was able to attack successfully?

A study by IBM and the Ponemon Institute determined that the average cost of a data breach exceeded $3 million. The $3 million includes all costs, such as remediation, notifying clients, and following all state laws for resolving the situation. The outcome, according to the national cybersecurity alliance, is that 60% of small businesses go out of business within six months after their security breach.

Even if one was able to handle the fallout financially, there is irreparable damage to one’s reputation and brand resulting in lost revenue for years to come. For example: Imagine you are a patient deciding between two dispensaries to get your medicine. Upon your research, you’ve discovered one has an excellent reputation, and the other has news stories about their patient data breach, which would you choose?

Nevertheless, here are some prime examples of how cybercriminals have exploited marijuana dispensaries, grow houses, and other businesses

• At the end of 2019, the customer data and personal health information of over 30,000 was reportedly exposed including names, address, email address, dob, phone, and medical ID numbers through a cannabis software. The cannabis dispensaries that used the software were also reported publicly in this fallout.
• A medical referral agency in Alberta was attacked by hackers who were able to access their clients’ health records in 2018 through the start of 2019.
• In 2017, a well-funded marijuana delivery service had a data breach in which hackers reportedly demanded 70 million dollars in ransom for the data. The theft was from a former employee of Don Davidson, MD. Don Davidson MD is a company that shared data with the delivery service company.
• In a well-known news story from 2017, MJ Freeway, a tracking system for the cannabis industry, was hacked twice within the same year.
• In 2018, the state of Washington’s database had a cyber incident leading to stolen sensitive data.
• Hackers breached information of almost 5,000 customers from an Ontario Cannabis Store in late 2018.

Cannabis Cybersecurity: How Can You Keep Your Cannabis Business Safe?

With various cybersecurity risks that threaten cannabis businesses, it only makes sense to set up security measures to mitigate these risks. There are a variety of solutions that can fit your specific business needs. This can include:

• Security Risk Assessments
• System Hardening
• Security Configuration
• Software & Hardware Security Updates
• Incident Response Plan
• Intrusion Detection Systems
• Malicious activity and Policy Violation Monitoring
• Access Management
• Firewalls
• Endpoint Detection & Response
• Data Loss Prevention
• Mobile Device Security Management
• Dark Web Monitoring
• Solutions to assess 3rd parties security such as partners & integrated vendors with access to your data