Protecting Your Information and Security In Cannabis: Part 1

Small to medium-sized entities (SMEs) are under attack. The media attention on the cannabis industry and the large number of SMEs in cannabis make them an attractive target for cybercriminals and hackers. Current headlines show that this trend is picking up.

“Data Breach Exposes Data of Thousands of Medical Marijuana Patients”

Awareness without action is not helpful. Most security headlines and thought leadership do little more than scare you. Lying in bed under a weighted blanket is not an option. The good news: good cyber hygiene practices are relatively easy to implement, typically cost little more than time, and protect against 80% – 90% of the currently known attack methods.

This blog series will focus on practical, immediate actions that you can take to secure your information, your business, and your personal finances.

1A. Business Email Compromise (BEC), i.e., Phishing – What and Why You Should Care:

  • The easiest way to gain entry to your financials, systems, and information is by getting your userid and password.
  • 81% of the reported breaches in 2018 involved stolen passwords. 95% of these came through phishing messages, e.g., email, LinkedIn, Slack, WhatsApp, and Facebook.
  • Attackers send you messages directly or attempt to gain access through your coworkers, your accountant, your attorney, your bank, your suppliers, or other trusted connections in an attempt to get to your userid and password credentials.

1A. Business Email Compromise (BEC), i.e., Phishing – What and Why You Should Care:

  • Start with awareness. Even as the tactics and tools of security change, awareness. Phishing messages are growing more sophisticated, making them harder to identify.
    • Were you expecting the interaction? Be suspicious if you receive an unsolicited resume or you did not initiate contact with your bank.
    • Are there any misspellings in the email reply address or website URL? Attackers make subtle changes to the link or email address, e.g., YouTobe is not YouTube.
    • Have they requested your login data? Banks, telcos, and utilities may request other identifying information, but never your userid and password.
  • Sheer volume is key to the success of phishing. Attackers “spray and pray”, hoping to catch one person in your organization or network off guard.
    • Filtering cuts down on the volume of phishing messages, making it easier for you and your team to focus on a few exceptions, rather than mass messages.
      • Google Suite, e.g., Gmail, Drive, and Docs, includes attachment scanning without additional administrator actions or subscription costs.
      • Microsoft Office subscribers can add Advanced Threat Protection (ATP) anti-phishing to their Office 365 subscription for an additional fee.
    • Phishing via Microsoft Teams, Slack, Facebook, and LinkedIn messages is becoming common. Attackers will look for new hunting grounds as email security improves.
  • Secure your devices by keeping them up to date and running anti-malware software. Think of system updates as the equivalent of a digital oil change. You can postpone them, but postponing them long enough will lead to problems down the line. Antivirus solutions work as vaccines, working with awareness and system updates for maximum effectiveness.
    • Phishing messages often include attachments or links that prompt the user to download malicious code. Malicious code may be disguised as a resume, sales contract, Excel workbook, or link to a bogus website, e.g., Google Dive instead of Google Drive.
    • Antivirus and anti-malware software will scan attachments for malicious code. Freeware solutions are available, as well as paid subscriptions. Note that you only need one solution. Two antivirus programs running side by side will cancel each other out. Most antivirus software includes anti-malware functionality.
    • Turn on automatic updates for your browsers, computers, and mobile devices. Older systems, e.g., Windows 7 or older, should be considered for replacement. Attackers share known exploits, and they have simply had more time to experiment on older systems. If providers, e.g., Microsoft, Apple, Intuit, or Google, are no longer issuing updates for the software or operating system, you should retire the older system.
    • Attackers often target older web browsers and connected software, e.g., Microsoft Office, Google Chrome, and Mozilla Firefox. Browser updates keep your software safe and running efficiently.
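
The misspelled-address check described above (YouTobe is not YouTube) can be automated for the sender addresses and links in incoming mail. The following is an added example, not part of the original post; the trusted-domain list, function names, and sample inputs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains this hypothetical business really deals with.
TRUSTED = {"youtube.com", "google.com", "microsoft.com", "linkedin.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Lower-cased host taken from a URL or from the part after '@' in an address."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1]

def classify(value, trusted=TRUSTED, max_distance=2):
    """Return (verdict, detail) for one sender address or link."""
    host = host_of(value)
    if any(host == t or host.endswith("." + t) for t in trusted):
        return ("trusted", host)
    # A trusted name used as a prefix of some other domain.
    for t in sorted(trusted):
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("embeds-trusted-name", t)
    # Simplification (assumption): the last two labels are the registered domain.
    base = ".".join(host.split(".")[-2:])
    closest = min(sorted(trusted), key=lambda t: edit_distance(base, t))
    if edit_distance(base, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", host)

if __name__ == "__main__":
    samples = [  # constructed inputs
        "https://www.youtobe.com/watch",
        "billing@micros0ft.com",
        "https://youtube.com.login-check.example/reset",
        "support@linkedin.com",
        "hello@example.org",
    ]
    for s in samples:
        print(f"{s:50} {classify(s)}")
```

A "lookalike" or "embeds-trusted-name" verdict is a reason to verify by phone before clicking or replying; an "unknown" verdict only means the domain is not on the list.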

Protecting yourself from phishing and business email compromise combines people, process, and technology. Make sure that people are comfortable raising their hands if they see something questionable. Establish a culture where people pick up the phone to verify transactions and keep their systems up to date. Older devices may seem inexpensive in the moment, but in the long run, they could be the key that a thief uses to open your doors.

Over time, we will continue to expand on the subject of information security in the cannabis industry. We welcome your suggestions and feedback for future posts.

Matt Leathers

Matt has over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world. Currently, Matt is a senior consultant at Kettle Consulting Group, which aims to help clients build strategic business and technology capabilities that assume long-term independence and sustainability.
He can be reached at: [email protected]