Securing Your Cannabis Business; Physically and Digitally
Editor’s Note: Growers Network appreciates its readers! If you are limited on time, we are now offering abbreviated versions of our articles.
About Todd Kleperis and Hard Car Security
I’m former US Army. I served during the original Desert Storm, and when I left I started working in commercial security. I gained 15 years of experience building security plans and products in Asia. I also implemented numerous methods to prevent or reduce cyber attacks.
Securing Your Physical Business
If I can follow a legitimate worker in or out of a building, I can access its infrastructure with ease. The same can be done digitally by “piggybacking” malware onto legitimate packets.
A mantrap is anything that can lock a person into one place. The minute you’re past one door, you can’t get through the next. It’s like an airlock, minus the vacuum.
First Shooter Response
You need to teach employees the basics:
- How do they respond if somebody walks into the facility with a weapon?
- How do they react in a shooter situation?
- What is the emergency response if there is a problem?
The cannabis industry practically mandates at least one security guard for every facility. Any cannabusiness will see their overhead increase as a result. However, a robot can patrol 24/7 and only has an initial cost. It will diligently patrol without any distractions. Sharp Electronics has a pretty fantastic robot for this purpose.
Modern metal detectors can be embedded inside of a wall or door jamb. You don’t want threats to know that you know about a weapon. You can quietly dial for help before an incident occurs.
Securing Your Cyber Business
How do you defend your business?
A company called DarkTrace uses a heuristic method to detect intrusions. The first week DarkTrace is active, it learns the behavior of your business and employees. By the second week, it is protecting your systems from anomalies.
A company called KnowBe4 has a training simulator for phishing and hacking attempts. It sends out unscripted messages to trick employees, with a strange-looking link. It trains employees to recognize when something doesn’t look right.
The majority of attackers are looking for credit card(s) to get a dollar or two. If you ever notice your credit card is getting charged random, small amounts of less than $15, somebody phished you.
You build redundancies. They need to be implemented prior to a major event by your IT personnel. Be proactive about implementing redundancies for your systems.
Look at the Whole System
I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, etc. A saboteur could shut it all down, kill their harvest, and listen while they cried.
Know Your Risks
- Dispensaries are targets for thieves and robbers. Physical security is essential.
- Deliveries have to worry about robbery during their deliveries.
- Online ordering is becoming a big deal and customer information must be protected.
- Any online business needs to prioritize cybersecurity. It would be catastrophic if somebody knew customer information and order history.
Questions from the Community
The system is vulnerable to robbery and theft. It deals primarily in cash, which is a risk. Additionally, the products are worth thousands of dollars and are often shipped with minimal protections.
Believe it or not, a large facility may not have a lot of money, especially early on. It’s about “hardening” or fortifying a location. If you want to harden a location, what’s your security budget? That determines what you can do.
Legalization has been really positive for security. It has forced communities to recognize and acknowledge that they were putting people in harm’s way.
However, there is one concern with legalization that doesn’t get mentioned. If you hire a security company to remotely monitor you from another state, make sure that it is legal for them to do so, or you could both be in trouble.
If you want to read more, you can read the full article below.
Securing Your Physical Business
Here’s an example. I walked into a dispensary a few weeks ago and I was surprised by the lack of security. While I was behind the glass enclosures talking with the owner, I noticed the back door was being used by people leaving the dispensary. I asked him if he was familiar with “piggybacking” and he said he was not.
I asked him to walk with me so I could demonstrate. I put my finger behind him and told him to pretend it was a gun and to react how you normally would at gunpoint. He walked silently through the door with me.
That’s piggybacking: if I can follow you in or out of a building very quickly, I can access your infrastructure with ease. This is the same term that they use in data centers and in big federal facilities.
Editor’s Note: Tailgating is similar to piggybacking, except it relies on deception instead of coercion. A tailgater is somebody who simply goes through an open door that somebody else left open or is holding open for them out of politeness. A tailgater lacks the necessary security clearance to pass an area, and relies on the fact that people may not recognize a security threat.
You’ve probably been in one without realizing it. If you’ve walked into an airport and had to go through a backscatter machine or millimeter wave machine, you’ve been in a mantrap.
A mantrap is anything that can lock a person into one place, like the backscatter machine. You could simply make one with two locking doors from Home Depot. The minute you’re past one door, you can’t get through the next.
You could say it’s a lot like an airlock, minus the air getting sucked out of it.
I’d like for business owners to understand that if their employees are sitting behind bulletproof glass, but the wall holding the glass is made of drywall, then they did absolutely nothing to protect their people.
There should be a standard guideline to show people the basics:
- What is your response if somebody walks into your facility with a weapon?
- Have you trained people how to react in a shooter situation?
- Have you talked with your employees about what the emergency response would be if there was a problem?
- How do you teach critical awareness to your staff?
A red team event is when you hire somebody from outside your company to test your system’s limits. I highly recommend this for anybody in this industry: hire somebody to try everything they can think of in order to disrupt your systems. They’re going to shake the figurative cage; they’re going to kick the tires, go around the side, figure out a way in; they’re going to see if they can pull an AC unit off of the top of the building and get in.
It doesn’t matter whether it’s the local computer guy or a bigger security provider. Both could come in and test your system viability, your structure, and what happens when things go sideways.
A robot, on the other hand, can patrol 24/7, and it only costs the initial purchase (or rental price) and electricity costs. It will diligently patrol without any of the normal human distractions. Sharp Electronics has a pretty fantastic robot for this express purpose.
Example of a patrolling robot by Sharp Electronics.
It’ll detect everything from noxious gases to AC leaks to fires to intrusions. It will regularly sweep the perimeter, and if it detects something it will send an alert to a monitoring center. The monitoring center agent can talk to the intruder and inform them that they are being monitored, that the police are on their way, and that they may want to leave the premises.
There’s also the ability to sense weapons and hostile situations with video analytics. IBM has software that can determine if a person is brandishing a weapon within a location (such as a bank or dispensary) based on the movements of people nearby and the person’s posture. The software would then notify the local police without the need for employee intervention.
Securing Your Digital Business
“You have to expect that things are always going to go wrong.” - Todd Kleperis
Say for example that I have an open network of 10 people in my office. One random night at 2 AM, one of the computers turns on and starts uploading files from the HR person’s desk. If DarkTrace is installed on the network, it will recognize the anomaly and take note of everything going on. It can be set to alert you immediately or it can take actions to stop the anomaly on its own.
DarkTrace uses what’s known as a “heuristic” method in order to detect intrusions. The first week DarkTrace is active it starts learning the behavior and schedules of your business and employees. By the second week, it is already protecting your systems from anomalies and unusual behavior. It can even provide you with a daily or weekly intelligence report if you want. It tracks what’s going on on your network. It’s one of those things you want before you need it.
There are two parts to how DarkTrace works: the software and the hardware. The hardware is physically integrated into the computer network and the software analyzes the whole enterprise’s network. It can even detect your WiFi coffee pot in the office or a work laptop in another country because a guy’s travelling for work.
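As an added illustration of the learn-then-alert approach described above (this is not DarkTrace’s code, which the page does not show), here is a toy baseline detector run over constructed log lines: it records each host’s normal active hours and peak upload size during a training window, then flags off-hours or oversized uploads afterwards. Host names, timestamps and byte counts are all constructed.

```python
"""Toy behavioral-baseline detector: learn normal per-host upload activity,
then flag uploads at unseen hours or far above the learned peak.
Added illustration; the log format and all values are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed "first week" log: "timestamp host direction bytes"
TRAINING_LOG = """
2024-03-04T09:15:00 hr-desk upload 2400
2024-03-04T10:40:00 hr-desk upload 5100
2024-03-05T09:05:00 hr-desk upload 3000
2024-03-05T14:20:00 hr-desk upload 4100
2024-03-06T11:30:00 hr-desk upload 2800
2024-03-04T09:00:00 sales-laptop upload 800
2024-03-05T16:45:00 sales-laptop upload 1200
"""
# Constructed "second week" log, including a 2 AM bulk upload from the HR desk
LIVE_LOG = """
2024-03-11T09:30:00 hr-desk upload 2700
2024-03-12T02:00:00 hr-desk upload 480000
2024-03-12T02:05:00 hr-desk upload 510000
2024-03-12T16:10:00 sales-laptop upload 900
"""

def parse(log):
    """Yield (datetime, host, direction, bytes) from the constructed log format."""
    for line in log.strip().splitlines():
        ts, host, direction, size = line.split()
        yield datetime.fromisoformat(ts), host, direction, int(size)

def learn_baseline(log):
    """Learning phase: per host, the hours it normally uploads and its largest upload."""
    hours, peak = defaultdict(set), defaultdict(int)
    for ts, host, direction, size in parse(log):
        if direction == "upload":
            hours[host].add(ts.hour)
            peak[host] = max(peak[host], size)
    return {"hours": dict(hours), "peak": dict(peak)}

def detect(baseline, log, size_factor=10):
    """Protection phase: return (timestamp, host, reason) for out-of-profile uploads."""
    alerts = []
    for ts, host, direction, size in parse(log):
        if direction != "upload":
            continue
        known_hours = baseline["hours"].get(host, set())
        peak = baseline["peak"].get(host, 0)
        reasons = []
        if ts.hour not in known_hours:
            reasons.append(f"active at {ts.hour:02d}:00, never seen in baseline")
        if peak and size > size_factor * peak:
            reasons.append(f"upload of {size} bytes is {size // peak}x the learned peak")
        if reasons:
            alerts.append((ts.isoformat(), host, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING_LOG), LIVE_LOG):
        print(*alert)
```

A real product also learns traffic volume, destinations and device types per host; this toy keeps only hour-of-day and size so the two 2 AM HR-desk uploads are the only alerts.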
For example, KnowBe4’s simulator can send out an uncanned, unscripted message to trick people. The message will read, “Hey Employee, this is your buddy Todd. Can you pick up the phone and call me or click this link?” And the link will look a little strange or the message seems off. It trains them to recognize when something doesn’t look right and avoid it. Until someone experiences getting locked out of their system, they may not learn.
Don’t click that link. If you click that link, your entire network is exposed.
The reality is that the majority of phishing attacks are looking for a quick hit. They want your credit card to get a dollar or two. When a person is phishing, it’s a lot like actual fishing. They throw out a lure or a snare, and try to catch you. If you fall for the trick, you open up your systems or credit cards to abuse. If you ever notice your credit card is getting charged small amounts of less than $15 and you don’t know where those charges are coming from, somebody phished you.
There is software to protect you against phishing. If anybody in your audience wants to know some helpful software for their business, I can help find them some resources. We’re in the business of helping customers solve their problems, and we’re not trying to get a quick buck.
I don’t want to name specifics, but a very large bank lost hundreds of thousands of accounts because they failed to have backups. One social network lost millions of accounts from internal hacking. Recently, a major cannabis point-of-sale business may have had a serious cyberattack against them and their redundancies either failed or weren’t implemented properly.
You also have to expect attacks from all sides. Combating internal theft or internal cybersecurity is another separate issue that could take an even longer time to work through. Disgruntled employees can represent a threat to your business.
The majority of people are worried about other issues, like how much is the facility build-out going to cost? What are the CCTVs going to cost? What does my security guard cost me? Security is seen almost like an upfront insurance cost, and cybersecurity is not up there on the list of priorities.
Many people are in the early stages of learning about cyber security. I’ve met people in the industry who have been doing cannabis for 30 years, but technology escapes them when they don’t have their iPhone.
For example, I was recently at a big grow site. They had their entire system on an open WiFi network: computers, sensors, controllers, the whole shebang. I had to warn them: What if somebody tampered with their system? A saboteur could shut it all down, kill their harvest, and listen in on their conversations while they cried. They were a little put off by that knowledge, so we fixed their systems up for them.
Each kind of business has different needs. Some businesses are going to be less susceptible to certain types of intrusions.
For example, dispensaries are generally the biggest targets for would-be crooks. While good management practices can protect against simple theft, a dispensary might have specific clones that are one-of-a-kind genomes created only for them. Those clones are part of their secret sauce and they don’t want to lose them. As a result, a dispensary might want to invest more in physical security than cybersecurity. On the other hand, online ordering is becoming a bigger deal and therefore cybersecurity is becoming more important to protect customer information.
Deliveries definitely have to worry about physical security. We’ve been aware of multiple occurrences where a delivery person was robbed during delivery. It’s crazy to have somebody driving around with $20,000 worth of product in their car and no protection. Hard Car Security offers armored transport specifically for this purpose.
Any business that thrives on the internet needs to prioritize cybersecurity. Weedmaps, for example, has their own computer infrastructure and much of their information is publicly available. Now how do they secure it? They must have an IT specialist (or several) on their team that has implemented data encryption to prevent somebody from hacking in and obtaining their user information. It would be a nightmare if somebody knew where everybody nearby lives and all of the products they’ve bought in the last year.
You should also make sure to protect yourself personally. If somebody has access to your phone, they might be able to access your other systems. One thing I warn people about all the time is to avoid free WiFi networks. If you do access them, change your passwords frequently. It might seem annoying, but it’s very difficult to dig yourself out of identity theft. It’s much easier to change passwords on a regular basis. Alternatively, make a VPN. There are tutorials on YouTube on how to use one.
Questions from the Community
There are also security issues arising from scale. In California, we’ve seen facilities that are hundreds of thousands of square feet. Arizona has virtually no limits on grow operation size. How do you secure different sized facilities like that? That’s the kind of thing where somebody should call us for a consultation.
On a different level, the industry is experiencing a financial bubble. Vendors are always looking to raise their prices because they believe the cannabis industry has more money than it does. Investors are constantly overestimating the value of the industry. The industry is not stable, and that is a security risk.
It’s about “hardening” or fortifying a location. If you want to harden or fortify a location, what’s your budget? Because if you have a $5 budget, you may be only able to buy a “Beware of Dog” sticker. If you’ve got a $50k budget, you can do a bit more. If you’ve got a $500,000 budget, you can do some Mission Impossible kinds of nonsense. The main difference between operations is that a larger operation has to physically spread their budget out.
I’ll give you a personal example. A customer we recently helped had to make a choice. They could put up a conventional, physical fence for around $35,000. But fences can easily be circumvented, and aren’t necessarily a safe option without investing a lot of money. With our help, they had the option to put up a barrier wall with a laser beam for about $7000. You can’t cross that beam without being detected and the alarm being raised. We saved them almost $30k for what amounts to greater security.
There are also some cheap and simple solutions that might seem silly on the surface, but have proven to be effective:
- One of the number one strategies for people trying to save money is buying a sticker that says “Beware of Dog.” It sounds like a stupid thing to do. But you would not believe how many common thieves or crooks will leave a facility because they have a beware of dog sticker on the door.
- You can install fake cameras. There’s a company out there called Brickhouse Security that offers fake cameras for $10-$15, and presents the illusion of security as a deterrent. If you’ve got a limited budget, you work within that budget.
Editor’s Note: Brickhouse Security also provides real security cameras and systems.
There is one concern with legalization that doesn’t get mentioned. Say for example that you’re in Arizona, and you hire a security company that’s monitoring you remotely from Wyoming or Kansas. If they’re remotely monitoring you in Arizona and either your state’s law or their state’s law doesn’t allow it, you’re breaking state law as a business owner. The security company that installed that system is also breaking the law. When you have goobers who are not cognizant of the law, it resonates poorly.
About Todd and Hard Car Security
“Everything needs to be protected, from the entire growhouse all the way to the budtender who needs network security on their laptop and phone.” - Todd Kleperis
I actually ventured into the security industry because I’m former US Army. My unit was on 24-hour notice during the original Desert Storm. I served 6 years in the military, and when I left I started working in the commercial space. Transitioning from the military into private security has proven to be a blessing. In the military, you see security firsthand; you help build it. Then you get to deploy your plan and stop bad people who do bad things.
After my service, I gained 15 years of experience building security plans and products in Asia. I’ve designed security systems for a wide variety of scenarios, from something as simple as the factory floor of a napkin manufacturer all the way up to very intricate weapons systems for corporate clients.
My team and I started investigating methods to prevent the damage from these attacks. We initially began with preventative software, and now we’re using aggressive-defense software to detect if somebody’s causing problems in a network.
We’ve got multiple people with specialized backgrounds for this reason. Some of my employees have access to NSA-level, encrypted technology designed for the UK government. That technology is now being used on networks across the United States.
About the Author
Hunter Wilson is a community builder with Growers Network. He graduated from the University of Arizona in 2011 with a Masters in Teaching and in 2007 with a Bachelors in Biology.