In late 2018, the online Ontario Cannabis Store (OCS) experienced a data breach. The privacy of 4,500 OCS customers was compromised as names, postal codes, and delivery information fell into the hands of a hacker.
After an investigation, the flaw was found to be in Canada Post’s tracking system, with the breach extending beyond OCS customers. Although the incident was resolved quickly (and with little harm done), it was alarming to cannabis retailers and consumers alike. How did we let this happen? And how can we prevent it from happening again?
What is Cybersecurity?
Studies show that consumers are growing more aware of personal data protection and less confident that their data security is taken seriously. Building trust with your clientele is just one of many reasons why practicing cybersecurity is so important. Along with preserving sensitive data, cybersecurity protects personally identifiable information (PII), intellectual property, protected health information (PHI), and government and industry information from theft and damage. The goal is to keep the digital networks that hold both personal and business information secure.
“What people don’t realize is just how dangerous the online world has gotten over the past couple years,” says Loïc Calvez, Co-Founder and CEO of ALCiT, an emerging Managed Security Services Provider (MSSP). “The sheer number of cyber attacks and the sophistication we’re seeing now is nothing like it was before.”
What Happens When Cybersecurity is Compromised?
One of the most famous cybersecurity breaches happened to Target in November of 2013, when hackers compromised 40 million payment card accounts and 70 million customer records. Using stolen credentials, hackers gained access to an internal database where they installed malware and captured full names, addresses, and payment information.
“One of the big misconceptions is that small businesses aren’t targets for a cyber attack,” Calvez says.
“Business owners tend to believe you need to be a large, well-known company with a lot of money. Today that’s just no longer the case. Cyber attacks can be automated and are happening all the time. They’re targeting everyone.”
Consequences of a cybersecurity breach aren’t exclusive to customers, either.
“One of the less talked about consequences is the theft of intellectual property,” Calvez explains. “If a cannabis retailer were to get hacked, that could seriously hurt your brand and put you back at square one. Aside from that, your business would also have data showing what’s working for you and what’s not. What’s your biggest seller? What’s your key demographic? What kind of repeat business do you get? There’s a lot of private information from a business perspective that you wouldn’t want your competitor to get their hands on.”
It’s not just computers we need to be wary of—our phones, tablets, and other gadgets that connect to the Internet are also susceptible to cyber attacks. It’s important to learn about the types of cyber threats and how to prevent them.
Four Common Types of Cyber Attacks
Hollywood movies would have us believe hackers are geniuses sitting behind giant computers writing code for viruses and cracking passwords with incredible software. However, the reality is quite the contrary—most cyber breaches happen because someone either didn’t invest in proper cybersecurity, created lazy passwords, or clicked and opened something they weren’t supposed to.
Most cyber criminals aren’t attacking technology or software; they’re attacking people.
The following are some common types of attacks:
Phishing – Individuals are contacted by email, telephone, or text message by someone pretending to be a legitimate business. By creating a sense of urgency (your account is being frozen! Please update your payment info!), these hackers trick individuals into providing sensitive data such as personally identifiable information, credit card details, and passwords.
Man-in-the-middle – Vulnerable networks, WiFi connections, and communication lines make it easy for cyber criminals to execute this security breach. Imagine being on a video call with your employee who has just given you sensitive information. A hacker (our man-in-the-middle) will be listening in on that conversation and collecting the information you spoke about.
Malware – Malware is short for malicious software and encompasses viruses, ransomware, and spyware. Cybercriminals will create this software and install it on their victim’s device(s) without their knowledge. While malware usually serves as a means for financial gain, sometimes hackers are looking for personal information or to damage your devices.
Password attack – Whether it’s through guessing or using some of the more common passwords, a password attack is an attempt to steal passwords and access information. Keep your passwords strong and make a lockout policy part of your cybersecurity.
Cybersecurity is a Team Effort
While firewalls and antivirus software will help keep you compliant and your data secure, they should not be your sole security measures.
“The fact of the matter is a lot of cyber attacks happen through email, malicious sites, misconfigured firewalls, and weak passwords,” explains Eric Schlissel, CEO and CTO at Geek Tek. “Make sure your team is aware of best practices for keeping your networks secure. Do they understand what a strong password is? Do they know what a phishing email looks like? Do they know how to identify a risky website? How about what to do if you get infected?”
Schlissel also points out the importance of assessing your business needs when it comes to cybersecurity.
“Risk mitigation is one of the most important things you can do,” Schlissel says. “If your database was compromised, what does that mean for your business? What happens if you’re found to be out of compliance?”
A Canadian report on data protection revealed that while small business owners recognize data security risk, they often underestimate the consequences. For cannabis retailers, ensuring their customers’ private information remains private is critical to the business. Moreover, any loss of data or being unable to produce information requested by regulatory governing bodies could put a cannabis retailer out of business.
So if you haven’t thought much about your cybersecurity, it might be time to start.