When you think of the Cannabis industry, you probably think of a bunch of folks growing, harvesting, packaging, and selling the plant. But have you thought about the technology needed to power all of that?
A traditional retailer could forgo technology to some extent. In Cannabis, whether you are a craft grower or a Multi-State Operator (MSO), regulations require electronic reporting and tracking of products from seed to sale. The regulations covering the Information Security needed for these operations are mostly fragmented, but the tide is changing fast. Besides, securing your digital realm as carefully as you protect your physical properties is just good business.
Information Security Threats Facing Cannabis
While there are a number of threats that face all businesses such as phishing and malware that you should work to mitigate and educate your teams on, the Cannabis industry has additional threats thanks to criminal enterprises and state-sponsored actors looking to steal funding or trade secrets. The uncertainty around Law Enforcement also affects reporting and responses to these threats, making it more lucrative for those targeting the industry. So what else should you be on the lookout for?
- Business Email Compromise (BEC). Business Email Compromise is more frequent due to the lack of good Information Security practices and good user training. BEC can fuel other threats such as payment redirection scams, because threat actors gain access to emails or contact information for trade partners, customers, and regulators.
- Payment redirection scams. These scams try to redirect payments between Cannabis companies. This aims to take advantage of the banking insecurity of the industry, and fund criminal activity. If you receive a request to change payments or paychecks, always check directly through a known contact method. Do not rely on the contact info in the email asking you to redirect.
- Typosquats and Fake Domains. Threat actors will register fake domains similar to your own to attempt to phish your users or other companies, or to host fake dispensary sites. This happens far more often than in typical businesses.
- Job Scams. Because the industry is attractive to job seekers, there are plenty of scams in which threat actors misrepresent themselves as legitimate staff, even making duplicate profiles, to defraud candidates into sending gift cards, computers, or personal information.
- Fraudulent Dispensaries. Threat actors such as GanjaMask create fake dispensaries using your information or adjacent to your legitimate locations in an attempt to redirect and defraud customers.
- Fake Social Media Listings. Those attempting to defraud customers often create fake social media listings that may mimic your own, similar to fake domains.
- Insider Threats. A nascent industry often attracts those with an entrepreneurial spirit, and many go off after a few years to start their own business or consultancy. This is great, but unfortunately, a small few may exploit their access to take confidential or proprietary information while working for you.
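One way to watch for the typosquats and fake domains behind the BEC and payment redirection items above is to compare the sender domains in your mail logs against your own domain. The following is an added example, not code from this site: `examplegrow.com` and every sample sender are constructed, the confusable-character list is a small assumed subset, and the domain split assumes a single-part TLD.

```python
# Added example: triage sender domains against one protected domain.
# Every domain name here is constructed for illustration.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def fold(text):
    """Collapse common look-alike characters and drop hyphens."""
    text = text.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def split_domain(domain):
    """Naive split into (registrable label, TLD); assumes a single-part TLD."""
    left, _, tld = domain.strip().lower().rstrip(".").rpartition(".")
    return left.split(".")[-1], tld

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender, protected):
    if split_domain(sender) == split_domain(protected):
        return "legitimate"  # the protected domain or one of its subdomains
    s_label = fold(split_domain(sender)[0])
    p_label = fold(split_domain(protected)[0])
    if s_label == p_label or p_label in fold(sender):
        return "lookalike"   # TLD swap, look-alike characters, or name with add-ons
    if osa_distance(s_label, p_label) <= 1:
        return "lookalike"   # single typo or two swapped letters
    return "unrelated"

SAMPLE_SENDERS = [  # constructed sample, e.g. domains pulled from a mail log
    "examplegrow.com", "mail.examplegrow.com", "exarnplegrow.com",
    "examplegrow.co", "examp1egrow.com", "examplegorw.com",
    "examplegrow-payments.com", "statecompliance.example",
]

def flag_lookalikes(senders, protected="examplegrow.com"):
    return [d for d in senders if classify(d, protected) == "lookalike"]

if __name__ == "__main__":
    print("\n".join(flag_lookalikes(SAMPLE_SENDERS)))
```

Anything flagged here deserves the same treatment as a payment-change request: verify through a known contact method before acting on the message.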
Protecting Your Cannabis Business
The size of your business and the capital available to you will largely determine how you protect your Cannabis business. Working with your affiliated trade organization or an Information Security professional who is familiar with the industry will yield the greatest benefits. Websites such as ours can help guide you and keep you informed.
If you choose to do business with a Managed Security Service Provider (MSSP), as may often be the choice with smaller companies, be sure they are monitoring for the threats mentioned above. While any MSSP can help you address the most common threats faced by businesses, they may miss the ones more frequent or unique to the industry if they are unfamiliar. Ensure they report on your Information Security posture monthly. Avoid signing multi-year agreements which could cause you to fall behind unless they have a clear termination clause that allows you to exit the agreement if their performance becomes sub-standard.
If you have a formal Information Security team in your business, be sure they are aware of these threats, and do what you can to provide them the budget to acquire tools to help them while maintaining a lean staff. Your team should be reviewing any vendors or tools in use to ensure they are still meeting the needs as threats evolve.
While the industry seems to see working together on certain matters as sacrilegious, sharing threat information should not be one of them. If you notice another company being targeted, reach out to let them know. Given the limited law enforcement support in this area, collaboration is critical to help protect the industry as we all face similar threats.