The Importance of Cybersecurity for Cannabis Businesses

Cybersecurity is usually at the forefront of business owner and consumer’s minds whenever a new breach or threat is announced. In 2018, a U.S. cannabis business was alerted by a conscientious user that their website search portal was exposing patient data. This prompted several states to issue immediate cybersecurity regulations aimed at the cannabis industry. California privacy legislation AB-2402 and Oregon Revised Statutes 646A.602 readily come to mind. As a security professional, I can assure you, no one is ever 100 percent safe.

Attackers have time and unlimited resources at their disposal. The average in-house security team is bombarded by company initiatives with strict budgets, various leaders pressing their agendas, and never-ending daily responsibilities. Attackers can spend their days scanning the Internet for vulnerabilities, writing damaging code, and most importantly taking their time for the right opportunity to pounce. For them, there is no 9 to 5 clock. An unfortunate, but common, theme at companies I consult for is never having time to do all that is needed to protect themselves. Technical debt piles up as leaders charge forward and security becomes a game of simply keeping your head above water.

“Attackers often compromise smaller, less secure businesses and use their environments as their base of operations,” says Verizon. “The attackers rely on relatively insecure systems with poor monitoring and logging as an additional layer of security when perpetrating attacks. Your systems might be the origin of major breaches and, in addition, your intellectual property might be an attractive bonus.”

For small-to-medium sized companies (SMBs) the threat is real and often more dangerous. SMBs don’t tend to staff many permanent advanced IT or security folks. In my experience with smaller companies, they have an IT generalist, or two, who can cover the basics and may have specialized skills which benefit their employer. When I attended MJBizcon last year, a fellow cybersecurity organization shared their metrics on costs associated with full-time staffing of security professionals. The data suggested staffing a full-time security firewall specialist would run approximately $78k per year. This also applied to hiring a security professional for data backup and disaster recovery, malware, antivirus, and software patching. Those two security roles alone, even without a security leader, would cost an average employer roughly $156k in annual salary/benefits. Add on some form of security leadership such as an IT manager/director and the cost increases into the $250-300k range. Oh, and don’t forget annual training and other incidental costs that also quickly add up.

According to a Cybersecurity Special Report for 2018; “Many small/midmarket businesses are only beginning to realize how attractive they are to cybercriminals.” I invite our readers to consider this statistic offered by the article stating, “More than half (54 percent) of cyber-attacks result in damages of more than $500k. These damages include, but are not limited to, lost revenue and customers/[patients], opportunities, reputation, and out-of-pocket costs.” Data from LastPass, a company offering encrypted password storage, shares these sobering reports. The National Cyber Security Alliance reports that more than 70 percent of cyberattacks target small businesses. They also found 60 percent of hacked SMBs go out of business within six months! In other words, it’s not a question of IF your business will be attacked. It’s a question of WHEN, how severely, and… will you survive?

Some thoughts on building a cybersecurity framework are shared by Michelle Drolet in Cannabis Business Executive’s online article. In the article, Michelle brings to light,” The meteoric rise of cybercrime has caught many organizations unawares. Malware has spread from PCs to smartphones, phishing scams have grown more sophisticated, and ransomware is running rampant.” DOPE magazine presented an article showcasing four reasons hackers target the cannabis industry:

  • Valuable Information
    • Patient information, order history, intellectual property, research & development, customer/patient names, addresses, dates of birth, phone numbers, driver’s license numbers, medical information, and more
  • Multiple Points of Entry
    • Email, web, USB devices, mobile devices
  • Immature Security Posture
    • Unfortunately, when it comes to cybersecurity, companies fail to invest the necessary capital needed to ensure the security of their digital assets.
  • Untrained, Underfunded, or Understaffed Security Team
    • The cybersecurity industry is currently challenged with a shortage of qualified individuals to combat, defend, and respond to the number of threats

What can SMBs do to not lose their shirts, not only in an attack but with staffing as well? There are many resources provided by cybersecurity organizations to help. These resources are available at little to no cost. An example would be the Federal Trade Commission’s Cybersecurity for Small Business resources. The FTC even posts a guide for protecting your business against scams.

Culture-based training is also a great way to educate your entire staff on basic cybersecurity risks and principles. All the fancy tech in the world can’t protect a business if your cyber culture is lax or nonexistent. Enter the Cyber Readiness Institute (CRI) and Cannakins Consulting!

CRI’s Cyber Readiness Program is designed to be straightforward and accessible for SMBs regardless of size, technical expertise, and sector. Designed in collaboration with leading cyber experts, and with input from organizations of all sizes at different points in global value chains, it focuses on embedding basic cyber policies and processes into an organization. It also recognizes that organizations need to work with the resources they have to advance their cyber capabilities and not necessarily hire or bring in new skill sets to manage the risk.

At Cannakins Consulting, we understand the technical and culture-based threat landscape presented to today’s businesses. We offer practical security assessments of your business environment that can be coupled with a managed or co-managed cyber awareness training program. Our technical assessments result in actionable reports which can be used as a template to strengthen your cyber security posture. Find and fix vulnerabilities, track suspicious activity, detect unauthorized wireless use, create custom email alerts, and other advantages from real-time environment monitoring. We are certified as a Cyber Readiness Champion in partnership with CRI. Through their Cyber Readiness Program, Cannakins and our clients gain access to up-to-date culture-based training. You don’t need to suffer through deep technical reviews that make your eyes glaze over! Working through the cyber awareness program with Cannakins by your side puts your staff ahead of the cyber awareness curve. We collaborate with you to create a fully documented cybersecurity plan with incident response and recovery instructions. CRI gives graduates of the program a recognized certification you can proudly display on site and digitally to let customers know your company and staff take protecting their privacy seriously. How cool (and smart)! Contact us today to protect your business and vision!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.