Moore Together: Do Cyber Risks Exist in the Cannabis Industry?

Moore-Together-Graphic.jpgMoore Stephens North America is comprised of 42 member firms that provide key services across a wide variety of industries and niches. This month’s “Moore Together” is a collaboration between Karl Kispert with Grassi & Co. and Arnold Klein with Topel Forman.

It’s safe to say that there are cybersecurity risks involved in starting any business. Throw in the already controversial elements of the Cannabis industry and those risks multiply. Without a plan for defense, you could be an open target.

It’s important to consider the potential risks.

Consider this imaginary, yet, realistic scenario:

You stop by your indoor growing facility on a Saturday to “check on things” and you find the regulated temperature control is 25 degrees cooler than usual. You also find that water is flooding your facility. Further, you come to discover that you no longer have access to those control systems and have to re-initialize the entire heating and water control systems from scratch. Perhaps you open your tablet and learn the communication with your trusted vendor was breached, which means there is a likelihood that they can access your network without you knowing - unless you have the proper controls. You may even come to realize that you’ve been breached, and all of your customer data is now rolling around the dark web.

“If the past year has shown us anything, it’s that companies should no longer ask if they are going to be hacked and instead when.” John Chambers, Former CEO of Cisco, “Why Cybersecurity Leadership Must Start at the Top”

Cannabis is an industry that is growing throughout the US and those either involved or interested in being involved must be aware with the cyber-risks that come with it.

In the current state of cyber security, you can be easily fooled into believing your business is not a target. It is and all businesses on the internet are a target of some kind. To understand what that means to the business-owner means to understand the “bad actors” on the internet and the myriad of attack vectors that can be engaged in.

As a business owner anywhere in the seed-to-sale lifecycle, the need to be educated is stronger than ever. Who are the “bad actors*?” What motivates them? How can they be identified? And, most importantly, how can they be prevented?

There are quite a few groups and individuals that have a variety of different perspectives. They have a valid reason (in their world) to engage in nefarious activities. While the general nature is to attack anything and anyone for just about any reason to see where someone can get the jewels, it is reasonable to focus on three distinct likely combinations of these groups; Nation States/Military Personnel, Transnational organized crime groups/Thugs, Cyber warriors/Hacktivists.

Nation States/Military Personnel simply as a way of disrupting the economic well-being of the United States. These actors do not necessarily go after only the largest companies, in fact, they target many small companies. The primary drivers are if they target thousands of smaller companies, the likelihood of gaining access is much higher primarily because smaller companies lack the sophistication when it comes to cyber and information security. In addition, sometimes smaller companies are connected to larger entities and an attack can be launched through the smaller entity.

As Brian Krebs of Krebs on Security noted;

“Dec. 18, 2017 marked the fourth anniversary of this site breaking the news about a breach at Target involving some 40 million customer credit and debit cards. It has been fascinating in the years since that epic intrusion to see how organized cyber thieves have shifted from targeting big box retailers to hacking a broad swath of small to mid-sized merchants.”

In order for Transnational Organized Crime groups/Thugs to acquire product or steal physical monetary proceeds, one must consider an old saying. Why do bank robbers rob banks? Because that is where the money is. Years ago, that was the case. However, today someone half-a-world away can try and access your vault of data and sensitive information seemingly without having to wear a disguise and busting down the front door.

Today, not only does the interconnected nature of systems enable easy access to your IT environment, but it greatly increases the number of people attempting to hack your environment. The advent of open-source hacking software and YouTube videos enables the distribution and understanding of dangerous software easy to acquire and implement.

Disgruntled insiders/Industrial Spies pursue to extract revenge for perceived infractions or perhaps steal proprietary production methods. The insider continues to be the biggest threat to a company today. They have insider access and, if they feel betrayed, may wreak havoc on your crops, distribution channel, retail outlets or cash management. An industrial spy who may pose as a trusted employee can do as much damage and more by taking your secrets to a competitor.

What are the business procedures in actually bringing seed to market:
  1. Acquisition of CLEAN seeds/fertilizer/soil
  2. Automated control systems to manage/monitor temperature, humidity, watering
  3. Harvesting
  4. Packaging
  5. Distribution
  6. Patient and customer interactions
  7. Sale and collection of money
Inherent in each of these elements, a host of automated processes all with their own security protocols and vulnerabilities exists.
 
While those are the higher-level business elements, what is not stated are the various pieces of sensitive and regulated information collected along the way. These include names, addresses, social security numbers of staff, credit card or bank accounts of vendors and customers, legal agreements, etc.
 
The security and integrity of each of these processes and safely capturing and securing the data elements are all components where thought, procedure and practice can mean the difference between a secured company and one that is at risk.
 
Let’s take a few examples of security and data breaches from the recent past:
  1. MJ Freeway had two hacks occur that caused a service interruption and left more than 1,000 retail cannabis clients unable to track sales and inventories. Because of the state regulation to keep records, some closed—others went to pen and paper.
  2. The Nevada Div. of Public and Behavioral Health had a data security incident when a web portal was breached and nearly 12,000 dispensary applications were released.
  3. Don Davidson, MD, detected unauthorized access in their electronic medical records system. Patients who received medical consultations through DonDavidsonMD.com or EazeMD may have had limited medical information compromised; name, phone number and patient notes. EazeMD is medical marijuana delivery service.
Everything connected to the internet can be a potential vulnerability.
 
But, what’s reasonable? What provides the best return on your investment? What cyber and information security controls make sense for the size of your company?
 
Next Month’s article will review some of the actions that can be taken to mitigate common vulnerabilities and a high-level review of a possible value proposition.

To learn more about the cyber risks associated with the cannabis industry, please contact Karl Kispert with Grassi & Co. or Arnold Klein with Topel Forman.

We’re great alone, but we’re “Moore Together!” If you would like to collaborate with other members, or if you have a topic you would like to address, please contact Laura Ponath.

About the authors:
Karl Kispert is the Cyber and Information Security Principal at Grassi & Co., the 70th largest accounting firm in the US specializing in auditing, tax, technology, and business consulting services. Grassi & Co. has offices in New York City, Long Island, White Plains, NY, and Park Ridge, NJ as well as internationally through its association with Moore Stephens International. He can be reached directly at kkispert@grassicpas.com. www.grassicpas.com.

Arnold Klein is the Founding Partner/Member of Topel Forman Information Services, LLC. A Chicago based Information Technology Firm providing IT guidance, design, implementation and support for small and mid-sized businesses. He can be reached at arnold@tfisllc.com, www.tfisllc.com.
 
* Goodman, Marc. "Chapter 2-System Crash." In Future Crimes, 31. New York, By: First Anchor Books, 2016.