Cyber security is only as strong as its weakest link: What are the biggest security threats in the cannabis industry?

“As a former director of the FBI liked to say, there are only two kinds of companies—those who have been the victim of a cyber attack and those who don’t know that it’s already happened,” says security expert Kent Schramm, director of cyber risk for Deloitte Canada.

“Legal cannabis has become a prosperous, new commercial sector generating significant revenues for the provinces and territories,” Schramm says, “and, omigosh, cyber criminals know how to follow the money. They can inject themselves at many points along the distribution network as cannabis moves from seed to shelf.”

Beyond stealing the personal, financial and health data of customers, a hacker may be trying to take down a targeted organization’s website—a “distributed denial of service” hack, Schramm calls it. Or the hacker may be conducting commercial espionage to steal client lists or expansion plans, for example. Or planting malware that locks an organization’s system until it pays up.

“The insertion of ‘ransomware’ is probably the number one type of cyber attack we see today,” Schramm says.

There may even be an insider threat to the organization’s electronic data from a mole placed by organized crime on the staff of a licensed producer, distributor or retailer, he suggests. “They may want to disrupt legal sales, shut down websites, undercut prices or steal sensitive personal data,” he explains. Many consumers are particularly worried that a data breach could result in them being publicly outed as a so-called “drug user.”

What are the biggest security threats?

Clearly, keeping things secure can be a tall order. Based on survey data compiled by Deloitte Canada—which offers strategic, operational and cyber risk management consulting to private and public sector firms, including the cannabis sector—what consumers want most from their online cannabis retailers is privacy and data security.

“Cyber crime is—and will continue to be—the greatest threat to Canadian businesses of all sizes in 2019.”

“Mature, robust data management, privacy protection, and cyber security [is] a ‘must-have’ for 52 percent of current and 58 percent of likely consumers” who plan to buy their cannabis online, notes the firm’s 2018 Cannabis Report. For one in five consumers, cyber security is “the most important” factor, surpassing free shipping, user-friendly website design, quick delivery times, payment options and all other e-commerce considerations.

“Cyber crime is—and will continue to be—the greatest threat to Canadian businesses of all sizes in 2019. This [assessment] is applicable to all Canadian businesses, including the legal cannabis sector,” a spokesperson for the Canadian Centre for Cyber Security told The GrowthOp. The centre, part of the federal government’s Communications Security Establishment, was formally launched last October as Canada’s national authority on cyber security and cyber threat responses.

The centre reports that criminals tend to be opportunistic when looking for targets, exploiting both technical vulnerabilities and human error. “Cyber criminals target businesses for their valuable data about customers, partners and suppliers, their financial information and proprietary business information,” the spokesperson says. “This information can be held for ransom, it can be sold for profit or be exploited to gain a competitive advantage,” he notes.

Managed Service Providers (MSPs) can also be vulnerable to cyber crime. Many cannabis firms rely on MSPs and their software to process sales, track inventory, manage IT needs and handle other sensitive business operations. In January 2017, a cyber attack on MJ Freeway, a major MSP that served more than a thousand U.S. dispensaries and cannabis retailers, caused a lengthy service shutdown. A follow-up investigation discovered—almost a year later!—that a large amount of client information had also been stolen.

“A cyber criminal can attack a target through its MSP to disrupt services or steal customer data,” says Schramm. “Your cyber security is only as strong as its weakest link,” and an organization can’t escape legal liability for losing its customers’ personal data by saying it was the MSP that was hacked, not the organization.

Schramm recommends inserting clear language in all service contracts to ensure providers follow best industry practices and are certified to be in compliance with IT and information security standards, such as ISO 27001 and SOC 2. “You can reduce, but not eliminate entirely, these risks by taking your cyber security seriously,” Schramm says. The federal cyber centre also offers a series of security “Best Practices” for contracting with an MSP.

Do large databases make a tempting target?

Large databases can contain personal information—such as customers’ names, addresses, phone numbers, credit card numbers and other financial details, as well as health data, including diagnoses, prescriptions and order history. “Because of the highly sensitive personal information collected by many cannabis organizations, they are necessarily a target for cyber attacks and should prepare accordingly,” cautions Ruth Promislow, a commercial litigation lawyer and partner with Bennett Jones LLP, where her work is focused on privacy, data protection, cyber security and fraud.

The theft of personal and/or health-related data could leave dispensaries, cannabis producers and their directors and officers legally vulnerable.

In her online blog, Promislow writes that a cyber attack against a cannabis-related business could give rise to significant litigation exposure. “Aside from the reputational harm and immediate business consequences, including negative publicity and loss of customers, there is also a significant risk of litigation from victims of a data breach,” she says.

The theft of personal and/or health-related data could leave dispensaries, cannabis producers and their directors and officers legally vulnerable. “The landscape of exposure for a data breach can be substantial, potentially involving (among other things) individual or class claims for ‘intrusion upon seclusion’ and invasion of privacy,” Promislow notes.

Ontario courts could award individual damages of up to $20,000 in an invasion of privacy suit. A company could also be subject to substantial fines, ranging as high as $500,000, levied under federal or provincial privacy laws, for failing to report the loss of personal data.

“Legal cannabis has become a prosperous, new commercial sector generating significant revenues for the provinces and territories,” Schramm says, “and, omigosh, cyber criminals know how to follow the money.”

To reduce an organization’s vulnerability, Promislow suggests a number of key issues that cannabis-related companies should address in the world of cyber security, privacy and data protection:

• only collect the personal information needed to deliver the goods or services being offered;
• ensure the information is used only for those purposes for which meaningful consent has been obtained;
• ensure access to the personal information is limited to those individuals who need to know;
• implement physical, technological and organizational security measures to protect the integrity and confidentiality of the information; and
• ensure that such measures are appropriate to the sensitivity of the information in question.

Schramm also suggests bringing in cyber experts to assess current, in-house cyber security measures, develop policies and procedures to fill any gaps, educate the firm’s directors and officers about their corporate liability, educate and train staff, and even conduct penetration testing to identify vulnerabilities and see if it’s possible to hack into the computer system.

“It’s also important to develop a contingency plan so that everybody knows what to do in the event of a cyber intrusion,” he advises. “The goal is to safeguard a client’s CIA—the confidentiality of its business and customer data, the integrity of its data, electronic software and systems, and the availability of its online business portal and information systems,” he adds.