Education, audits and standard operating procedures provide the best defense against cybercriminals
In the world of cybersecurity, it often seems the only people who really have a deep understanding of it are either trying to rob you or protect you — and it’s not always easy to tell who’s who.
And as technology has grown in complexity, so too have cybercriminals, with schemes much more duplicitous than a Nigerian prince offering to share a fortune if you’ll send your bank account information.
“A really high percentage of attacks that work right now are based on social engineering, whether it’s a phone call that comes in or a phishing email,” says David Drake, the director of engineering at Flourish Software. “Criminals that are trying to breach networks are going to be looking for things like phone numbers or email addresses to be valid, because they want to increase the size of their attack surface.”
Then there are the new internet-connected devices that seem to be replacing traditional, analog technology at cultivation facilities, manufacturing operations and retail stores, controlling everything from black-out curtains to kitchen appliances to cash registers, each with its own IP address — a potential back door for thieves to hold a business hostage.
But as daunting as these digital threats may seem, almost none of the schemes would work without help from someone on the inside. Whether that person is an employee who has been duped into revealing sensitive data to criminals or even management complacent enough to use the default passwords on their internet-connected devices, the first — and most often only — line of defense against cybercrime is an educated workforce.
“If you are not putting security parameters in place, then you are just leaving your front door open,” says Kelly Beaver, co-founder of CannaTech Network and director of client success for Flourish. “Some people set up their security with their login and password set as ‘Admin.’ You went through all the trouble to buy a nice security system but didn’t change the standard password?”
Phishing is by far the most common form of cybercrime, according to the FBI’s Internet Crime Report 2020. The FBI defines phishing as the “use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.”
A recent report from the cybersecurity company Tessian estimates that 75% or organizations around the world experienced a phishing attack in 2020. Tessian reports that Microsoft is the most impersonated brand used for phishing emails, and 76% of phishing emails do not have an attachment. According to the FBI, in 2020 California and Florida were home to more victims of cybercrime (69,541 and 53,793, respectively) than any other U.S. state. California saw the highest amount of loss in the country, totaling more than $621 million in 2020.
Drake says there are many third-party software solutions to help businesses filter out phishing emails, but most rely on users marking emails as junk or spam and then use those submissions to build on its algorithms and databases to determine if incoming emails are phishing attempts.
The secure email gateways (SEGs) that come standard from most email service providers and third-party security software will filter out a lot of the known threats, but newer attacks can easily slip past those defenses, and then it comes down to the procedures and training the company has in place to be able to catch the malicious emails before it’s too late.
“If people aren’t trained on it, and if they don’t have it in mind, then there’s a good chance that it will work,” Drake says. “You really should be looking toward some kind of outsourced auditing system or setting standard operating procedures that make you revisit compliance annually, so it is on every employee’s mind.”
Phishing schemes typically start with hackers testing to see if an email or phone number has someone readily available to respond at the other end. Once verified, the attacker usually starts probing for personal information that can be used to grant them control of the email account itself, as well as all the services that are associated with it.
Drake says one such tactic is to pose as a fellow employee and email other known accounts within the company looking to get their password reset to their preferred phrase or code.
“They will say, ‘I need to get my password reset to ‘X’ or ‘I’m on the road, can you reset my password to ‘X?’” Drake says. “So it’s not just about gathering information, but also about trying to get people to perform actions on their behalf.”
While the very term “cybersecurity” evokes the idea of a digital line of defense, many business owners and operators are unaware of the actual physical threats they installed themselves at their businesses. Beaver says a lot of cannabis businesses have IT infrastructure as one of the last budgeted items. In many cases, business owners simply take the internet router they received from their service provider for free instead of spending a little extra for something much more secure.
“They end up going with poor, mass-produced products, like one a person would have in their house, and they are using that to protect the business that is running credit card transactions or storing people’s information,” Beaver says. “If someone is writing malicious code for an attack or trying to breach someone’s Wi-Fi, and they have the same router as millions and millions of other people, then they are a prime target because it’s easy for someone writing malicious code to write it for the product everyone has instead of something that is more secure.”
Beaver believes many people are under the impression that the devices they’re using, such as METRC hardware, environmental control systems or card processing software, have their own security. However, if someone is inside their local network, they can target every connected device.
METRC is a minimum level of security, similar to getting a router from Comcast, Beaver says.
“The worst thing is for people to see that you are only following the basic, core minimum to keep their data safe,” he says, “and if there’s a breach, then that will become the story of your business.”
“Compliance and security are two completely different things,” Drake adds.
Drake says IOT devices have IP addresses and are on a network and are therefore accessible to anyone who can provide authentication. It is all too common for purchasers of these devices to simply skip updating the pre-installed passwords, leaving them under the default settings, which literally leaves the device open to anyone who wants to access it.
Websites like Shodan.io, can search for internet-connected devices that aren’t secure, Drake says.
The end goal for cybercriminals after successfully phishing for personal data or access to an internet-connected device is ransomware. As defined by the FBI, ransomware is “a type of malicious software designed to block access to a computer system until money is paid.”
“It doesn’t take much for a ransomware hacker to find an internet-connected device that is controlling your water pumps. Next thing you know, you can’t turn your water pumps on,” Drake says. “There are huge amounts of damage that can occur when you have internet-connected devices.”
“Even the big, multi-national businesses are getting hacked. It’s not a matter of if, it’s a matter of when,” Beaver adds.
As an example, Drake points to the German hospital that had its emergency care disrupted by a ransomware attack on September 9, 2020. In that case, the hospital’s digital infrastructure, which coordinates doctors, treatments and beds, was encrypted by hackers who demanded payment before letting hospital workers back into the system. The attack forced the hospital to cancel hundreds of operations and close its emergency department. During the attack, a 78-year-old woman died on her way to the hospital as her ambulance had to be rerouted, delaying her treatment.
Another, more recent ransomware attack hit the largest refined-oil pipeline in the United States, the Colonial Pipeline, on May 7, 2021. Hackers used ransomware to halt the flow of refined oil through the pipeline and demanded 75 bitcoin (worth approximately $4.4 million at the time) for its release.
“Ransomware attacks are happening all the time,” Beaver says. “It’s going on every day.”
Take the Initiative
While cybercrime is getting more and more complex, the steps business owners can take to protect themselves are far from rocket science.
Drake says it is relatively safe for businesses to use services and software that have strong security protocols, like two-factor authentication, but having good training and standard operating procedures in place that address cybercrime tactics is an important first step. Hiring an outside firm for reoccurring security audits is another critical step to maintain strong security protocols.
“Having a mixture of things in place, not only good tech security practices, but good standard operating procedures within your business, is going to be your best security,” Drake says. “You really should be looking toward some kind of outsourced auditing system or setting standard operating procedures that make you revisit compliance annually, so it is on every employee’s mind.”