Top Cyber Risks Threatening the Cannabis Industry
As cannabis evolves into a multi-billion-dollar global industry, booming revenue, historic M&A deals, and eye-watering capital raises dominate business headlines. But as cannabis enterprises expand at a rapid pace and scale operations to meet growing demand, greater assets and a higher profile also increase the risk of targeted cyberattacks by threats inside and outside an organization. A number of breaches have already affected the industry, and the potential losses – due to compromised intellectual property, confidential customer and/or patient data, and other important information – can be catastrophic for both start-ups and established businesses.
MGO Technology Group has leveraged contacts from the dark web, conversations with federal authorities, and other proprietary research and insight to provide an overview of the leading cyber threats cannabis enterprises face.
Who is targeting cannabis and where are they attacking?
Information gathered by MGO Technology Group from underground assets and federal investigations indicates that, to date, there is no specific group actively targeting the cannabis industry. But there are hackers focusing on three areas within the seed-to-sale lifecycle:
- Research and extraction
- Consumption and retail operations
Investigations revealed two incidents where intellectual property was stolen by a former employee due to partial or ineffective security practices. In addition to potential malicious insiders, external threat actors are expected to attack the research portion of the industry in order to steal intellectual property. Potential targets of hackers include strains being developed, marketing strategies, and technology practices related to cultivation.
Potential impact on hacked cultivators
The loss or modification of proprietary information, such as strain development and cultivation methodology, could severely impact the production of future products, result in a tampered or inferior product, or cause the loss of competitive advantage within the industry. While an increased timeline for a future product or loss of IP to a competitor would result in a negative financial impact, the release of a tampered product could also cause a negative reputational impact.
Risks presented by cannabis payment systems
The search for payment solutions in the notoriously cash-heavy cannabis industry has led to the emergence of a number of payment systems. While they may be convenient, they are a high-risk target for hackers. Mobile applications that are not securely developed or lack appropriate oversight are at risk and provide an attack vector for malicious actors. The successful breach of an application could provide access to customer financial information, leading to mistrust of the application author and discontinued usage.
Protecting medical and customer information
As the legalization of medical and adult-use cannabis spreads across North America, the customer base will continue to expand, making retailers increasingly high-priority targets of malicious actors. Medical information and Protected Health Information (PHI) are already highly valued assets for cyber-criminals.
As with other small businesses and industries in their early stages, the protection and security of computers and networks that handle customer information is minimal or inefficient. Specifically, this involves the Point-of-Sale system and supporting infrastructure, two of the most targeted assets, a breach of which would result in the theft of customer information. Once again, a breach of customer information, especially PHI, will not only have a negative impact on the reputation of the retailer and the industry overall, but could also result in HIPAA violations leading to millions of dollars’ worth of fines.