As the cultural discourse surrounding cannabis begins to shift in favor of dispensaries and growers, it is only natural that the industry’s advertising and overall services become more digitized. This, of course, gives sellers the opportunity to reach consumers across the globe, but that exposure does not bring exclusively positive outcomes, as social engineering shows. The Symantec Corporation defines social engineering as the act of tricking someone into divulging information or taking action, usually through technology. Given the inconspicuous nature of social engineering, cannabis dispensaries and growers need to keep a particularly keen eye on this form of cyber attack when promoting their business on online platforms.
When designing an attack, social engineers tend to conduct a great deal of background research on their intended victim. The attacker gathers the background information needed to determine a point of entry. In most cases, this involves identifying a point of vulnerability that will increase the likelihood of gaining the intended victim’s trust and appearing legitimate. Often social engineers will introduce themselves as a wholesaler, distributor, fellow grower, or even a compliance consultant.
Since the cannabis industry is not federally legal, social engineering poses a unique and broad-based threat. Take the following example: from the supplier’s perspective, social engineering gives hackers a unique opportunity to disguise themselves as an inquisitive, eager consumer. These same “consumers” could have criminal intent to open a parallel service within their own state, where cannabis is not yet legal. Should these “consumers” be extradited, the dispensary and/or grower that they were networking with may be held accountable in the legal proceedings. Thus, a friendly encounter online always has the potential to go sour, especially when a business’s operations are not universally welcomed, accepted, or tolerated.
While a worst-case scenario, this example highlights why cannabis dispensaries and growers need to proceed with caution. Because the World Wide Web connects individuals from across the globe, from nations, states, and cities with wide varieties of jurisdictions and laws on cannabis, dispensaries and growers need to worry about more than compliance. In a field where liability and legality are so geographically specific, suppliers must go the extra mile to know exactly who they are working with at all times, and what their intentions are. They need to ensure they are not being hacked through the use of social engineering. Hence it is imperative that cannabis dispensaries and growers implement a strong cybersecurity system to keep social engineers out.
It is only natural for dispensaries and growers to use the Internet to influence their sales, advertising, and services, especially with the cultural discourse beginning to shift in the industry’s favor. Cannabis dispensaries and growers must form strategies that recognize and address the growing social engineering threat. One strategy is paying close attention to what a grower shares on social media. Growers and dispensaries should acknowledge their compliance with local, state, and federal cannabis laws, as well as what specific services they are willing to provide and not provide. Maintaining a reasonable amount of transparency with the viewer will make it more likely that your business can tell which requests seem like a sham and which seem legitimate.
Another tactic growers and dispensaries can implement to counter social engineering in the form of phishing is following best password practices. Some experts explain that six-letter passwords with only lowercase letters can be obtained by hackers within 10 minutes. Optimal password security should involve a mix of uppercase letters, lowercase letters, numbers, and symbols, as well as incorporating MFA (multi-factor authentication: confirming a user’s identity through multiple forms of evidence). When password security is weak, social engineers have an opportunity to gain your information and craft a thoughtful attempt at making your business vulnerable. Thus, upholding strong password security through the use of longer passwords and MFA in the form of a PIN code, an authorization code sent to your phone, and/or secret questions will help your business maintain control over its sensitive information.
Other tactics that social engineers use include quid pro quo, which involves the promise of a service in exchange for information. Social engineers can pretend to be an IT company, a fellow customer support specialist, and/or someone from the web department who needs to make an update. This type of attack enables social engineers to obtain sensitive information such as passwords and other credentials that can greatly impact the business.
Pretexting is also a major concern for cannabis dispensaries and growers, as the hackers prey on the company’s desire to trust. A social engineer can contact an employee at the dispensary and claim to be a doctor or a pharmacist. The supposed doctor or pharmacist will insist that they need sensitive data such as a patient’s address, social security number, and/or credit card information. Once the data is handed over, the social engineers have won, and the dispensary and/or grower will be held accountable for a HIPAA compliance breach.
Baiting is also a widely used tactic by social engineers. All they need to do is send a specific type of pop-up that insists it is imperative to update the POS (point of sale system) or OS (operating system) due to a vulnerability. Instead of fixing anything, the update steals sensitive data.
As cannabis dispensaries and growers either begin or continue to use the World Wide Web for their business, suppliers must fully acknowledge the advantage that social engineering gives cybercriminals in keeping them disguised. The cannabis industry is particularly vulnerable to legal investigations, given that its laws differ from one location to another, and must keep a keen eye on keeping its information under safe control at all times. Therefore, given the mysterious and thoughtful nature of social engineering, cannabis suppliers require all-encompassing strategies to address this particular form of cyber hacking by implementing a strong cybersecurity system.