Cyber threats such as ransomware, phishing and data theft pose significant risks to cannabis dispensaries. These attacks can disrupt operations with long recovery delays, compromise client data, invite litigation and damage business reputations.
IBM's 2023 Cost of a Data Breach report puts the average global cost of a breach at $4.45 million, and 51% of the organizations surveyed said they planned to raise their security budgets in response. Security measures that protect data from theft or loss help a dispensary avoid fines and penalties, the loss of credibility and trust, or worse, license forfeiture.
Overall, 60% of small to midsized businesses have been victims of a cyberattack. As the cannabis industry grows, so do the threats. Outsourcing cybersecurity services for planning, best practices and risk assessments is a preventive approach to protecting sensitive customer data.
Prioritizing Cybersecurity in the Cannabis Industry
The California Cannabis Industry Association warns that cannabis retailers may become prime targets for cybercriminals because of their limited investment in cybersecurity defenses. Cybercriminals target retailers in general, but the combination of medical records, government-issued IDs and cash-heavy operations makes cannabis retailers an especially lucrative target.
In January 2020, THSuite, a popular cannabis point-of-sale provider, was found to have left a database of approximately 85,000 files unsecured and unencrypted on the public internet. Personal information belonging to some 30,000 individuals, including medical data, photo IDs and home addresses, was exposed. No exploit was needed: the data was readable by anyone who found the storage location.
An informal survey by MJBizDaily found that 59% of marijuana businesses have not taken precautions to address cyber incidents. “Cannabis companies could make savory targets,” wrote Rolling Stone.
Establishing Cybersecurity Measures for Cannabis Retailers
Establishing procedures, policies and awareness training for staff, and determining the controls needed to thwart phishing, social engineering and ransomware attacks, can be highly complex. Cybersecurity professionals who stay current with new technologies (including AI language-generation tools like ChatGPT, which attackers now use to write convincing phishing lures) continuously monitor evolving threats and the strategies that mitigate them.
In certain situations, organizations can hire a virtual chief information security officer (vCISO) part-time, and onsite when needed, as a stopgap to kick-start a security program. A sampling of cybersecurity controls that cannabis businesses should consider includes:
– Early threat detection and response: The cost of a security breach can be significant, so early threat detection is crucial. Outsourcing services like managed threat detection and response (MDR) provides cannabis businesses and dispensaries with dedicated security experts who continuously monitor networks for any signs of intrusion. This proactive approach helps reduce the time it takes to detect and respond to cyber threats.
– Endpoint security: Cannabis dispensaries rely on various endpoints, including point-of-sale systems, online ordering platforms, and employee devices, making them vulnerable to attacks. Endpoint detection and response (EDR) solutions can monitor and protect these endpoints from potential threats. With EDR services, dispensaries can centralize their endpoint security and protect against malware, ransomware, and other cyber threats.
– Penetration testing: Penetration testing (“pentesting”) is a security assessment in which testers simulate real attacks to find exploitable weaknesses in networks, applications and endpoints such as point-of-sale terminals and online ordering platforms. Pentesting enables cannabis dispensaries to identify and fix those weaknesses before cybercriminals exploit them.
Compliance Mandates and Security Standards
Any business that collects, stores or processes personal information is subject to data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), depending on where it operates and whose data it holds. These laws require protecting personal information (names, addresses, email addresses, IP addresses) from unauthorized access, use, disclosure, alteration or destruction. They apply with extra weight to sensitive personal data, such as information about health, race, ethnicity and sexual orientation, which a dispensary's purchase history and medical-card records can reveal.
Once banking is underway and operational, cannabis retailers will also need to follow payment card industry (PCI) rules. As soon as you accept credit or debit cards, your acquirer contract requires compliance with PCI DSS, the card brands' security standard for protecting cardholder data.
The Imperative of Cyber Risk Assessments
With malware, ransomware and data breaches becoming more sophisticated and damaging, organizations need to adopt a framework that identifies and mitigates risks before they become active threats or security incidents. Regulators may eventually hold cannabis to the same standards as health care and finance; dispensaries that already handle medical data and payment cards should not wait for that to happen before running regular security risk assessments performed by knowledgeable third parties.
A major benefit of cyber risk assessments is that they minimize the possibility of disruptions caused by cyberattacks, which can lead to significant financial losses. Assessments reduce cybersecurity risk by continuously evaluating the organization’s attack surface and then identifying, quantifying and prioritizing the risks found. By identifying potential vulnerabilities and implementing appropriate measures, businesses can enhance their defense capabilities and ensure continuity.
When developing a cybersecurity strategy, it is important to build on established frameworks (such as ISO 27001, NIST SP 800-53, the NIST Cybersecurity Framework and the CIS Controls). These frameworks cover various domains, including strategy, maturity, vendor risk, data classification, roles and responsibilities, incident response and more. In cybersecurity, decisions about where to spend limited budget should be driven by risk assessment.
(Other risk assessments include data classification and discovery assessments, vendor risk assessments, application risk assessments, Wi-Fi risk assessments, cloud risk assessments, physical risk assessments, and security awareness assessments. Each type of assessment targets different aspects of the organization’s IT infrastructure and security measures.)
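The quantifying and prioritizing step above is usually done with the annualized loss expectancy (ALE) model and a return-on-security-investment (ROSI) comparison of candidate controls. The following is an added illustration, not code from the article or from Towerwall; every asset value, exposure factor, incident rate and control cost in it is a constructed placeholder chosen to show the mechanics, not a figure for any real dispensary.

```python
"""Quantitative cyber-risk prioritisation (added example, constructed data).

    SLE  = asset_value * exposure_factor       # loss from one incident
    ALE  = SLE * ARO                           # expected loss per year
    ROSI = (ALE_before - ALE_after - cost) / cost   # per candidate control
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # replacement or liability value of the asset ($)
    exposure_factor: float    # fraction of the value lost per incident, 0..1
    aro: float                # annual rate of occurrence (incidents per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"invalid risk parameters for {self.name!r}")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                  # Risk.name this control mitigates
    annual_cost: float
    aro_reduction: float       # fraction by which likelihood drops, 0..1
    ef_reduction: float = 0.0  # fraction by which impact drops, 0..1

    def __post_init__(self) -> None:
        if self.annual_cost <= 0 or not 0.0 <= self.aro_reduction <= 1.0 \
                or not 0.0 <= self.ef_reduction <= 1.0:
            raise ValueError(f"invalid control parameters for {self.name!r}")


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE after the control, applying both likelihood and impact reductions."""
    ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return risk.asset_value * ef * aro


def rosi(risk: Risk, control: Control) -> float:
    saved = risk.ale() - residual_ale(risk, control)
    return (saved - control.annual_cost) / control.annual_cost


def prioritize(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls worth funding (ROSI > 0), highest return first.

    A control whose yearly cost exceeds the loss it prevents has negative
    ROSI and is dropped: spending on it would cost more than the risk itself.
    """
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    scored = []
    for c in controls:
        if c.risk not in by_name:
            raise KeyError(f"control {c.name!r} references unknown risk {c.risk!r}")
        scored.append((c.name, rosi(by_name[c.risk], c)))
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed register for a hypothetical dispensary (placeholder figures).
RISKS = [
    Risk("POS customer database exposure", asset_value=2_000_000, exposure_factor=0.25, aro=0.5),
    Risk("Ransomware on back-office workstations", asset_value=400_000, exposure_factor=0.5, aro=1.0),
    Risk("Phishing of staff credentials", asset_value=150_000, exposure_factor=0.4, aro=2.0),
]

CONTROLS = [
    Control("Encrypt and access-control POS database", "POS customer database exposure",
            annual_cost=25_000, aro_reduction=0.8),
    Control("MDR subscription", "Ransomware on back-office workstations",
            annual_cost=60_000, aro_reduction=0.5, ef_reduction=0.5),
    Control("Security awareness training", "Phishing of staff credentials",
            annual_cost=10_000, aro_reduction=0.3),
    Control("On-prem SIEM build-out", "Phishing of staff credentials",
            annual_cost=150_000, aro_reduction=0.5),   # costs more than it saves
]


def example_plan() -> List[Tuple[str, float]]:
    return prioritize(RISKS, CONTROLS)


if __name__ == "__main__":
    for name, score in example_plan():
        print(f"{score:5.2f}  {name}")
```

With these placeholder numbers the database hardening ranks first (about 7x return), training second, the MDR subscription third, and the SIEM build-out is dropped because it costs more than the loss it would prevent. Real figures come from the data discovery, vendor and application assessments listed above; the model is only as good as those inputs.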
The cannabis industry faces significant risk from cyber threats like ransomware, data theft and phishing, which bring operational disruption, compromised client data and likely litigation. Cybersecurity measures, including outsourced services such as early threat detection and response, endpoint security and penetration testing, are critical to protecting sensitive customer data and reputation. By regularly assessing cyber risks and vulnerabilities, the cannabis industry can become more resilient to cyber threats.
Michelle Drolet is CEO of Towerwall, a specialized cybersecurity provider offering professional onsite services with clients such as CannaCare, Foundation Medicine, Middlesex Savings Bank, and Milford Regional Medical Center. Founded in 1999 in Framingham, Massachusetts, Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity programs. Drolet can be contacted at michelled@towerwall.com.