In Part 1 of this primer on cybersecurity for the cannabis industry, we talked about what’s at stake for operators if they become victims of a cyber attack. We discussed the most popular types of threats and how to identify them. Additionally, we covered a real example of a cultivator that lost thousands of dollars due to a somewhat sophisticated socially engineered attack.
Now, in Part 2, we will explore in depth how best to prepare your cannabis business to withstand a cyber threat and what to do if a threat or breach is detected.
As the adage goes, “An ounce of prevention is worth a pound of cure,” which is especially true when it comes to cybersecurity for cannabis businesses.
Because almost half of all data breaches were caused by a negligent employee or contractor, it is very important to conduct regular cybersecurity training with staff. These sessions review how to spot suspicious emails and links as well as tips for setting strong passwords. It is a good idea to include cybersecurity training as part of new employee onboarding because new hires are the most susceptible to socially engineered attacks. As part of a comprehensive preparedness plan, test phishing emails can be used to check whether employees put their cyber training into practice. Provide individual remedial training for employees who don’t respond properly or who fail to report the suspicious email.
Like locks on doors, a secure network will help protect a business from many cyber attacks and can limit the damage if there is a breach. The following recommendations will enhance the security of systems a cannabis business relies upon:
If secure systems are locked doors, passwords often are the keys to gain entry.
Sometimes criminals can gain access to other businesses after compromising a vendor or service provider, which is why it is also important to perform due diligence on any company that has access to a business’s sensitive information. A quick Google search may help to reveal whether an entity has been involved in previous data breaches and how they responded to the issue. Also, feel empowered to ask vendors what protective measures they take to secure sensitive information.
Simple office policies are effective at keeping sensitive information safe.
Cannabis operators have intimate knowledge of the cannabis industry and business principles, but they may not have the IT background needed to protect their businesses from a cyber attack. For this reason, it is recommended to hire a dedicated IT specialist or outsource this work to a contractor or firm. These IT experts can conduct the required staff training, establish and monitor the secure network, and react quickly if a breach occurs. Although this level of knowledge comes at a price, it is nothing compared to the significant financial loss businesses face after falling victim to a cyber attack or data breach.
Brian Ellis and Vivian Isaboke, Cybersecurity, Privacy & Technology attorneys at Bressler, Amery & Ross, P.C. who are familiar with the patchwork of state and federal privacy and cybersecurity laws, note that such laws apply with equal force to the cannabis industry:
“Depending upon the state where you operate and/or where your customers are located, the law may actually require you to take active steps to prevent, identify, respond to, and resolve cyber security and data privacy incidents and events. Regardless of legal requirements, however, it is best practice to discuss information security with qualified professionals and to ensure that your business and reputation are as protected as possible.
“Though data privacy and information security may seem like additional headaches for cannabis companies already subject to rigorous regulation by state and local authorities, the legal obligations of a business and its employees with respect to personal and/or proprietary data of customers and third parties continue to evolve – and could lead to disastrous consequences if not taken seriously. Ensuring a deep understanding of these legal obligations and considerations is of paramount importance.”
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
– Robert Mueller
As cybersecurity measures evolve and improve, the criminals behind these attacks also adjust and become more sophisticated. Therefore, there is a possibility that a cannabis business will face a cyber threat or fall victim to a breach despite taking all the recommended protective measures.
Perhaps a well-intentioned employee accidentally clicked a link and determined immediately that something was amiss. Maybe a criminal hacked their way into a secure office network. Or perhaps the entire staff received a duplicate friend request and private messages asking for money through social media, apparently from a coworker. All of these scenarios pose a risk to the cannabis company.
Any cybersecurity breach should be considered a serious threat to a company’s integrity and dealt with accordingly. In addition to retaining a qualified professional to investigate, respond to, and resolve suspected incidents or events, the following steps are useful:
For cannabis companies, having a clear plan to respond to a possible incident is often a core and critical issue. Developing an incident response plan with steps to help mitigate a cybersecurity incident will ensure that you and your organization can move quickly should this occur. Be sure to include contact information for your insurance provider and law enforcement (both your local police, as well as state and federal authorities with expertise, such as the FBI and the Secret Service, which investigate financial crimes) so that this information is readily available to you when responding to a cybersecurity incident.
All cybersecurity statistics referenced in this article can be found at https://purplesec.us/resources/cyber-security-statistics/.