As ransomware attacks have skyrocketed around the world, cannabis firms are increasingly being seen as soft targets, according to cybersecurity experts and at least one cannabis executive. And to avoid these attacks, cannabis businesses need to be proactive.
The most public breach came in November, as the California producer Stiiizy came under attack from the Everest ransomware group, compromising the personal data and identities of more than 422,000 clients. A second attack also infiltrated the back end of one of Stiiizy’s clients, a SaaS vendor.
Ben Taylor, executive director of the Virginia-based Cannabis Information Sharing & Analysis Organization, told Cannabis Business Times that in the past two years, he has tracked six cannabis firms that have been reportedly struck by ransomware attacks, a type of hack that steals data and/or freezes data assets unless a ransom, usually a Bitcoin or two, is paid. Often, employee data is stolen to extort companies into paying fees lest that information be released into the Dark Web for criminals to buy.
“In the cannabis industry, it’s often hard to appreciate how big of a threat cybersecurity can be,” Taylor said. “With physical threats made against, say, dispensary owners, that’s something we can see and hear about. Online threats can be more invisible. And that’s why we constantly preach to organizational leaders to adopt a security culture because so many of these attacks come from employees clicking a link in an innocuous email.”
As he explained, these types of phishing attacks—still one of the most popular avenues for hackers to gain access to company data—come in the form of emails that may look routine but are filled with links that, when clicked on, give hackers a back door to an enterprise’s data.
An October 2024 report found that ransomware insurance claims, across all sectors, spiked by 68 percent to an average loss of $353,000 in the first half of 2024 compared to the same period a year earlier. 2023 was an especially dire year for ransomware, as these digital extortionists launched 4,506 attacks compared to 2,593 in 2022, officials said during a briefing before the fourth annual International Counter Ransomware Initiative summit.
The cannabis industry isn’t immune to these attacks despite health care and the financial sector bearing the brunt of headlines about these breaches. David Wheeler, chief information officer at vertically integrated North American cannabis company TerrAscend, said the cannabis industry is a young and fast-moving area, and it may often feel like “we’re upgrading the rocket while it’s already in flight. Despite the rapid pace of change, ransomware attackers don’t hold back because you’re the ‘new guy.’ In fact, they often see younger industries as prime targets, assuming vulnerabilities due to rapid scaling and growing pains.”
Kay Yut Chen, Ph.D., a researcher who studies ransomware responses, echoed Wheeler. When a new market emerges, hackers will try to infiltrate it because it’s in a nascent stage and doesn’t have preestablished cybersecurity teams, said Chen, who is a professor of Information Systems and Operations Management at the College of Business at the University of Texas at Arlington. “Additionally, executives at cannabis firms may have their attention focused on their core competencies, getting the production line going, economies of scale, and protecting against cybersecurity attacks might not be a top priority,” he said.
Another cybersecurity expert recognizes how business pressures can keep the protection of data assets from being a front-burner priority. “These are businesses who are supposed to earn as much revenue as possible, but the CISO [chief information security officer] teams are competing with IT, sales and marketing teams for funds to strengthen their controls and resources, and it can be a lot for a cannabis business to try to protect against every security incident,” said Ed Rojas, founder of the Ransomware Defense Initiative—a consultancy group that offers free and paid services, and software to enterprises seeking to protect themselves against ransomware attacks.
So, what can cannabis firms do if they want to take this challenge seriously? Rojas urges businesses to focus on the foundational controls that are critical, such as vulnerability scanning, software patch management and two-factor authentication, a security approach that requires two different forms of identification to access a resource or system.
“Build a security culture that reminds employees about the vulnerabilities inherent in phishing attacks,” Taylor said, “and training regularly about cybersec protocols is a great idea. After all, all it takes is one employee to click on the wrong link to give hackers access to everything.”
TerrAscend’s Wheeler said, “Recognize that you’re only as strong as your weakest link. Start by building a strong foundation: Invest in endpoint and network protection, implement continuous monitoring and detection capabilities, and establish a clear incident response plan. Ensure that everyone in the organization understands their role in protecting company assets.”
The more training exercises you can run with your cybersecurity team, the better, said Rojas. “Businesses have a plan in place in case of flood or fire, and ransomware attacks should also be simulated so everyone knows what they are supposed to do in case it truly happens. You can’t have your team meeting about these breaches for the first time when it occurs in real life.”
If a cannabis firm is struck with a ransomware attack, experts suggest not caving in to demands. Chen, who has authored several papers on the consequences of digital extortion, said affected firms should follow the FBI maxim of refusing to negotiate with terrorists. “The more you pay the ransom, the more the hacker believes it’s a strong business model they have going,” he said.
That approach might sound advisable on paper, but when it comes to the actual costs of doing business, negotiating for a lower ransom fee might be a step worth taking. “A company has to compare how much business they are losing with their data frozen, with their sites not working, compared to what they will pay, and it’s not always an easy decision,” Thun said.
Paying the ransom still holds a considerable amount of risk, warned Taylor, who recalled reading about a Japanese manufacturer that paid the ransom to hackers, but they still published the employee data on the Dark Web anyway. “But if you have regular backups of your data, and you have strong security protocols in place, that makes the argument to not pay the criminals even stronger,” he said.
David Silverberg is a freelance journalist who writes about cannabis and the cannabis industry.