In Part 1 of this primer on cybersecurity for the cannabis industry, we talked about what’s at stake for operators if they become victims of a cyber attack. We discussed the most popular types of threats and how to identify them. Additionally, we covered a real example of a cultivator that lost thousands of dollars due to a somewhat sophisticated socially engineered attack.
Now, in Part 2, we will explore in-depth how to best prepare your cannabis business to withstand a cyber threat and what to do if a threat or breach has been detected.
Protective Cybersecurity Measures for Cannabis Operators
As the adage goes, “An ounce of prevention is worth a pound of cure,” which is especially true when it comes to cybersecurity for cannabis businesses.
Because almost half of all data breaches were caused by a negligent employee or contractor, it is very important to conduct regular cybersecurity training with staff. These sessions review how to spot suspicious emails and links as well as tips for setting strong passwords. It is a good idea to include cybersecurity training as part of new employee onboarding because new hires are the most susceptible to socially engineered attacks. As part of a comprehensive preparedness plan, test phishing emails can be used to test if employees put cyber training into practice. Perform individual remedial training for employees who don’t respond properly or who fail to report the suspicious email.
Similarly to locks on doors, a secure network will help protect a business from many cyber attacks and can limit the damage if there is a breach. The following recommendations will enhance the security of systems a cannabis business relies upon:
- Install firewalls on networks. Having a firewall in place reduces your risk as it enables you to control what traffic can get into your network;
- Keep all of your computer systems and software up to date. Vulnerabilities in operating systems and software are the primary points of vulnerability that bad actors use to compromise systems, so keeping your computers—and software application versions—up to date helps to keep that door shut to them;
- Secure and password protect wifi systems. Open wifi networks allow bad actors free access to your network and data. Password protecting them makes it more difficult for them to get into your network;
- Keep access to sensitive information restricted to only the staff that need it;
- Use device encryption on all computers. In the event that a computer is stolen, device encryption makes it much harder for bad actors to get data from your hard drives.
If secure systems are locked doors, passwords often are the keys to gain entry.
- Require strong passwords and have periodic mandatory password resets;
- Use separate passwords for each system you have access to;
- Use a trusted password manager to manage your passwords. Not only will your passwords be stored securely, but there are features that help you prevent using the same password for various accounts or websites;
- Utilize multi-factor authentication (“MFA”). MFA is an extra layer of security that makes it more difficult for an attacker to gain access to a device or service because a password alone is not enough to pass the authentication check.
Third-Party Risk Mitigation
Sometimes criminals can gain access to other businesses after compromising a vendor or service provider, which is why it is also important to perform due diligence on any company that has access to a business’s sensitive information. A quick Google search may help to reveal whether an entity has been involved in previous data breaches and how they responded to the issue. Also, feel empowered to ask vendors what protective measures they take to secure sensitive information.
Simple office policies are effective at keeping sensitive information safe.
- Identify and designate a trained and qualified Chief Information Security Officer (“CISO”);
- Work with the CISO to draft, implement, and periodically update information security, privacy, and incident response policies;
- Lock screens when away from them;
- Implement a clean desk policy and shred documents to prevent sensitive information or passwords from getting into the wrong hands;
- If hard copies must be kept, store them in locked drawers.
Cannabis operators have intimate knowledge of the cannabis industry and business principles, but they may not have the IT background needed to protect their businesses from a cyber attack. For this reason, it is recommended to hire a dedicated IT specialist or outsource this work to a contractor or firm. These IT experts can conduct the required staff training, establish and monitor the secure network, and react quickly if a breach occurs. Although this level of knowledge comes at a price, it is nothing compared to the significant financial loss businesses face after falling victim to a cyber attack or data breach.
Brian Ellis and Vivian Isaboke, Cybersecurity, Privacy & Technology attorneys at Bressler, Amery & Ross, P.C. who are familiar with the patchwork of state and federal privacy and cybersecurity laws, note that such laws apply with equal force to the cannabis industry:
“Depending upon the state where you operate and/or where your customers are located, the law may actually require you to take active steps to prevent, identify, respond to, and resolve cyber security and data privacy incidents and events. Regardless of legal requirements, however, it is best practice to discuss information security with qualified professionals and to ensure that your business and reputation are as protected as possible.
“Though data privacy and information security may seem like additional headaches for cannabis companies already subject to rigorous regulation by state and local authorities, the legal obligations of a business and its employees with respect to personal and/or proprietary data of customers and third parties continue to evolve – and could lead to disastrous consequences if not taken seriously. Ensuring a deep understanding of these legal obligations and considerations is of paramount importance.”
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
– Robert Mueller
What to Do if a Breach is Detected
As cybersecurity measures evolve and improve, the criminals causing these attacks also adjust and become more sophisticated. Therefore, there is a possibility that a cannabis business will face a cyberthreat or become victim to a breach despite taking all the recommended protective measures.
Perhaps a well-intentioned employee accidentally clicked a link and determined immediately that something was amiss. Maybe a criminal hacked their way into a secure office network. Or, the entire staff gets a duplicate friend request and private messages for money through social media from a coworker. All of these scenarios pose a risk to the cannabis company.
Any cyber security breach should be considered a serious threat to a company’s integrity and dealt with accordingly. In addition to retaining a qualified professional to investigate, respond to, and resolve suspected incidents or events, the following steps are useful:
- If a cyber attack has been caught early and nothing has been clicked on or shared, inform the person or company with the possibly compromised account so they can reset passwords. Do not click any links or attachments or forward the email.
- If it is possible that a breach has occurred, engage the CISO, IT, and security teams to do an investigation immediately. This limits the severity of the breach, and in some cases, transactions sent to fraudulent accounts can be reversed.
- Lastly, contact authorities if required under applicable law and/or if it is possible a crime has been committed.
For cannabis companies, having a clear plan to respond to a possible incident is often a core and critical issue. Developing an incident response plan with steps to help mitigate a cybersecurity incident will ensure that you and your organization can move quickly should this occur. Be sure to include contact information for your insurance provider and law enforcement (both your local police, as well as state and federal authorities with expertise, such as the FBI and the Secret Service, which investigate financial crimes) so that this information is readily available to you when responding to a cybersecurity incident.
All cybersecurity statistics referenced in this article can be found at https://purplesec.us/resources/cyber-security-statistics/.