Cannabis Business Security: Physical and Digital

---

About Todd Kleperis and Hard Car Security

---

What’s your background? I’m former US Army. I served during the original Desert Storm, and when I left I started working in commercial security. I gained 15 years of experience building security plans and products in Asia. I also implemented numerous methods to prevent or reduce cyber attacks.

---

Securing Your Physical Business

---

What are some security terms?

Piggybacking

If I can follow a legitimate worker in or out of a building, I can access its infrastructure with ease. The same can be done digitally by “piggybacking” malware onto legitimate packets.

Mantrap

A mantrap is anything that that can lock a person into one place. The minute you’re past one door, you can’t get through the next. It’s like an airlock, minus the vacuum.

First Shooter Response

You need to teach employees the basics:

1. How do they respond if somebody walks into the facility with a weapon?
2. How do they react in a shooter situation?
3. What is the emergency response if there is a problem?

Red Teaming

A red team event is when you hire somebody from outside your company to test your system’s limits. They shake the figurative cage and find your vulnerabilities. What about security robots? The cannabis industry practically mandates at least one security guard for every facility. Any cannabusiness will see their overhead increase as a result. However, a robot can patrol 24/7 and only has an initial cost. It will diligently patrol without any distractions. Sharp Electronics has a pretty fantastic robot for this purpose. How do you detect weapons? Modern metal detectors can be embedded inside of a wall or door jam. You don’t want threats to know that you know about a weapon. You can quietly dial for help before an incident occurs.

---

Securing Your Cyber Business

---

How do you defend your business? A company called DarkTrace uses a heuristic method to detect intrusions. The first week DarkTrace is active, it learns the behavior of your business and employees. By the second week, it is protecting your systems from anomalies. How do you train employees for cyber threats? A company called KnowBe4 has a training simulator for phishing and hacking attempts. It sends out unscripted messages to trick employees, with a strange-looking link. It trains employees to recognize when something doesn’t look right. What’s the goal of phishing? The majority of attackers are looking for credit card(s) to get a dollar or two. If you ever notice your credit card is getting charged random, small amounts of less than $15, somebody phished you. How do you prepare for something going wrong? You build redundancies. They need to be implemented prior to a major event by your IT personnel. Be proactive about implementing redundancies for your systems. What are some other considerations when it comes to cyber security?

Look at the Whole System

I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, etc. A saboteur could shut it all down, kill their harvest, and listen while they cried.

Know Your Risks

Each kind of business has different needs:

1. Dispensaries are targets for thieves and robbers. Physical security is essential.
2. Deliveries have to worry about robbery during their deliveries.
3. Online ordering is becoming a big deal and customer information must be protected.
4. Any online business needs to prioritize cybersecurity. It would be catastrophic if somebody knew customer information and order history.

Protect Yourself

If somebody has access to your phone, they might be able to access other systems. Avoid free WiFi networks for this reason. Alternatively, make or use a VPN.

---

Questions from the Community

---

Are there risks unique to the cannabis industry? The system is vulnerable to robbery and theft. It deals primarily in cash, which is a risk. Additionally, the products are worth thousands of dollars and are often shipped with minimal protections. What are differences in security based on operation size? Believe it or not, a large facility may not have a lot of money, especially early on. It’s about “hardening” or fortifying a location. If you want to harden a location, what’s your security budget? That determines what you can do. How has legalization affected security? Legalization has been really positive for security. It has forced communities to recognize and acknowledge that they were putting people in harm’s way. However, there is one concern with legalization that doesn’t get mentioned. If you hire a security company to remotely monitor you from another state, make sure that it is legal for them to do so, or you could both be in trouble.

There’s a company (and software) called DarkTrace that employs aggressive defense. DarkTrace was originally designed by the UK government, MI5, and Cambridge University to look for anomalies in computer networks and use AI to learn what those anomalies are. Say for example that I have an open network of 10 people in my office. One random night at 2 AM, one of the computers turns on and starts uploading files from the HR person’s desk. If DarkTrace is installed on the network, it will recognize the anomaly and take note of everything going on. It can be set to alert you immediately or it can take actions to stop the anomaly on its own. DarkTrace uses what’s known as a “heuristic” method in order to detect intrusions. The first week DarkTrace is active it starts learning the behavior and schedules of your business and employees. By the second week, it is already protecting your systems from anomalies and unusual behavior. It can even provide you with a daily or weekly intelligence report if you want. It tracks what’s going on on your network. It’s one of those things you want before you need it.

A brief overview of how the software works. There’s two parts to how DarkTrace works: the software and the hardware. The hardware is physically integrated into the computer network and the software analyzes the whole enterprise’s network. It can even detect your WiFi coffee pot in the office or a work laptop in another country because a guy’s travelling for work.

There’s a company called KnowBe4 that trains your employees how to respond to cyber threats by simulating a variety of different strikes against your systems. It’s a training simulator for phishing and hacking attempts that has proven very effective. For example, it can send out an uncanned, unscripted message to trick people. The message will read, “Hey Employee, this is your buddy Todd. Can you pick up the phone and call me or click this link?” And the link will look a little strange or the message seems off. It trains them to recognize when something doesn’t look right and avoid it. Until someone experiences getting locked out of their system, they may not learn.

Don’t click that link. If you click that link, your entire network is exposed.

The majority of stuff on TV is just that: stuff on TV. The reality is that the majority of phishing attacks are looking for a quick hit. They want your credit card to get a dollar or two. When a person is phishing, it’s a lot like actual fishing. They throw out a lure or a snare, and try to catch you. If you fall for the trick, you open up your systems or credit cards to abuse. If you ever notice your credit card is getting charged small amounts of less than $15 and you don’t know where those charges are coming from, somebody phished you. There is software to protect you against phishing. If anybody in your audience wants to know some helpful software for their business, I can help find them some resources. We’re in the business of helping customers solve their problems, and we’re not trying to get a quick buck.

You have to expect that things are always going to go wrong. Most people talk about redundancies, but they need to be implemented prior to a major event. IT personnel need to be proactive about installing and maintaining redundancies for both data and systems. I don’t want to name specifics, but a very large bank lost hundreds of thousands of accounts because they failed to have backups. One social network lost millions of accounts from internal hacking. Recently, a major cannabis point-of-sale business may have had a serious cyberattack against them and their redundancies either failed or weren’t implemented properly. You also have to expect attacks from all sides. Combating internal theft or internal cybersecurity is another separate issue that could take an even longer time to work through. Disgruntled employees can represent a threat to your business.

Be Aware The majority of people are worried about other issues, like how much is the facility build-out going to cost? What are the CCTVs going to cost? What does my security guard cost me? Security is seen almost like an upfront insurance cost, and cybersecurity is not up there on the list of priorities.

---

Look at the Whole System Many people are in the early stages of learning about cyber security. I’ve met people in the industry who have been doing cannabis for 30 years, but technology escapes them when they don’t have their iPhone. For example, I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, the whole shebang. I had to warn them: What if somebody tampered with their system? A saboteur could shut it all down, kill their harvest, and listen in on their conversations while they cried. They were a little put off by that knowledge, so we fixed their systems up for them.

---

Know Your Risks Each kind of business has different needs. Some businesses are going to be less susceptible to certain types of intrusions. For example, dispensaries are generally the biggest targets for would-be crooks. While good management practices can protect against simple theft, a dispensary might have specific clones that are one-of-a-kind genomes created only for them. Those clones are part of their secret sauce and they don’t want to lose them. As a result, a dispensary might want to invest more in physical security than cybersecurity. On the other hand, online ordering is becoming a bigger deal and therefore cybersecurity is becoming more important to protect customer information. Deliveries definitely have to worry about physical security. We’ve been aware of multiple occurrences where a delivery person was robbed during delivery. It’s crazy to have somebody driving around with $20,000 worth of product in their car and no protection. Hard Car Security offers armored transport specifically for this purpose. Any business that thrives on the internet needs to prioritize cybersecurity. Weedmaps, for example, has their own computer infrastructure and much of their information is publicly available. Now how do they secure it? They must have an IT specialist (or several) on their team that has implemented data encryption to prevent somebody from hacking in and obtaining their user information. It would be a nightmare if somebody knew where everybody nearby lives and all of the products they’ve bought in the last year.

---

Protect Yourself You should also make sure to protect yourself personally. If somebody has access to your phone, they might be able to access your other systems. One thing I warn people about all the time is to avoid free WiFi networks. If you do access them, change your passwords frequently. It might seem annoying, but it’s very difficult to dig yourself out of identity theft. It’s much easier to change passwords on a regular basis. Alternatively, make a VPN. There are tutorials on YouTube on how to use one.

Certainly. Because this industry still deals primarily in cash, you’ve got a large amount of cash floating around. Additionally, the product can be worth hundreds of thousands if not millions of dollars. It’s being shipped all over the place and not a lot of people are tracking it. The system, as a whole, is vulnerable to robbery and theft. There’s also security issues arising from scale. In California, we’ve seen facilities that are hundreds of thousands of square feet. Arizona has virtually no limits on grow operation size. How do you secure different sized facilities like that? That’s the kind of thing where somebody should call us and for a consultation. On a different level, the industry is experiencing a financial bubble. Vendors are always looking to raise their prices because they believe the cannabis industry has more money than it does. Investors are constantly overestimating the value of the industry. The industry is not stable, and that is a security risk.

I don’t think security based on size alone is the issue. Good security is about your budget. Believe it or not, a large facility may not have a lot of money for a security system, especially during their set up phase. For example, monitoring cameras can be done relatively cheaply at a small site, but become increasingly expensive the larger the business is. A few cameras are cheap, but larger setups become complicated. It’s about “hardening” or fortifying a location. If you want to harden or fortify a location, what’s your budget? Because if you have a $5 budget, you may be only able to buy a “Beware of Dog” sticker. If you’ve got a $50k budget, you can do a bit more. If you’ve got a $500,000 budget, you can do some Mission Impossible kinds of nonsense. The main difference between operations is that a larger operation has to physically spread their budget out. I’ll give you a personal example. A customer we recently helped had to make a choice. They could put up a conventional, physical fence for around $35,000. But fences can easily be circumvented, and aren’t necessarily a safe option without investing a lot of money. With our help, they had the option to put up a barrier wall with a laser beam for about $7000. You can’t cross that beam without being detected and the alarm being raised. We saved them almost $30k for what amounts to greater security. An artist's rendition of a fence combined with a laser intrusion detection system. There are also some cheap and simple solutions that might seem silly on the surface, but have proven to be effective:

1. One of the number one strategies for people trying to save money is buying a sticker that says “Beware of Dog.” It sounds like a stupid thing to do. But you would not believe how many common thieves or crooks will leave a facility because they have a beware of dog sticker on the door.
2. You can install fake cameras. There’s a company out there called Brickhouse Security that offers fake cameras for $10-$15, and presents the illusion of security as a deterrent. If you’ve got a limited budget, you work within that budget.

Editor’s Note: Brickhouse Security also provides real security cameras and systems.

Contrary to what you might think, legalization has been really positive for security. Legalization has forced communities to recognize and acknowledge that they were putting people in harm’s way. Legalization has resulted in an effort to standardize best safety practices which will enable people to do what they need to do to protect their people and their product. That’s all good stuff. There is one concern with legalization that doesn’t get mentioned. Say for example that you’re in Arizona, and you hire a security company that’s monitoring you remotely from Wyoming or Kansas. If they’re remotely monitoring you in Arizona and either your state’s law or their state’s law doesn’t allow it, you’re breaking state law as a business owner. The security company that installed that system is also breaking the law. When you have goobers who are not cognizant of the law, it resonates poorly.