When assessing the necessary components for a successful cannabis retail business, operators often don’t see much in their point-of-sale (POS) systems beyond the bells and whistles touted by their sales agents. Rarely do they take the system’s security into account.
When it comes to protecting their businesses, most owners prioritize issues surrounding their cash, their physical security and, of course, their inventory. While this makes sense, it leaves them open to digital attacks that cybercriminals have begun to exploit. Several well-publicized attacks involving MJ Freeway’s POS system and its complementary track-and-trace software program, Leaf Data Systems, have disrupted operations for thousands of businesses.
Even non-security problems have befallen these systems, such as the recent shutdown of Franwell’s METRC software over the course of a weekend in Maryland. These problems remind us once again that the cannabis industry and the tools it uses to conduct business are works in progress.
Nevertheless, businesses cannot afford downtime.
Plus, a security breach could be particularly costly for a medical dispensary; California, for example, allows for civil suits of $2,500 per record if patient data gets released into the wild.
Implementing the right technology standard operating procedures and enforcing them effectively can help businesses lock down their data as effectively as they secure cash and merchandise.
Both cloud-based and on-premises POS systems have different strengths and drawbacks in their design.
On-Premises Vs. Cloud
The majority of POS systems come in two flavors: on-premises and cloud-based.
With cloud-based systems, the terminals, tablets and other hardware connect directly to a web service. All of this traffic is encrypted and passes over the internal network.
As the cannabis industry grows and private health and credit card information is routinely shared between insurance carriers and credit companies, companies will need to create sound policies and infrastructure around their POS system. For on-premises POS systems, virtual local area networks that can segregate the POS system from your WiFi and security cameras can shield your data should these points of entry become compromised. Any tablet, terminal or iPhone that accesses the POS should not be used for any other purpose. Mobile device management software and desktop remote management and maintenance can assist in policing the usage of such devices.
We’re often amazed when we see clients that have spared no expense on their physical security systems using routers from Best Buy that were set up by the store manager. Often, these are inherently insecure and unprepared for the level of growth most cannabis business owners plan for. Ultimately, whether selecting a POS system or creating the network that connects it to the Internet, the best thing a business owner can do is pick the right partner. Don’t listen to tribal knowledge; understand the players in the market. Talk to professionals who have worked with the systems and choose your partners carefully. And don’t just go with the cheapest system. You likely will never be happy, and it will probably be the least secure.
State Traceability Programs
No one has a choice when it comes to the seed-to-sale program selected by each state. However, retailers can take simple defensive measures now to shield them from system failures that are otherwise beyond their control. The state-mandated systems need to be maintained by professionals if they’re on-premises, or there will be issues. The system must be properly fortified and backed up to protect against the possibilities of a store experiencing a shutdown or bad date being sent. If the system is cloud-based, the export feature must be used to make sure that data is being pulled down.
In the event of a statewide system shutdown, the good news — if there is any — lies in the shared misery of every retail outlet, especially on multi-tenant, cloud-based track-and-trace programs. The state, in this case, may be more lax in reporting during this time. We have repeatedly seen clients that diligently back up their data recover faster and resume normal business operations more quickly than their peers.
What Employees Need To Know
People, such as employees or even management, are often the weakest link in data security. For this reason, businesses should impose a deny-first policy with POS system data. In the data security world, a deny-first policy maintains that systems and people should deny access by default to anyone or anything requesting it. Authentication should be verified by two factors before granting access.
Many of these policies don’t require new software at all. For instance, compensation can be tied to the amount of goods sold, so that employees are not incentivized to share their log-in data with each other. These can be implemented in the POS system through the use of access controls and assigning the lowest level necessary for each employee. Inventory controls and proper video surveillance also helps keep people honest. For many teams, the fear of being watched is often enough. The company has to back up the threat with action when infractions are committed, as well as report it to the proper authorities, depending on the infraction. When people know there’s a no-tolerance policy and that eyes are trained upon them, there are a lot fewer incidents.
Moving Forward
While some of the POS systems on the market today will suffice for the tasks at hand, there are a number of improvements, from user experience to better reporting and integration, that can be made right now. Currently, usability controls are subpar in many cases, so business owners can’t service customers appropriately. There is a wealth of information about sales, trends, customer behaviors and day-to-day activity that has yet to be thoroughly utilized by many players in the cannabis space. It all cries out for deeper innovation, which will come once the industry leads on its own, instead of merely emulating other industries.
Of course, retailers need to keep their businesses secure in the meantime, and they can do so by learning how to use their tools safely.
Until the time comes when retailers seek a more managed solution to their network needs, diligently preserving and protecting data will keep businesses running while we envision and create our collective future as an industry.
Eric Schlissel is the CEO of GeekTek, a national, managed IT/cybersecurity firm headquartered in Los Angeles, California. He has spoken extensively throughout the country as a panelist and moderator on cannabis and technology. He has been widely published and quoted in The Los Angeles Times, Wired, CIO Magazine and ChannelPro.