Ransomware Attacks Spur Concern Among Cannabis Companies

Published on

Imagine logging on to your business’ computer systems, only to find your most critical information and tools locked and inaccessible. A message demands a ransom, often to be paid in cryptocurrency, or the data will be locked forever or even possibly leaked online.

Get The Full Henry Singleton Series in PDF

Get the entire 4-part series on Henry Singleton in PDF. Save it to your desktop, read it on your tablet, or email to your colleagues

Q3 2021 hedge fund letters, conferences and more

Ransomware attacks have spiked since the start of the pandemic, increasing 150% over 2019, part of a larger international trend going back ten years. This trend has caught many businesses off-guard and unprepared, opening them up to lost data, interrupted operations, and high financial expense. I chatted with cannabis executives from Regrow and Confia to discuss the risk posed by ransomware and the steps businesses need to take to be protected.

What Is Ransomware?

Ransomware is a type of malicious computer software that blocks access to computer systems and data until a ransom is paid. Sometimes, ransomware threatens to publish sensitive data online as well. Basic ransomware simply blocks a user from accessing their computer and can be reversed by someone with the skill to do it. More advanced software encrypts the computer’s data, more effectively locking the computer. Payment of the ransom is typically made using cryptocurrency, so it is untraceable.

Why Are Cannabis Companies Especially At Risk?

As an emerging industry, some cannabis companies may believe that they are too small to be a target. Others simply don’t understand the extraordinary risk involved. You don’t need to be a large company to be targeted by ransomware. It is estimated that between 50 and 75 percent of all ransomware attacks are on small businesses simply because they are the least protected and the least prepared.

According to a report from MJBiz Daily, 41% of cannabis businesses aren’t taking the necessary steps to protect themselves online. This lack of security makes it easier for ransomware attacks, even passive ones, to take hold of your systems. For cannabis businesses, many of which are startups, larger concerns like compliance are often prioritized over cybersecurity, leading to vulnerability.

The Fallout From Ransomware Attacks

The financial cost to your business from a ransomware attack can be significant. The average ransom demand in 2020 was over $300,000. The ransom paid or tech services hired to end a ransomware attack is just one the impacts your business might feel.

If you are a retail business, stolen consumer information that is leaked online can damage your reputation and sow distrust among your customers. The same is true of employee personal information. Your employees trust you to keep their information safe. Failure to do so can erode their faith in your company.

Cultivators hit by ransomware can also experience secondary effects. Many cannabis cultivators rely on automated systems and data analysis when running their operations. Removing access to a cultivator’s systems can derail current operations and halt attempts to restart.

How Can I Keep My Business Safe?

A good first step in cybersecurity is antivirus software equipped for the latest online threats. However, strong antivirus protection is just the beginning when defending against ransomware attacks.

“To protect themselves and their customers before they get hit, cannabis organizations are going to need to adopt the same security procedures and protocols that those big Fortune 500 companies are employing,” says Rob Woodbyrne, CEO of Regrow, creators of dynamic operations software for the cannabis industry . “This would include implementing mobile workforce management systems to ensure that anyone interacting with company data, like email, files, etc., has adequate protection on their devices as defined by the business.”

Training employees in best cybersecurity practices can help identify phishing attempts before they become big problems. “The primary attack vector for ransomware is email. Having proper email/spam filtering, as well as end user awareness through repeated training, will help mitigate potential threats,” Woodbyrne adds.

A VPN (virtual private network) for remote workers ensures that your confidential information is secure at all times, even when conditions aren’t ideal. Adding a layer of security to your data, a VPN encrypts your data when both sent and received, making it harder to access.

“But the ultimate way to safeguard against potential ransomware and security breaches is by housing data in cloud based services that have passed stringent certifications like ISO 27001 and ISO 27017, as well as built-in email, integration, and database encryptions. Regrow maintains every regulatory and industry compliance Information Security Management certification for all its data centers,” says Woodbyrne.

Additionally, it’s critical to work with trusted partners that also take important measures to secure data. “Cannabis companies need to give great consideration to who they procure for software and banking providers,” says Mark Lozzi, CEO of Confia, which offers comprehensive financial systems to cannabis retailers.

“The richest data is in banking/POS systems, where consumer and Personal Identifiable Information (PII) resides. Ransomware outfits look to capitalize on fiat or digital assets or marketable information - like PII. So when assessing your software and service providers, you need to ensure they have adequate security audits completed, as well as proof of penetration testing,” continues Lozzi.

Ransomware can cost a business thousands of dollars and cripple operations, making it a frightening proposition for any company. Even as ransomware attacks surge, you can keep your business safe from online threats by taking steps to secure it internally, while also carefully choosing external partners that hold cybersecurity as a top priority.