Jeremy O’Keefe: The Importance of Information Security in the Cannabis Industry

Jeremy O’Keefe is the CEO of Yobi, a streamlined software platform that addresses the unique point of sale and seed-to-sale requirements of the cannabis industry.


Jeremy and our podcast host TG Branfalt recently connected for a conversation about cannabis software, where many technology companies in the space have gone wrong, the importance of information security in the digital age, the advantages of using Yobi’s software suite, and more!

Tune in via the media player below or you can scroll down to find a full transcript of this week’s Ganjapreneur.com podcast episode.


Read the transcript:

Commercial: This episode of the Ganjapreneur Podcast is made possible by Evergreen Gateway, a provider of cannabis friendly financial services. As many cannabis entrepreneurs have experienced firsthand, it can be very difficult to get approval for essential financial services once your bank finds out what industry you’re in. Evergreen Gateway makes it easy for cannabis entrepreneurs to access the financial resources that you need to operate your business. From merchant accounts to cash advances, virtual checking and depository banking, Evergreen Gateway has established solutions that cater to the specific needs of the cannabis industry. Get in touch today at evergreengateway.com.

TG Branfalt: Hey there, I’m your host TG Branfalt and thank you for listening to the Ganjapreneur.com Podcast, where we try to bring you actionable information and normalize cannabis through the stories of ganjapreneurs, activists, and industry stakeholders. Today I’m joined by Jeremy O’Keefe, he’s the CEO of Yobi Software, a seed to sale point of sale system designed to simplify the cannabis business ecosystem. Jeremy specializes in cybersecurity and has developed retail and operational software for global brands, such as Amazon and Zappos. How are you doing this afternoon, Jeremy?

Jeremy O’Keefe: I can’t complain. How about yourself?

TG Branfalt: I’m all right, man. It’s great to have you on, especially to really pick your brain about the cybersecurity aspect. But before we get into any of that, tell me about yourself, man. How’d you end up working in the tech aspect of the cannabis space?

Jeremy O’Keefe: Oh man, it was a long and windy road, really. So, I started off right out of high school joining the Air Force and served the better part of a decade as an electronic worker technician. From there, I went and got my computer science degree from UNOV and cut my teeth building a retail operation software for one of Tony Hsieh’s startups in downtown Las Vegas that was funded through Amazon and Zappos, kind of a skunk works program.

TG Branfalt: And I mean, that’s wild. So, you go from the Air Force, you end up in sort of traditional retail. How do you end up coming across cannabis as sort of an industry that you wanted to serve?

Jeremy O’Keefe: I’ve always wanted to be a part of the cannabis industry and always kept a really close eye on the market. Mainly just personal skin in the game, hated the negative stigma that was attached to the cannabis and to its users, and saw the opportunity to kind of leverage my experience in the retail technology space. Well, because right before, when I had switched over to start Yobi, I was the lead engineer on a customer facing point of sale system that was the kind of central hub for managing all the inventory and sales for these frictionless commerce stores. I saw the other cannabis software companies kind of falling on their face with just basic operational tasks, securing their databases, uptime, data bleeding, just all the kind of basic fundamental tasks. And thought that I can build something better. So, I quit my job and got started. I got permission from the wife first and then quit my job and got started.

TG Branfalt: So I mean, a lot of people, they compare the tech space, the early sort of Silicon Valley days to sort of the green rush now, that the cannabis and the tech space is in that way. You’ve sort of straddled both. What do you make of that comparison and the analysis that people make when they say that?

Jeremy O’Keefe: I think it’s accurate in some aspects and it completely misses the mark in others. So, the fact is what we’re building for cannabis is not something magical or something new. It’s basic retail operations, ins and outs with your margins. So, it has the wow factor because it is cannabis, and the additional complexity with being the state APIs you have to report to and all that, and that’s definitely in the wild West still with regulated commerce. But in terms of just day to day operational tasks, it’s nothing new and it’s fairly straightforward.

TG Branfalt: Is that compliance aspect of it, is that sort of the biggest difference between sort of a traditional retail system and a cannabis retail system?

Jeremy O’Keefe: Oh, absolutely. I mean, that’s the largest kind of differentiator is the fact not only do we have to track the entire chain of custody and the lifecycle of the product, but that every state does it differently. So, that’s obviously been a large order for most operators just to kind of make sure, especially multi-state operators, to make sure each state is in compliance when you have potentially 33 different state regulations to worry about.

TG Branfalt: So, tell me about Yobi Software. I’ve had several seed to sale sort of companies on the podcast and they all give me sort of the elevator pitch. What sets Yobi Software apart from these other point of sale, seed to sale platforms?

Jeremy O’Keefe: Well, quite a bit. So, the initial kind of point of sale, seed to sale platforms, were more or less white labeled systems leveraged from the different ERPS and the cannabis leaf slapped on top of them. I mean, you could tell by the structure a lot of these. And I think that really speaks to how important experience is in developing software and developing quality software that actually brings value to clients. And that takes time and it takes a deep knowledge of building these kind of platforms before for other markets. And we’re the only team that’s actually done this successfully in a different market before, and have interest in our current platform for supply chain management to build some proof of concepts for some large scale breweries to track their chain of custody for kegs and for other items. So, I think that points to our versatility in the stability of our platform, the fact that non-cannabis operators are looking to use our technology to track their own internal, I guess, activities.

TG Branfalt: So, in terms of what does Yobi offer that say, I’m not going to really mention some of the competitors, but that the other services just don’t have? Why would a regulator choose to implement your software as opposed to all of the other sort of files that are on their desk?

Jeremy O’Keefe: Okay. Gotcha, gotcha. So, the biggest two differentiators obviously is going to be the RFID leverage. The majority of cannabis operators are already required to use RFID tags to track the life cycle of a plant, all of its movements, and as well as all the packages once they’re created and how they’re broken down. The difference is that no one is leveraging this technology that’s already in people’s operations, their staff is already trained to use them. So, we just leveraged the RFID side instead of the barcode side of the tag, which allows you to capture hundreds of plants in seconds instead of have to manually locate and scan each barcode individually.

So, you can actually audit a room of 2,500 plants in less than 20 minutes versus, I think, our last test was around six hours of labor time. Our second one is their compliance aspects. So, these APIs are still the Wild West. They’re unreliable. They don’t always kind of tell you when things were passed or failed. So, we developed a separate queue system. So, you could potentially create a plant, move a plant, change its phase and harvest that plant all with METRC being down. And then once it comes back up, it will automatically sync all those actions in the correct chronological order for you.

TG Branfalt: And so, that speaks to sort of the uptime differences that you had mentioned at the top?

Jeremy O’Keefe: Exactly. So, we manage our uptime, but we know external dependencies we have no power over, so we just made sure that it had good fault tolerance tendencies and would actually spin back up as soon as the other systems were available.

TG Branfalt: You had mentioned sort of security and just sort of running down. In 2018, there was a breach of MJ Freeway in Washington, Move dispenser in Florida, the vpnMentor analysis that found 30,000 patient records earlier this year were leaked from … how do these happen? And how often do breaches like this happen, both on sort of a traditional retail space where you have experience and sort of the cannabis space?

Jeremy O’Keefe: I mean, the most common reason these breaches happen is just a lack of technical background with the founding team or the lack of focus on the actual product to make sure it is secure and scalable. There’s too much of a focus on sales and not enough on product. And I think when your product is faulty and you build a scalable, repeatable sales model, you’re just doing nothing but producing upset customers and more opportunities for vulnerability and for attacks. The reason these attacks happen so much in the cannabis industry is because a lot of these operators are learning as they go. So, they haven’t really got over the pitfalls or training you learn from the people above them on what to avoid in terms of best practices for your data security and retention procedures and things like that.

For example, with the ones you mentioned there, also don’t forget to mention the crash and leak in Nevada, I believe it was in 2017, from MJ Freeway’s Leaf platform that actually exposed both mine and my wife’s data to the public and the state actually had to sponsor a credit reporting tracking for the year for both of us was affected. Yeah, it was huge. So, it was definitely pretty wild to see. If that happened in real time I’d be directly affected by it, so I knew we had made the right choice by kind of coming into this market and making a difference. The other aspect, I think the reason these are vulnerable is a basic functionality. I mean, you don’t see Netflix or Amazon crashing. You don’t see their data getting breached, is because they follow the best practices for software and for data retention, especially with someone’s personal, identifying information on it.

With MJ Freeway, I remember reading that they had an exposed port to their production database. And what happens is you have crawlers that go through and just pretty much check every active IP address, check every single port, and if anything is publicly accessible when they get logged, and will actually get reviewed or hit with further testing. So, a port is like similar to, almost like a garage door on a storage unit. So, if any of these are unlocked, it’s not like people come through every night and check the locks on these storage units to see if anything’s available, but what the crawlers do is they go through and mark the ones that are unlocked and someone will come behind them and pull the data down and see what’s available.

So, even when these things are password protected, there are so many publicly accessible scripts out there that you could just run against a database and it will just brute force by using combinations of user names and passwords until it eventually cracks it. A lot of them will be cracked within about three days, depending on the password complexity, using the most commonly used passwords.

TG Branfalt: So, you had mentioned that there’s a training issue potentially that happens and allows these to happen. Is that something that is, I guess, sort of a hole when people are brought into a dispensary? Like do people not think sort of about this technical aspect and train their employees properly? Is that sort of the assertion?

Jeremy O’Keefe: It’s not even the operator’s fault, it’s the software developer’s fault for just not securing the platform when they’re being paid and entrusted to do just that. I mean, that’s pretty much your entire, your job is to store and make sure their data is accurate and it’s actionable and it hasn’t been modified by third parties. And at the end of the day, that’s our core responsibility. It’s a basic lack of knowledge. For example, the S3 bucket that was exposed, which is similar to a port but for like a directory on your computer that anyone can grab anything from it. There’s a big blue button right there on these S3 buckets that says make private, encrypted, and you just have to push that button and it’s completely protected. So, it just highlights the lack of experience in this space and how people are just trying to capitalize on what they think is a quick and easy market with tech.

TG Branfalt: So, what are the ramifications of these breaches, A, for the businesses that are breached, B, for patients, and C, for just your everyday recreational user?

Jeremy O’Keefe: Oh man, so ramifications are anywhere from losing your state contract, which Nevada bailed on after the breach in 2017 with MJ Leaf, to obviously, huge amounts of lost revenue, a lack of consumer trust and confidence in the market. It kind of sets us back as a legitimate industry and a legitimate market. We’re trying to remove these stigmas of the do nothing, know nothing stoner. And having these tech platforms kind of fall on their face only really gives into that stereotype of no one knows what they’re doing here. In terms of the customers getting their data leaked, I mean, I was a government contractor at the time one of our stuff was leaked and I could’ve potentially lost my job because if you’re a cannabis patient you automatically lose or you can automatically be fired for almost no reason in the majority of states. So, both recreational users and medicinal users have to be careful who they give their data to, because there’s no guarantee that it’s going to be stored securely like it would be with a larger third party service.

TG Branfalt: Is there less concern, do you think, because cannabis is mostly a cash business, sort of the breaches that would… what we worry about when something happens with Amazon, right, credit cards, that sort of stuff?

Jeremy O’Keefe: Yeah, I think so. I just think there’s a lack of kind of a long-term thinking with this market. It’s brand new, people are excited, they’re trying to capture as much market share as they can, as quick as they can, which isn’t a bad thing but you have to make sure that your foundation is covered. Your fundamentals are solid before you try to scale anything because otherwise we’re building on something that’s not scalable.

TG Branfalt: When you talk to regulators, do they actually understand sort of the tech aspect of it? Do they understand sort of the ramifications of just sort of hastily choosing or choosing sort of maybe the best bid? What happens there?

Jeremy O’Keefe: It’s the old joke about the astronauts saying they were sitting on this huge rocket that was built by the lowest bidder, and it hasn’t changed for the cannabis industry either. So yeah, I mean, a lot of times it’s with whoever the buzziest words are, or whoever knows the person in the legislative body to get something kind of pushed through is how it still works.

TG Branfalt: Do you anticipate with all these breaches that states that go online, that they will take this more seriously and maybe take a closer look at the platforms? Are you getting that sense?

Jeremy O’Keefe: Sometimes, I mean, I do notice people are preferring to use a METRC as the compliance platform, which has proven to be the most scalable and most secure end to that. They are focused on that one aspect and not trying to boil the ocean in terms of offering that plus a myriad of other tech solutions, which allows them to focus on that and really build a solid product there. And I think stretching yourself too thin is where things start to get a little out of whack, I guess.

TG Branfalt: So, how should these point of sale companies respond when these incidents occur? I studied communications and crisis communications was something I was particularly interested in. And so, I’m just wondering, sort of from your point of view is if there were a breach by your software, how would you respond as a company, or how would you direct your company to respond?

Jeremy O’Keefe: We would automatically get in front of it. Let anybody that was, information that was compromised, know ahead of time so they could take proactive measures to prevent any damage from occurring. Obviously take responsibility and make sure that we’re covering any negative effects to their credit report and offering protection there. But not just that, but showing the solution that we implemented to make sure that it never happened again. And focusing on really just repairing our brand and then overcompensating for that aspect if that was to happen. But to prevent it out of the gate, we should just, I mean, you should follow the best practices. Your database should never be publicly accessible. It should be accessible to a single entity that you have total control over, that you have to pass through even with your own applications, as a reverse proxy kind of a validator.

This helps with security. It helps with DDOS attacks, which is where someone will just spam your… pretty much like hitting the refresh button a bunch of times on your browser to the point where you have thousands of people doing it at once to where it crashes your server. So, handling things like that, that kind of every other large scale enterprise company needs to have, is something that the cannabis industry should be looking at now as well, especially with how big everything’s getting so quickly.

TG Branfalt: Is the industry behind the more traditional services in this regard, even though it’s so reliant on the seed to sale technology?

Jeremy O’Keefe: Oh, absolutely. It’s pretty far behind and the fact that there’s just the basic fundamental KPIs aren’t being tracked in terms of sell through rates or turnover, inventory aging, just breaking apart real actual analytics. A lot of people will just throw some values onto a chart and kind of let it go with no real “What am I supposed to do with this?” kind of mentality. And that’s really where it falls behind the most. It is ahead of the game in terms of using RFID for smaller to midsize operations, which is great, but just getting them over that hump of the stigma that’s with RFID, that a lot of our competitors have put in people’s heads to say that it doesn’t work or whatever the story is this time because they don’t support it.

It really just boils down to not understanding how to use it and no background in it. If it didn’t work, it wouldn’t be used by our department of defense to track all of our equipment. It wouldn’t be used by NASA to track everything that goes on rockets. So, I’m going to trust what NASA uses and try to use the same processes as they do.

TG Branfalt: Is there any way really to build a perfect system though? I mean, with the rate at which hackers get more brazen, they get more savvy, tech is constantly changing. Is there any way to build a perfect system here?

Jeremy O’Keefe: Absolutely not, honestly. It’s always going to be a moving target. There’s always a new vulnerability, a new update, a new way to do things. So, staying ahead of it and knowing that your software is a living, breathing project and it’s going to always be updating, changing, iterating to match the needs of the industry and to stay up to date with security best practices. One of the biggest concerns with the large scale enterprises that kind of rushed to market and were built on things like Drupal or Vue.js, or some of these other kind of plug and play systems, they don’t scale well.

They’re quick to build small prototypes for personal webpages or apps like that, but once you get to a large scale multi-state operator and they start to really slow down, become non-responsive and just the technical debt kind of comes home to roost, which will require a complete retooling of the system. So, a lot of the competitors are just throwing money at the solution in terms of server space and computational speed to kind of make it work faster instead of just having a more lean and scalable solution.

TG Branfalt: So, while we’re talking about adapting, what was it like for you to adapt to sort of the needs of the cannabis industry, both professionally and personally?

Jeremy O’Keefe: Oh, it was great personally. I mean, when we first started the samples were a lot more common five years ago, so that was the best part. But in terms of professionally, I mean, I was always into retail and the big data sets. I know it doesn’t seem exciting, but I just like to see where things go and how they got there and just the whole kind of life cycle and chain of events that happened. And with me already building that solution for retail kind of apparel, this and that, which is really kind of boring for me, I got to kind of jump into a market that really interests me and I’m passionate about. I mean, I’ve been growing myself, off and on, not very well for about six years. And it’s just great to be a part of something you really care about. And this is a turning point in our civilization where modern day prohibition is ending, and it’s exciting to be a part of this.

TG Branfalt: Are you tracking your own plants using your software?

Jeremy O’Keefe: Oh no, I can’t even get one … out of it. I’m just … for a while.

TG Branfalt: When states required the seed to sale tracking stuff, I mean and every state requires the seed to sale tracking, do the laws ever include any consequences for the firms who actually leaked this data?

Jeremy O’Keefe: In the language there, there are consequences stated, and you also have to carry a certain liability insurance for exposing customers’ PII, but in terms of that ever being leveraged or used against the people that do it, I haven’t seen any real cases that any states have followed through with that.

TG Branfalt: Is that insurance? I know that insurance is hard to get for industries, for companies that touch the plant. Is insurance something that the tech industry, the cannabis tech industry has trouble with as well?

Jeremy O’Keefe: Yes and no. It depends on who you’re talking to and kind of the questions they ask. So, most people just say they’re retail tracking or supply chain tracking, but there are a lot of cannabis specialized insurance agencies that have popped up now that really make it a lot easier to kind of lay everything out and get a decent and fair rate on what you’re doing, because they realize at the end of the day you’re just ones and zeros. You don’t have any type of physical connectivity to the plant or any type of activities that way. You’re just tracking ins and outs through your system.

TG Branfalt: So, let me ask you, a lot of people have sort of, they talk about sort of blockchain as being sort of this magic potion to stop breaches and this sort of perfect software to protect data and this sort of thing. Again, I’m not a tech guy, I’ve said this a hundred thousand times on the show, but is blockchain tech something that could be used and should be used to help prevent sort of breaches for seed to sale tech?

Jeremy O’Keefe: No, I mean the blockchains, it gets thrown around a lot by everybody, but at the end of the day, blockchain actually exposes more data than it hides it. It’s usually used for shared parties will create a blockchain and what that will do is it puts a block of data onto a chain in one direction only. So, there’s always a historical record and no previous ones can be changed. So, this is great for tracking a supply chain, product breakdowns into new products, transactions. So, it’s an immutable ledger, which means it can’t be edited after everything’s been created. So, it’s a true source of truth for any historical action that was taken inside this blockchain.

And blockchains can be anything. They’re not just cryptocurrency or anything like that. They’re utilized by a lot of large scale operations like IBM and Google obviously. I think our Google sheets and Google docs are tracked using a certain kind of blockchain technology that just links your previous versions to your next versions so you can go back or go forward depending on what you want to do and start new chains that way. So, it’s really just almost like a data management system, more than some kind of super problem-solver tech at the end of the day.

TG Branfalt: What advice would you have for entrepreneurs who are worried about potential data breaches, or what advice would you have for them best practices wise, to prevent these breaches? Is there anything sort of the retailer can do?

Jeremy O’Keefe: Due diligence on your provider. Asking what their SOPs are, their standard operating procedures for security, for who has access to their systems and what are their catastrophic recovery procedures? So, worst case scenario what happens? They should have an answer for those questions if they want to be able to reliably support and store your data. For example, we do snapshots of our database every 15 minutes and we do full backups of it every single hour. And we keep a 30 day block of backups as a rolling replacement. So I mean, just things like that to make sure that it’s not if but when, as worst case scenario. Like motorcycle wrecks, you plan for the slide not for the ride.

So, you want to make sure that you’ve got everything covered in the worst case that something does happen, but you obviously plan to make sure it doesn’t. But yeah, just retailers asking their operators how they do stuff, what their background is. I mean, if you look at the background of most cannabis tech founders, I mean, none of them have done anything like this before in their lives. So, there’s a pretty steep learning curve when it comes to that and they need to build a really smart team around them to help guide this product development and make sure that it’s brought in house and that they have full ownership of it, because third parties and outsource contractors are never going to give it the attention and the passion that the core of your company really deserves.

TG Branfalt: I mean, you’re definitely a lot more passionate than a lot of the type people that I have come in contact with. I guess because you have this opportunity, how much is that driving you? I mean, because you can definitely tell that this is sort of a culmination for you.

Jeremy O’Keefe: Oh, absolutely. This is a dream come true. I went to college with a major in computer science and a minor in graphic design because I wanted to build something from nothing and make a difference and I just so happen to be in one of the best industries out there as it gets legal so I have no complaints.

TG Branfalt: Where could people find out more about the software, more about you? How can they get in touch with you?

Jeremy O’Keefe: Oh yeah, definitely. Getyobi.com is our site. G-E-T-Y-O-B-I. Finding out more about us, you can follow us on Twitter at YobiSays, or if you’re in Latin America, YobiDice. So, we’re pretty proactive on there. We respond to requests and comments. We try to be out there and listening to people that are in the trenches and seeing what they’ve got going on.

TG Branfalt: Well, I really want to thank you, man, for coming on the show. This has been really sort of enlightening for somebody who’s not a tech guy to just sort of be able to break this down. We’ve covered as many of the breaches as we’re able, and so this is the first time that I’ve actually had someone on the show that has expertise in this sort of realm. So, I really appreciate you taking the time and joining me today.

Jeremy O’Keefe: Of course, I appreciate you listening to the explanations. That’s not often I get to do that living and working at home.

TG Branfalt: Well, hopefully we’ll get out of the house soon, man.

Jeremy O’Keefe: Oh, yeah. One way or another.

TG Branfalt: Thanks so much.

Jeremy O’Keefe: Thanks, man, thanks.

TG Branfalt: That’s Jeremy O’Keefe, he’s the CEO of Yobi Software, a seed to sale point of sale system designed to simplify the cannabis business ecosystem. You can find more episodes of the Ganjapreneur.com Podcast in the podcast section of Ganjapreneur.com and in the Apple iTunes store. On the Ganjapreneur.com website, you will find the latest cannabis news and cannabis jobs updated daily, along with transcripts of this podcast. You can also download the Ganjapreneur.com app in iTunes and Google Play. This episode was engineered by Trim Media House. I’ve been your host, TG Branfalt.
