Cybersecurity and cannabis may sound like two different worlds. In fact, cannabis operators might think no one would target an industry that does not even participate in the national banking system. Who's going to know our passwords? Who'd hack a weed company? These are common reactions to cybersecurity, in all sectors.
Cybersecurity expert Brian Haugli told Benzinga in an exclusive interview that we're all potential targets. Forget the evil nerd in a dark basement. That's Hollywood. Most likely, if you're in the cannabis industry, your hackers are part of global organizations that have turned hacking into a lean, mean money-making machine.
“Some people might say, who's going to hack me?” said Haugli, who has worked for the US Defense Department and is the founder and CEO of Sidechannel, a cybersecurity firm that works with cannabis companies of all sizes to help them adopt security policies and technologies that are already standard in other industries.
Cybercriminals are using a ‘shotgun’ approach, meaning they are not hacking you because they dislike you but because you're an easy target. Through several ‘back-doors,’ they can infiltrate your WiFi, sweep your accounts, divert payroll, and shut down an entire facility until you pay a ransom.
"Cybersecurity goes way beyond protecting yourself from hacking,” Haugli said.
Who Is Going To Hack Us?
Haugli explained that cannabis companies are facing issues similar to those industrial agriculture dealt with several years ago. “Agricultural companies understood that their filtration and irrigation systems, machines, and greenhouses are all controlled by a corporate network and connected to the Internet,” Haugli said, adding that companies like Monsanto and others began addressing this situation years ago and cannabis must catch up.
"I've met a lot of folks in cannabis who have told me, ‘we have an I.T. provider.’ But they don't have an I.T. team. And that's where security steps in," he said. “Cannabis operators are starting to purchase systems, front-end, back-end, irrigation, lighting, etc. When they say, why me? Who's going to hack us? They should ask themselves, ‘are we connected to the Internet?'"
“Everybody is taking orders, fulfilling requests, processing money online, making payments, and scheduling. Folks can worry about bad guys hacking them. But that's not everybody. Sometimes you have malicious groups with a ‘shotgun approach,’ they spray-and-pray. They're not targeting you, but they can hit you. They're targeting your exposure,” Haugli said. “They can target you to either extort them through ransomware, data leakage, steal information, or just shut things down.”
From Russia With Love: An Industry Of Hacking
Haugli noted many ransomware groups originated in the Eastern Bloc.
“Ex-KGB Stasi guys were able to hone in on kids coming out of great computer science colleges in Eastern Europe that couldn't get jobs. We started seeing this, 20 years ago. Now you’ve got criminal syndicates operating with the blessing of Moscow. As long as they get a kickback, they're allowed to operate."
He noted that a variety of skill sets come into play and recommended that cannabis companies and executives stop thinking of hackers as unique individuals and instead see them as mundane employees of offshore shell companies.
"These groups are running like businesses, they have H.R. and payroll, benefits, holidays, and shell companies structured around them so that they can operate. There are even quotas to meet!"
“A lot of the stuff you need to run an IT infrastructure is the type of skill set you need to work with these criminal groups. They're operating inside your Office 365 environment, and unless you understand very well how Microsoft works, you're not going to be very good at infiltrating an email server to fraudulently move wire transfers of money to offshore accounts.”
Haugli said that like traditional agriculture, cannabis is at risk. “When you look under the hood, the cannabis industry is using the same systems and has the same vulnerabilities. Shutting down a plant for who knows how long, what is the cost of that?”
Countermeasures? Start By Training Your Staff
We often imagine cybersecurity solutions are technological and expensive: a data server the size of an SUV, licensed software, tons of processing capacity, a slick algorithm, or an extended network of edgy sensors.
In fact, there is a human angle that doesn't necessarily require having the biggest gun in the room. Haugli says you need to work with your staff, which is why Sidechannel “focuses on the people who do the operations and are the largest attack surface.”
“There is standard employee training for every position, safety training, fire drills, CPR classes, and it makes a lot of sense to continue to do that around cybersecurity to protect your data and intellectual property, your brand, your reputation, and your company,” Haugli said, adding that training can take months but it's essential.
Ctrl + Alt + Shift: Cybersecurity And Corporate Culture
Companies spent millions building cannabis brands, streamlining their supply chains, and patenting solutions, to drive costs down and efficiency up. All of that could vanish with a click from a hacker who could steal knowledge that took companies years and billions to gain.
He noted the importance of understanding that cybersecurity operates on a logical plane. “You can't touch a database or intellectual property. It does not operate on a physical plane. But through training, you can get people to understand that.” Haugli added that hackers can cause more than a capital loss and can also hurt workers.
“The last thing you want for a manufacturing operation is for someone to get injured. A change in a computer system, a machine spinning too fast or too slow, could hurt a person,” Haugli said.
Haugli noted that corporate espionage is sometimes overlooked by security frameworks designed for physical spaces. The web should be thought of as a tangible space, requiring a change in corporate and security mindsets.
“Companies have unscrupulous competitors, who are willing to take a shortcut to their success and steal ideas. We've seen the Chinese government do this to US companies. We've seen corporations do this to other corporations inside the US,” Haugli said.
“Companies are fine locking the front doors and hiring a security guard at their building, but sometimes they won't patch or secure the computer systems or the cloud systems that hold their intellectual property. Nobody is going to physically steal the intellectual property of a cannabis company. It's a lot easier to go through the system than through a wall,” Haugli cautioned.
“People need to look at where they are in the cannabis supply chain, whether they're growing, distributing, manufacturing, or selling cannabis products, and take the steps to address different risks,” Haugli concluded.
Image Credits: Brian Haugli - lindsayfox on Pixabay and photo: Courtesy of Side Channel.
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.