Following a string of legalizations across the U.S. in 2020, the cannabis industry continues to mature and vastly expand. New Frontier Data projects the sector to be valued at $40B+ by 2025. With several new markets expected in 2021, marijuana continues to make strides toward federal approval. The multi-billion-dollar market attracts many investors and entrepreneurs for massive investment opportunities while drawing the attention of cybercriminals who see financial opportunities and exploit the seed-to-sale lifecycle.
Understanding Risk and Security
Before we dive into the specifics, it is beneficial to understand the leading risk that the cannabis industry faces.
As one of the most volatile industries, cannabis is no stranger to a box of complex challenges wrapped in a bow of contradictions. The market is highly regulated and unregulated at the same time. Marijuana is not federally recognized but is legalized in several states in the U.S. Then, there are local laws, regulations, and jurisdictions that business owners must contend with and that are inconsistent from state to state.
Recently, Mississippi’s Supreme Court overturned a medical marijuana initiative that voters approved in 2020. So now what? After the state’s health department had been working on a program, investors and business owners began plunking their cash into businesses with plans to begin operations this summer. Their investments are at risk, for now.
The hodgepodge of regulatory requirements and laws presents a challenging landscape that plant-touching and ancillary businesses must navigate. It is like stepping onto a minefield, and if business owners do not have the proper guidance or are not effectively evaluating risk, they may step on a mine.
Cybersecurity: The Current State and Why it’s Targeted
Beyond the legalization and regulatory challenges, compliance, fraud, cybersecurity, and reputational incidents lead to perils. But what do these risks have in common? Security!
Cannabis is all too familiar with security. The challenging environment, coupled with ever-growing threats, demands high-quality protection. However, most business owners’ understanding of security is limited to physical protection, and they have yet to incorporate cybersecurity as part of their security program.
IT risk management is neither a priority for nor understood by many cannabis entrepreneurs until it is too late. Common is the thought of ‘it cannot happen to me’ or ‘I am too small to be attacked,’ but it is naive to embrace those thoughts. Additionally, in a vastly expanding environment where mergers and acquisitions regularly occur, risk doors are constantly opened where security is compromised. Those doors (vulnerabilities) often remain open and unchecked, leaving the business exposed to a breach.
Financial losses resulting from a security incident are devastating, especially to a new or small business owner that does not have the capital to withstand an attack. Cybercriminals are lured to cash moving through the market and seek large financial payouts. From intellectual property and temperature control systems to sensitive medical and health data and POS customer data, the data collected is highly prized. A breach could result in a significant financial impact, risk of losing a license, and irreparable reputational harm for a business owner.
Cyber Challenges Cannabis Currently Faces
Specific digital security obstacles that plague cannabis must be understood to mitigate cybersecurity risks effectively.
Sensitive Data
Cybercriminals target the information stored and shared among business owners and experts. For example, dispensaries are considered healthcare providers, bound by HIPAA (Health Insurance Portability and Accountability Act) and state healthcare data privacy and protection regulations. Medical records are the most valuable data and are sold on the dark web for top dollar. An exposure, or violation of healthcare laws, will bring significant penalties and reputational harm.
Privacy
Data collection and privacy protection are the top issues that business owners fail to prioritize or understand. Cannabis has suffered several data breaches in the recent past, from point-of-sale (POS) tracking data, as required by state laws, to other customer information, including financial transactions, personal data, and even video footage. Online adversaries prize this information, and a security incident will expose the business’s inadequate data protection. Loss of credibility and trust among stakeholders affects long-term growth.
Reputation
Reputation is one of the lesser-known issues that correlate with cybersecurity incidents. Reputation crosses all boundaries, even in a virtual world, and the market is competitive. Investors, employees, business partners, and customers will be less likely to partner with or purchase from businesses that irresponsibly handle data and ignore the privacy of their customers.
Financial
Given the high rate of failures post-breach, many savvy investors require businesses to peel back their curtains and demonstrate solid digital protection before funding. They want to understand how the data is protected and, most importantly, how their financial investment is secure and best positioned for growth. Dispensaries also operate under a cash-only model and utilize intermediary financial institutions to exchange currency due to a lack of federal recognition. Inadequate security on intermediary applications that process cryptocurrency can lead to a transmission breach and loss of funds.
Third Party Risks
Third-party stakeholders include vendors, suppliers, business partners, and employees, and they present significant risks to your digital infrastructure. If those members are not compliant with data protection, their actions (or inaction) will have consequences that impact business operations and revenue in the event of an incident. An emerging trend is for business partners to require their stakeholders to meet minimum IT risk management standards to do business together.
Within the next few years, rapidly changing regulations will impact the cannabis and cybersecurity industries. Both sectors are young, growing, and evolving rapidly, but many challenges prevail. There is a golden opportunity for the trade to embrace IT risk management to create an industry-wide cyber-aware culture.
What the Cannabis Sector Must Do Now
Adopting digital security and treating it as equal to physical security is critical. Businesses must confront the growing number of online threats head-on and develop a scalable cybersecurity risk management program that aligns with best practices.
Partnering with the right security advisor who understands the industry’s challenges and can effectively handle the volatile cannabis environment is critical in building a cyber-secure eco-space.
A robust protection program will enhance the overall security and preparedness of the enterprise and hedge against security incidents. A well-defined framework consists of risk analysis, security technology, awareness training, and comprehensive guidelines and policies that consider both cannabis regulations and data protection and privacy laws.
Knowledge is power, and it is an essential component in creating cyber-aware cultures within every company, from leadership to frontline employees. Humans are the cause of most incidents, but they are also the best defenders of an organization’s data.
Comprehensive security is a differentiating factor of every successful business. If cannabis business owners want to succeed and maximize their growth and investment opportunities, now is the time to be proactive and invest in cybersecurity before it is too late. The goal of every business is to achieve cyber resilience.
How can REP Help?
REP advises cannabis business owners and investors on cybersecurity and reputational risks. We provide concierge advisory by arranging access to best-in-class security technology, combined with white-glove client services, and develop comprehensive IT security programs that protect and defend clients against cyber and reputational threats. REP specializes in serving individuals and small and medium-sized businesses.
How Can Sapphire Risk Help?
Tony Gallo and the team at Sapphire Risk Advisory Group have over 30 years of security experience and expertise. Sapphire has written hundreds of cybersecurity plans for winning cannabis business security applications. Follow us on social media to stay up to date with Texas cannabis industry updates!
Author
Tom Kowalski is the Founder and CEO of REP, a global cybersecurity advisory firm specializing in managing cybersecurity and reputational risk. Tom provides peace of mind to his clients, protecting and defending against cybersecurity and reputation threats.
Tom possesses formidable crisis communications, cybersecurity, and risk management skills. He founded REP in January 2020 and advises clients on the impact of adverse cybersecurity events. Among his past executive roles, he has managed reputational risk for the U.S. Army, several non-profits, and many global B2B financial, energy, oil and gas, healthcare, cybersecurity, and high-tech companies, and consumer luxury brands.
Tom holds a certificate in Cybersecurity Strategy from Georgetown University and a bachelor of science in Marketing from Central Connecticut State University. He is actively involved in the New York and National chapters of ISACA (Information Systems Audit and Control Association) and the FAIR (Factor Analysis of Information Risk) Institute associations.