Cannabis Business Security: Physical and Digital


Securing Your Cannabis Business: Physically and Digitally

In this Growers Spotlight, we interview Todd Kleperis, the CEO of Hard Car Security. Todd served 6 years in the US Army during the original Desert Storm and has spent 15 years designing security plans and products for companies throughout Asia.

The following was an interview with an industry expert. Growers Network does not endorse nor evaluate the claims of our interviewees, nor do they influence our editorial process. We thank our interviewees for their time and effort so we can continue our exclusive Growers Spotlight service.


Abbreviated Article

Editor’s Note: Growers Network appreciates its readers! If you are limited on time, we are now offering abbreviated versions of our articles.



About Todd Kleperis and Hard Car Security


What’s your background?

I’m former US Army. I served during the original Desert Storm, and when I left I started working in commercial security. I gained 15 years of experience building security plans and products in Asia. I also implemented numerous methods to prevent or reduce cyber attacks.



Securing Your Physical Business


What are some security terms?

Piggybacking

If I can follow a legitimate worker in or out of a building, I can access its infrastructure with ease. The same can be done digitally by “piggybacking” malware onto legitimate packets.


Mantrap

A mantrap is anything that can lock a person into one place. The minute you’re past one door, you can’t get through the next. It’s like an airlock, minus the vacuum.


First Shooter Response

You need to teach employees the basics:

  1. How do they respond if somebody walks into the facility with a weapon?
  2. How do they react in a shooter situation?
  3. What is the emergency response if there is a problem?


Red Teaming

A red team event is when you hire somebody from outside your company to test your system’s limits. They shake the figurative cage and find your vulnerabilities.

What about security robots?

The cannabis industry practically mandates at least one security guard for every facility. Any cannabusiness will see their overhead increase as a result. However, a robot can patrol 24/7 and only has an initial cost. It will diligently patrol without any distractions. Sharp Electronics has a pretty fantastic robot for this purpose.

How do you detect weapons?

Modern metal detectors can be embedded inside of a wall or door jamb. You don’t want threats to know that you know about a weapon. You can quietly dial for help before an incident occurs.



Securing Your Cyber Business


How do you defend your business?


A company called DarkTrace uses a heuristic method to detect intrusions. The first week DarkTrace is active, it learns the behavior of your business and employees. By the second week, it is protecting your systems from anomalies.

How do you train employees for cyber threats?

A company called KnowBe4 has a training simulator for phishing and hacking attempts. It sends out unscripted messages to trick employees, with a strange-looking link. It trains employees to recognize when something doesn’t look right.

What’s the goal of phishing?

The majority of attackers are looking for credit card(s) to get a dollar or two. If you ever notice your credit card is getting charged random, small amounts of less than $15, somebody phished you.

How do you prepare for something going wrong?

You build redundancies. They need to be implemented prior to a major event by your IT personnel. Be proactive about implementing redundancies for your systems.

What are some other considerations when it comes to cyber security?

Look at the Whole System

I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, etc. A saboteur could shut it all down, kill their harvest, and listen while they cried.


Know Your Risks

Each kind of business has different needs:

  1. Dispensaries are targets for thieves and robbers. Physical security is essential.
  2. Deliveries have to worry about robbery during their deliveries.
  3. Online ordering is becoming a big deal and customer information must be protected.
  4. Any online business needs to prioritize cybersecurity. It would be catastrophic if somebody knew customer information and order history.


Protect Yourself

If somebody has access to your phone, they might be able to access other systems. Avoid free WiFi networks for this reason. Alternatively, make or use a VPN.



Questions from the Community


Are there risks unique to the cannabis industry?

The system is vulnerable to robbery and theft. It deals primarily in cash, which is a risk. Additionally, the products are worth thousands of dollars and are often shipped with minimal protections.

What are differences in security based on operation size?

Believe it or not, a large facility may not have a lot of money, especially early on. It’s about “hardening” or fortifying a location. If you want to harden a location, what’s your security budget? That determines what you can do.

How has legalization affected security?

Legalization has been really positive for security. It has forced communities to recognize and acknowledge that they were putting people in harm’s way.

However, there is one concern with legalization that doesn’t get mentioned. If you hire a security company to remotely monitor you from another state, make sure that it is legal for them to do so, or you could both be in trouble.


If you want to read more, you can read the full article below.


Securing Your Physical Business



Piggybacking

Here’s an example. I walked into a dispensary a few weeks ago and I was surprised by the lack of security. While I was behind the glass enclosures talking with the owner, I noticed the back door was being used by people leaving the dispensary. I asked him if he was familiar with “piggybacking” and he said he was not.

I asked him to walk with me so I could demonstrate. I put my finger behind him and told him to pretend it was a gun and to react how you normally would at gunpoint. He walked silently through the door with me.

Piggybacking is a lot less fun than it sounds.

That’s piggybacking: if I can follow you in or out of a building very quickly, I can access your infrastructure with ease. This is the same term that they use in data centers and in big federal facilities.


Tailgating

Editor’s Note: Tailgating is similar to piggybacking, except it relies on deception instead of coercion. A tailgater is somebody who simply goes through an open door that somebody else left open or is holding open for them out of politeness. A tailgater lacks the necessary security clearance to pass an area, and relies on the fact that people may not recognize a security threat.


Mantrap

You’ve probably been in one without realizing it. If you’ve walked into an airport and had to go through a backscatter machine or millimeter wave machine, you’ve been in a mantrap.

An example of a mantrap.

A mantrap is anything that can lock a person into one place, like the backscatter machine. You could simply make one with two locking doors from Home Depot. The minute you’re past one door, you can’t get through the next.

You could say it’s a lot like an airlock, minus the air getting sucked out of it.


First Shooter Response

I’d like for business owners to understand that if their employees are sitting behind bulletproof glass, but the wall holding the glass is made of drywall, then they did absolutely nothing to protect their people.

This is why you don’t use drywall to protect anything vital.

There should be a standard guideline to show people the basics:

  1. What is your response if somebody walks into your facility with a weapon?
  2. Have you trained people how to react in a shooter situation?
  3. Have you talked with your employees about what the emergency response would be if there was a problem?
  4. How do you teach critical awareness to your staff?

Red Teaming

A red team event is when you hire somebody from outside your company to test your system’s limits. I highly recommend this for anybody in this industry: hire somebody to try everything they can think of in order to disrupt your systems. They’re going to shake the figurative cage; they’re going to kick the tires, go around the side, figure out a way in; they’re going to see if they can pull an AC unit off of the top of the building and get in.


It doesn’t matter whether it’s the local computer guy or a bigger security provider. Both could come in and test your system viability, your structure, and what happens when things go sideways.

Sure. The cannabis industry practically mandates at least one security guard in every facility. An average security guard can run $20-25/hr if they’re armed. Any business that works directly with the final product will see their overhead increase as a result.

A robot, on the other hand, can patrol 24/7, and it only costs the initial purchase (or rental price) and electricity costs. It will diligently patrol without any of the normal human distractions. Sharp Electronics has a pretty fantastic robot for this express purpose.


Example of a patrolling robot by Sharp Electronics.

It’ll detect everything from noxious gases to AC leaks to fires to intrusions. It will regularly sweep the perimeter, and if it detects something it will send an alert to a monitoring center. The monitoring center agent can talk to the intruder and inform them that they are being monitored, that the police are on their way, and that they may want to leave the premises.

In airports and other high security areas, you usually have the old-fashioned metal detectors that are rectangular boxes. They’ve been around a long time, and technology has only gotten better over the years. Metal detectors can now be embedded inside of a wall or even in a door jamb. They can be hidden almost anywhere. You don’t want potential threats to realize that you know they have a weapon on them. You can quietly dial for help and activate emergency protocols before an incident occurs.

There’s also the ability to sense weapons and hostile situations with video analytics. IBM has software that can determine if a person is brandishing a weapon within a location (such as a bank or dispensary) based on the movements of people nearby and the person’s posture. The software would then notify the local police without the need for employee intervention.

IBM software allows for intelligent monitoring of surveillance footage.


Securing Your Digital Business

“You have to expect that things are always going to go wrong.” (Todd Kleperis)

There’s a company (and software) called DarkTrace that employs aggressive defense. DarkTrace was originally designed by the UK government, MI5, and Cambridge University to look for anomalies in computer networks and use AI to learn what those anomalies are.

Say for example that I have an open network of 10 people in my office. One random night at 2 AM, one of the computers turns on and starts uploading files from the HR person’s desk. If DarkTrace is installed on the network, it will recognize the anomaly and take note of everything going on. It can be set to alert you immediately or it can take actions to stop the anomaly on its own.

DarkTrace uses what’s known as a “heuristic” method in order to detect intrusions. The first week DarkTrace is active it starts learning the behavior and schedules of your business and employees. By the second week, it is already protecting your systems from anomalies and unusual behavior. It can even provide you with a daily or weekly intelligence report if you want. It tracks what’s going on on your network. It’s one of those things you want before you need it.

A brief overview of how the software works.

There are two parts to how DarkTrace works: the software and the hardware. The hardware is physically integrated into the computer network and the software analyzes the whole enterprise’s network. It can even detect your WiFi coffee pot in the office or a work laptop in another country because a guy’s travelling for work.
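The following is an added example, not part of the interview and not the vendor's algorithm. It is a simplified illustration of the learn-a-baseline-then-flag-deviations idea described above, run over constructed traffic records that include the 2 AM upload from the HR desk and an unrecognized WiFi device. The host names, record layout and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

HOSTS = ["hr-desk", "front-desk", "grow-ctrl"]  # hypothetical host names


def build_learning_week():
    """Constructed records (day, hour, host, bytes_uploaded) for days 1-7,
    office hours only, with small deterministic variation in volume."""
    records = []
    for day in range(1, 8):
        for hour in range(8, 18):
            for i, host in enumerate(HOSTS):
                records.append((day, hour, host, 40_000 + 1_000 * ((day + hour + i) % 5)))
    return records


# Constructed "second week" traffic to evaluate against the baseline.
LIVE = [
    (9, 10, "hr-desk", 42_000),        # ordinary daytime activity
    (9, 2, "hr-desk", 750_000_000),    # 2 AM bulk upload from the HR desk
    (9, 14, "grow-ctrl", 43_000),      # ordinary daytime activity
    (9, 11, "coffee-pot", 1_200),      # device never seen while learning
]


def learn_baseline(records):
    """Per host: the hours it was active and the mean/std of upload volume."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for _day, hour, host, nbytes in records:
        hours[host].add(hour)
        volumes[host].append(nbytes)
    return {
        host: {"hours": hours[host],
               "mean": mean(volumes[host]),
               "std": pstdev(volumes[host])}
        for host in hours
    }


def score(record, baseline, k=4.0, min_std=1_000.0):
    """Return the list of reasons a record deviates from the baseline."""
    _day, hour, host, nbytes = record
    profile = baseline.get(host)
    if profile is None:
        return ["unknown device"]
    reasons = []
    if hour not in profile["hours"]:
        reasons.append("active outside learned hours")
    # min_std keeps a very steady host from alerting on trivial jitter.
    if nbytes > profile["mean"] + k * max(profile["std"], min_std):
        reasons.append("upload volume above baseline")
    return reasons


def detect(live, baseline):
    """Return (record, reasons) for every record with at least one reason."""
    alerts = []
    for record in live:
        reasons = score(record, baseline)
        if reasons:
            alerts.append((record, reasons))
    return alerts


if __name__ == "__main__":
    for record, reasons in detect(LIVE, learn_baseline(build_learning_week())):
        print(record, "->", ", ".join(reasons))
```

A one-week baseline like this treats anything it has not yet seen as abnormal, so legitimate late shifts or new devices will alert until the baseline is refreshed.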

There’s a company called KnowBe4 that trains your employees how to respond to cyber threats by simulating a variety of different strikes against your systems. It’s a training simulator for phishing and hacking attempts that has proven very effective.

For example, it can send out an uncanned, unscripted message to trick people. The message will read, “Hey Employee, this is your buddy Todd. Can you pick up the phone and call me or click this link?” And the link will look a little strange or the message seems off. It trains them to recognize when something doesn’t look right and avoid it. Until someone experiences getting locked out of their system, they may not learn.

Don’t click that link. If you click that link, your entire network is exposed.

The majority of stuff on TV is just that: stuff on TV.

The reality is that the majority of phishing attacks are looking for a quick hit. They want your credit card to get a dollar or two. When a person is phishing, it’s a lot like actual fishing. They throw out a lure or a snare, and try to catch you. If you fall for the trick, you open up your systems or credit cards to abuse. If you ever notice your credit card is getting charged small amounts of less than $15 and you don’t know where those charges are coming from, somebody phished you.

There is software to protect you against phishing. If anybody in your audience wants to know some helpful software for their business, I can help find them some resources. We’re in the business of helping customers solve their problems, and we’re not trying to get a quick buck.

You have to expect that things are always going to go wrong. Most people talk about redundancies, but they need to be implemented prior to a major event. IT personnel need to be proactive about installing and maintaining redundancies for both data and systems.

I don’t want to name specifics, but a very large bank lost hundreds of thousands of accounts because they failed to have backups. One social network lost millions of accounts from internal hacking. Recently, a major cannabis point-of-sale business may have had a serious cyberattack against them and their redundancies either failed or weren’t implemented properly.

You also have to expect attacks from all sides. Combating internal theft or internal cybersecurity is another separate issue that could take an even longer time to work through. Disgruntled employees can represent a threat to your business.

Be Aware

The majority of people are worried about other issues, like how much is the facility build-out going to cost? What are the CCTVs going to cost? What does my security guard cost me? Security is seen almost like an upfront insurance cost, and cybersecurity is not up there on the list of priorities.


Look at the Whole System

Many people are in the early stages of learning about cyber security. I’ve met people in the industry who have been doing cannabis for 30 years, but technology escapes them when they don’t have their iPhone.

For example, I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, the whole shebang. I had to warn them: What if somebody tampered with their system? A saboteur could shut it all down, kill their harvest, and listen in on their conversations while they cried. They were a little put off by that knowledge, so we fixed their systems up for them.


Know Your Risks

Each kind of business has different needs. Some businesses are going to be less susceptible to certain types of intrusions.

For example, dispensaries are generally the biggest targets for would-be crooks. While good management practices can protect against simple theft, a dispensary might have specific clones that are one-of-a-kind genomes created only for them. Those clones are part of their secret sauce and they don’t want to lose them. As a result, a dispensary might want to invest more in physical security than cybersecurity. On the other hand, online ordering is becoming a bigger deal and therefore cybersecurity is becoming more important to protect customer information.

Deliveries definitely have to worry about physical security. We’ve been aware of multiple occurrences where a delivery person was robbed during delivery. It’s crazy to have somebody driving around with $20,000 worth of product in their car and no protection. Hard Car Security offers armored transport specifically for this purpose.

Any business that thrives on the internet needs to prioritize cybersecurity. Weedmaps, for example, has their own computer infrastructure and much of their information is publicly available. Now how do they secure it? They must have an IT specialist (or several) on their team that has implemented data encryption to prevent somebody from hacking in and obtaining their user information. It would be a nightmare if somebody knew where everybody nearby lives and all of the products they’ve bought in the last year.


Protect Yourself

You should also make sure to protect yourself personally. If somebody has access to your phone, they might be able to access your other systems. One thing I warn people about all the time is to avoid free WiFi networks. If you do access them, change your passwords frequently. It might seem annoying, but it’s very difficult to dig yourself out of identity theft. It’s much easier to change passwords on a regular basis. Alternatively, make a VPN. There are tutorials on YouTube on how to use one.


Questions from the Community


Certainly. Because this industry still deals primarily in cash, you’ve got a large amount of cash floating around. Additionally, the product can be worth hundreds of thousands if not millions of dollars. It’s being shipped all over the place and not a lot of people are tracking it. The system, as a whole, is vulnerable to robbery and theft.

There are also security issues arising from scale. In California, we’ve seen facilities that are hundreds of thousands of square feet. Arizona has virtually no limits on grow operation size. How do you secure different sized facilities like that? That’s the kind of thing where somebody should call us for a consultation.

On a different level, the industry is experiencing a financial bubble. Vendors are always looking to raise their prices because they believe the cannabis industry has more money than it does. Investors are constantly overestimating the value of the industry. The industry is not stable, and that is a security risk.

I don’t think security based on size alone is the issue. Good security is about your budget. Believe it or not, a large facility may not have a lot of money for a security system, especially during their setup phase. For example, monitoring cameras can be done relatively cheaply at a small site, but become increasingly expensive the larger the business is.

A few cameras are cheap, but larger setups become complicated.

It’s about “hardening” or fortifying a location. If you want to harden or fortify a location, what’s your budget? Because if you have a $5 budget, you may be only able to buy a “Beware of Dog” sticker. If you’ve got a $50k budget, you can do a bit more. If you’ve got a $500,000 budget, you can do some Mission Impossible kinds of nonsense. The main difference between operations is that a larger operation has to physically spread their budget out.

I’ll give you a personal example. A customer we recently helped had to make a choice. They could put up a conventional, physical fence for around $35,000. But fences can easily be circumvented, and aren’t necessarily a safe option without investing a lot of money. With our help, they had the option to put up a barrier wall with a laser beam for about $7000. You can’t cross that beam without being detected and the alarm being raised. We saved them almost $30k for what amounts to greater security.

An artist’s rendition of a fence combined with a laser intrusion detection system.

There are also some cheap and simple solutions that might seem silly on the surface, but have proven to be effective:

  1. One of the number one strategies for people trying to save money is buying a sticker that says “Beware of Dog.” It sounds like a stupid thing to do. But you would not believe how many common thieves or crooks will leave a facility because they have a beware of dog sticker on the door.
  2. You can install fake cameras. There’s a company out there called Brickhouse Security that offers fake cameras for $10-$15, and presents the illusion of security as a deterrent. If you’ve got a limited budget, you work within that budget.

Editor’s Note: Brickhouse Security also provides real security cameras and systems.

Contrary to what you might think, legalization has been really positive for security. Legalization has forced communities to recognize and acknowledge that they were putting people in harm’s way. Legalization has resulted in an effort to standardize best safety practices which will enable people to do what they need to do to protect their people and their product. That’s all good stuff.

There is one concern with legalization that doesn’t get mentioned. Say for example that you’re in Arizona, and you hire a security company that’s monitoring you remotely from Wyoming or Kansas. If they’re remotely monitoring you in Arizona and either your state’s law or their state’s law doesn’t allow it, you’re breaking state law as a business owner. The security company that installed that system is also breaking the law. When you have goobers who are not cognizant of the law, it resonates poorly.




About Todd and Hard Car Security

“Everything needs to be protected, from the entire growhouse all the way to the budtender who needs network security on their laptop and phone.” (Todd Kleperis)

Hard Car Security is a technology provider to the cannabis space. We do everything from armored cars and cannabis delivery to cybersecurity and robotics. We also build infrastructure for weapons detection, which helps dispensaries and other businesses find hidden weapons before there are problems.


I went to Babson College and got my degree in Entrepreneurial Studies. That might seem strange because it isn’t a degree related to security.

I actually ventured into the security industry because I’m former US Army. My unit was on 24-hour notice during the original Desert Storm. I served 6 years in the military, and when I left I started working in the commercial space. Transitioning from the military into private security has proven to be a blessing. In the military, you see security firsthand; you help build it. Then you get to deploy your plan and stop bad people who do bad things.

After my service, I gained 15 years of experience building security plans and products in Asia. I’ve designed security systems for a wide variety of scenarios, from something as simple as the factory floor of a napkin manufacturer all the way up to very intricate weapons systems for corporate clients.

When I was living in China, I started to receive numerous requests for cyber security help from Chinese companies. When a phishing attack would go out, it would hit the networks of these companies hard. These attacks are still a common problem in the Asian Pacific-rim countries. Almost every country and company in the area is impacted by these attacks, and many also choose to participate in the attacks. Everyone wants a technological advantage or competitive edge.

My team and I started investigating methods to prevent the damage from these attacks. We initially began with preventative software, and now we’re using aggressive-defense software to detect if somebody’s causing problems in a network.

We offer a very interesting combination of technologies all in a single company. For instance, we could have a robot patrol the outside of a facility whose security system we designed while an RFID-tagged armored truck picks up product; meanwhile our Agent Verify computer system enables the truck driver to get into the facility and protects against intruders. Everything needs to be protected, from the entire growhouse all the way to the budtender who needs network security on their laptop and phone.

We’ve got multiple people with specialized backgrounds for this reason. Some of my employees have access to NSA-level, encrypted technology designed for the UK government. That technology is now being used on networks across the United States.



Want to get in touch with Hard Car Security or Todd?

You can reach them via the following methods:

  1. Website Contact Form
  2. Phone: 760-890-4341
  3. Email: [email protected]

Resources:

  1. Confused about the basics of cybercrime? Check out this helpful article to learn more.
  2. Want to learn more about cyber crime and what the police are doing to stop it? Check out the FBI page on cyber crime.
  3. Want to learn specific tips about protecting your business? Cannabis Business Times has you covered!
  4. Want a consultation? Contact Hard Car Security on their website and mention us!



About the Author

Hunter Wilson is a community builder with Growers Network. He graduated from the University of Arizona in 2011 with a Master’s in Teaching and in 2007 with a Bachelor’s in Biology.