Canada legalized recreational cannabis in 2018, giving rise to a new industry that has been growing steadily. With total sales touching $7 billion in 2020, the cannabis industry in Canada is a lucrative business. As in every other new vertical, several players—large and small—have set up shop to capitalize on this sector. 

But just like every other new industry, retail dispensaries, medical clinics, and licensed producers are still figuring out the economic landscape, clientele and growth opportunities in this segment. Organizations are also coming to terms with the threats that are in play. The biggest cyber threat comes from cybercriminals looking to make a quick buck. With little experience to fall back on, most companies have yet to understand the cybersecurity threat landscape involved. Malicious actors know this very well. The lack of awareness of looming threats has left the industry vulnerable to large-scale cyberattacks by hackers looking to pillage data, loot money and shut down operations. 

Why are cannabis industry cyberattacks on the rise? 

The legalized recreational cannabis industry in Canada was born just three years ago. Before 2018, most of the trade happened in the black market. Upon legalization, many entities jumped on the opportunity to market different types of recreational cannabis to an eager clientele. While large companies consolidated their operations, many small mom-and-pop shops also came up, and mergers and acquisitions in this space are still quite common. With all the business growth, adaption and changes, problems with cybersecurity occurs.

  • Many small-sized companies 

According to Statistics Canada, 18% of small businesses were affected by cybersecurity incidents in 2019. Unfortunately, almost half of those affected ended up shutting shop, pointing to a dangerous trend that most hackers leverage. Small businesses do not have the technical support to protect themselves in case of an attack. Vulnerable businesses end up shuttered after a cyber attack. The cannabis industry suffers the same weakness. The small mom-and-pop shops are attractive targets for cybercriminals. 

  • Cash strapped businesses

Just like most startups, new entrants in the Cannabis industry are solely focused on growth and profitability. With little money to splurge on a robust cybersecurity setup, they’re also primary targets on every hacker’s radar. Many companies view cybersecurity as a luxury investment that can wait a few more years. They couldn’t be more wrong. 

  • Tons of data to steal

Data is the commodity that threat actors try to steal. As long as data is deemed valuable, they’ll continue to hack organizations. Incidentally, Cannabis companies store tons of sensitive customer data. From medical and insurance records to social security and contact information, Cannabis companies are practically treasure troves for opportunistic cybercriminals. 

  • Merger and Acquisitions

Many larger cannabis companies are buying out other smaller organizations to expand their footprint as a strategic play to grow their company and increase profits. When an M & A takes place, the buyer may purchase a company that already has threat actors within their IT infrastructure, which poses a great threat to the buyer’s current networks and infrastructure when both networks and systems are merged.

What happened to Aurora Cannabis? 

On Christmas day, 2020, Aurora Cannabis, one of the biggest cannabis companies in the country, discovered a major data breach in their networks. While Aurora’s spokesperson asserted that operations and patient systems weren’t affected by the breach, reports say the leaked data is available for sale on the dark web for one bitcoin. Advertisements showing screenshots of the leaked data have surfaced, giving rise to speculation concerning the scale of the breach. 

About 50 GB worth of data was stolen, affecting both current and former employees. Stolen data included information, such as medical diagnoses, credit card info, government ids, residential addresses, banking details, passport images, cheques, driver’s licenses and confidential business documents. 

There have also been other incidents in the cannabis industry. Natural Health Services, the Calgary-based health center and the operator of Canada’s largest medical cannabis referral network suffered a breach between December 2018 and January 2019 that exposed private patient information. 

What steps can be taken to curb cannabis industry cyberattacks

The cannabis industry needs to take concrete steps to reduce its exposure to cybercrime. Here are some steps that can help. 

  • Penetration testing

Conducting a pen test will help officials identify weaknesses, entry points, attack vectors and exposure levels. Once documented, the company can shore up its defences, set up security protocols and prepare response plans in case of attack. 

  • Compromise Assessments

A Compromise Assessment is a penetration test that focuses on answering the question: Have my company been breached? The Assessment will provide insight into any unknown security breaches, malware, or signs of unauthorized access. This service is especially helpful to conduct before a Merger and Acquisition takes place.

  • Purple Teaming

Purple teaming is a more collaborative testing exercise where your internal security operations team would work with a 3rd party penetration testing company to bridge the gap between offensive techniques and response efforts. This penetration exercise will provide real-life attack scenarios so that your team can close the gaps, strengthen your company’s security posture, and prevent data theft. 

  • Apply the principle of least privilege 

The principle of least privilege dictates that employees only be given the lowest level of necessary system access and permissions. So, privileged information remains relatively safe because fewer people are involved in its handling. 

  • Spreading cybersecurity awareness

Most data breaches are the result of human errors. They happen when employees click on malicious emails, become targets of phishing campaigns, or forget to follow basic hygiene. Building a cyber awareness program that outlines its importance, basic hygiene tips, and other practices will ensure employees remain vigilant at all times. 

Even though the cannabis industry is relatively new, it’s not free from threats. If anything, it’s even more vulnerable to threats. Companies need to take accountability for the patient and customer data they hold, including taking the steps necessary to safeguard it.