IT Security for Cannabis Businesses

The Hidden Threat: Why Cannabis Businesses Should Care About IT Security and What To Do About It

Most cannabis business owners understand the importance of physical security but fail to see how critical IT or data security is as well. In this article, we’ll explain why cannabis business owners should care about IT security and what they can do to protect their companies.

The IT Security Threats Cannabis Businesses Face

Hackers

You might not think that hackers target cannabis businesses, since cannabis businesses often have limited IT assets and many in the US don’t accept credit cards, but most attacks today are automated scans and mass phishing campaigns aimed at whoever is easiest to compromise, not at a chosen victim. A single-location cannabis business is as likely to be hit as a chain with dozens of locations: the attacker’s scanner doesn’t know or care who owns the IP address it finds an exposed login on.

If you follow the news at all, you’re probably already aware of how significant the cybercrime threat is to businesses in general. In a high-profile incident in May 2021, the DarkSide ransomware gang compromised Colonial Pipeline’s business IT systems, prompting the company to shut down a major fuel pipeline; Colonial paid a ransom of roughly $4.4 million. Around the same time, US Secretary of Homeland Security Alejandro Mayorkas, announcing a new federal effort to prevent ransomware attacks, said that between one-half and three-fourths of all ransomware attacks target small businesses, and that US businesses paid a total of $350 million in ransoms in 2020.

A separate survey found that 46% of small businesses have been victims of ransomware attacks, with most paying between $10,000-$50,000 to retrieve their data, and some paying over $100,000.

Employee Theft

Employee theft is a problem in the cannabis industry. You have a lot of low-paid, high-turnover workers handling an expensive, easy-to-move product with a still-thriving black market. And it’s not just the physical product you have to worry about. You also have to worry about your IT. Employees can potentially steal financial data and physical devices and take customer data and sell it on the dark web.

Employee theft costs US businesses an estimated $50 billion per year. A recent MJBizDaily article highlighted the fact that employee theft in cannabis businesses is becoming more subtle and often involves IT, including employees giving discounts to their friends on the sly. It mentions one interesting example: “[Gary Cohen, CEO of Cova Software,] points to one case in which an assistant manager at a client’s store was under pressure to improve her performance. To do so, she changed the permissions settings on the store’s POS system, enabling her to offer discounts and drive up sales.”

Regulators

Regulators aren’t out to steal your data, of course, but they can do things just as damaging to your business if they catch you not following the rules for seed-to-sale tracking, surveillance system management, etc. – including hitting you with fines, taking away your licenses, even imposing criminal charges.

Some examples of compliance enforcement actions related to IT, recordkeeping and surveillance systems at cannabis businesses include:

  • The most damaging compliance enforcement action against a legal cannabis company was against Denver-based Sweet Leaf. In 2017 the company had 400 employees and over 25 licenses. Then Denver police raided its stores and seized 7,000 pounds of cannabis, which was destroyed; the city revoked its licenses, and the company’s owners were later sentenced to a year in jail for “looping,” i.e. letting customers buy more than the legal daily limit through repeated transactions so that they could resell it on the black market. In this case the company appears to have engaged in illegal activity deliberately, but it’s not hard to imagine a POS system that doesn’t track and enforce per-customer purchase limits leading a cannabis company into looping unintentionally and being punished all the same.
  • CannTrust, one of Canada’s largest medical cannabis companies with over 67,000 customers, had its licenses suspended by Health Canada in 2019, primarily for growing cannabis in rooms that were not yet licensed. Its remediation plan reached well into its IT, recordkeeping and surveillance systems, including “updating security measures…implementation of controls, processes and systems to mitigate the risks related to the original suspension, improved recordkeeping as well as comprehensive training for all staff.”
  • Regulators will often release data on violators and their fines and punishments, but rarely disclose the reasons for the violations – perhaps because doing so would identify these businesses as poorly run and good targets for a burglary. In any case, one law firm was able to request and obtain detailed records of compliance violations in Colorado in 2015, and the results make for interesting reading. The most common violations were for recordkeeping, Metrc (the state’s seed-to-sale tracking system), camera coverage, and insecure recording devices. In one particular case, a business failed to maintain employee records, transport manifests, and diagrams; didn’t secure its surveillance equipment; and didn’t have proper camera coverage. As a result, all of the business’s licenses were revoked and its products destroyed, and the owner was prohibited from holding a cannabis license for 8 years and fined $50,000.

On top of cannabis laws, data privacy laws like the California Consumer Privacy Act (CCPA), and GDPR if you handle data on EU residents, increasingly require businesses to do more to protect their customers’ data. Medical cannabis businesses may also fall under HIPAA’s security rules if they qualify as covered entities or business associates (many dispensaries do not, but state medical programs often impose their own patient-confidentiality rules), and whatever the legal status of the data, patient records are exactly what an attacker will threaten to publish.

Why You Need Ongoing Security Management

Maintaining IT security isn’t a one-time project that you can set and forget. It’s something you have to constantly monitor and maintain, since threats keep evolving, hackers continually refine and adjust their techniques, and you keep changing your environment (adding new devices, users, software, etc.) in ways that can increase your exposure. Also, limiting the damage from a security breach depends on early detection and a rapid response that isolates the affected systems.

The Ransomware Example

Ransomware is a perfect example of the need for constant management. Ransomware itself is not new, but it only became a mass-market crime in the last several years, after the spread of cryptocurrency made it possible for hackers to collect ransoms from victims with little risk of being traced. With ransomware, hackers encrypt your files and then demand a ransom payment for the key to decrypt them. The average ransom payment in 2020 was over $100,000.

To prevent the initial ransomware infection you have to perform routine maintenance tasks, including keeping all software and antivirus definitions updated, monitoring your firewall for intrusion attempts or suspicious traffic, filtering phishing and spam email before it reaches your users, and requiring multi-factor authentication on any remote access (VPN, remote desktop, cloud POS logins). And to ensure you’re able to recover from ransomware, you have to continually perform and validate backups, which means periodically restoring from them, not just confirming the backup job ran.

What’s scary about ransomware gangs is that they’ve evolved their tactics: after the initial compromise they wait and move laterally through your systems before starting the encryption, in order to reach as many machines as possible and to find and encrypt or delete your backups at the same time. With constant monitoring, you have a chance of catching these lurkers before they act.

In addition, many ransomware gangs have also developed the practice of “double extortion,” in which they not only encrypt your data but also steal it and threaten to release it to the public, so just backing up your data is no longer enough. Some even practice “triple extortion,” in which they contact clients of a hacked company directly – for example, the cannabis patients of a medical dispensary – and demand payment from the clients not to release their data to the public.

Cannabis Compliance Requires a Long-Term Approach, Too

Another reason that ongoing management is important in the cannabis industry is the need to maintain compliance. Many states require you to maintain surveillance footage for at least a few months and important records (including financials and inventory) for several years. You should be routinely checking these assets to ensure they’re being retained, are secure, and protected from tampering and destruction.

Key Measures You Can Take to Protect Your IT Security

Install a hardware firewall and monitor it. Route your traffic through a business-grade firewall like those from Sophos and Fortinet. This will block a lot of malicious traffic from entering your network, keep vulnerable services in your environment from being reachable from the internet, and raise alerts when suspected intrusions occur. A firewall nobody looks at is only half a control: someone has to review those alerts.

Install and maintain antivirus software. Practice defense in depth. Install antivirus on your PCs and servers, so that even if malicious traffic or files get through to your devices, they’ll be neutralized and deleted before they can do any damage.

Segment your networks. Using VLANs on a business-grade switch and wireless access points, you can divide your network by security level to minimize the threat to your most sensitive assets. For example, put your POS system and back-office network on their own segment, keep your surveillance cameras and recorder on another, and isolate both from your guest WiFi, so that a compromised phone on the guest network cannot even reach the POS. This can also help to improve performance.

Use Mobile Device Management (MDM). Mobile device management software like Microsoft Endpoint Manager and Jamf let you manage lots of tablets and smartphones remotely. It’s a lot quicker than managing them one-by-one. MDM software lets you remotely update mobile devices’ software, back them up, wipe them if they get lost or stolen, and more. 

Back up your data. To protect yourself from ransomware and ensure you don’t lose important records, make sure to back up your data on a regular basis. If you can, keep at least one backup onsite and one in the cloud, and don’t rely on continuous replication alone: replication faithfully copies an accidental deletion or a ransomware-encrypted file to every copy. Keep versioned, point-in-time backups, ideally in storage that the production network cannot overwrite, and test restoring from them.
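Validating backups (mentioned under the ransomware example above) and checking that retained records are protected from tampering (the compliance point above) come down to the same check: can you prove that the backup you have today is the backup you took? The script below is an added example, not code from the original article or from Cure8 or Sapphire Risk. It builds a SHA-256 manifest of a backup set, signs the manifest with an HMAC key that is assumed to live somewhere the backup host cannot reach, and then reports which files went missing, were modified in place, or appeared unexpectedly. The sample files, their names and the key are constructed for the demo.

```python
# Added example (not from the original article): verifying that a backup set
# has not been silently encrypted, deleted or tampered with, using a SHA-256
# manifest plus an HMAC over the manifest. File names, contents and the key
# below are constructed for the demo.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC the canonical JSON form of the manifest.

    An attacker who can rewrite the backup share can also rewrite an unsigned
    manifest to match; the HMAC key must therefore be kept off the backup host
    (assumption: it lives in a secrets manager or on the monitoring box).
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(backup_root: Path, manifest: dict, signature: str, key: bytes) -> dict:
    """Compare the on-disk backup with the signed manifest.

    Returns a report with keys 'manifest_ok', 'missing', 'modified' and
    'unexpected'. If manifest_ok is False the manifest itself was altered and
    the other three lists cannot be trusted.
    """
    manifest_ok = hmac.compare_digest(sign_manifest(manifest, key), signature)
    current = build_manifest(backup_root)
    return {
        "manifest_ok": manifest_ok,
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware reaching the
    backup share (one file encrypted in place, one deleted, a ransom note dropped)."""
    key = b"demo-key-keep-the-real-one-off-the-backup-host"  # assumption, see sign_manifest
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "sales_2021-05.csv").write_text("ticket,sku,qty,price\n1001,FLWR-3.5,1,35.00\n")
        (root / "inventory.json").write_text('{"FLWR-3.5": 412}')
        (root / "metrc_manifest_0517.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)  # store both away from the backup itself

        # --- simulated compromise of the backup share ---
        (root / "inventory.json").write_bytes(b"\x00\xffENCRYPTED\x00")  # encrypted in place
        (root / "pos" / "sales_2021-05.csv").unlink()                     # deleted
        (root / "READ_ME_TO_DECRYPT.txt").write_text("pay 2 BTC")         # ransom note

        return verify_backup(root, manifest, signature, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against each backup copy, a non-empty "missing" or "modified" list is the early warning that something is already writing to your backups, which is exactly the lurking phase the ransomware section describes. The design choice that matters is where the manifest and key are stored: on the same share as the backup they add nothing, because whatever encrypted the files can rewrite them too.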

Monitor and manage your surveillance system. Many states require you to keep a close eye on your surveillance system – making sure it’s always recording, doesn’t have any obstructions, is properly lit, is storing footage for a certain period of time, etc., – and to report any problems that occur to authorities as soon as possible.

Next Steps: Ways to Approach IT Security

Doing Nothing

Doing nothing about IT security is the cheapest and easiest option, but we wouldn’t recommend it, despite the fact that many cannabis businesses take this approach. You’ll end up paying more in lost licenses, lost customers, disruption to your business, and damage to your reputation, and it will hurt your ability to attract investors or sell your business later on.

DIY

Trying to do it yourself, or having another employee do it as a side job, is another option, but IT security is a complicated subject that requires constant learning and vigilance, plus some expensive tools for remotely managing and monitoring your environment. You’ll end up taking a lot of time away from other areas of the business where your focus is needed.

Hiring In-House

Hiring an in-house IT person is an option as well. People who specialize in security can command salaries in excess of $100,000, but you can hire IT generalists (IT manager, sysadmins, etc.) for $40,000-$80,000/year, depending on experience and location, who can handle IT security for you. They’ll cost a lot and won’t be security experts, but no one will know your environment better or be more motivated to protect it.

Outsourcing

Managed services means outsourcing your IT management (including security) to an IT services provider like Cure8. With managed services you’re charged on a per-user or per-device basis, or some combination of the two. It’s usually cheaper than hiring someone in-house, especially for smaller businesses, and managed services companies often have their own in-house security experts and advanced toolsets. Plus, managed service providers don’t have off-hours or take vacations.

How Can Sapphire Risk Help?

Tony Gallo and the team at Sapphire Risk Advisory Group know that IT security for cannabis businesses is important. Sapphire has written hundreds of cybersecurity plans for winning cannabis business security applications. Follow us on social media to stay up to date with Texas cannabis industry updates!

Author

Eric Schlissel is the CEO/CTO of Cure8, one of the world’s leading cannabis IT services providers. His company helps dispensaries, distributors, manufacturers, and cultivators throughout the US and Canada to plan, install, secure, manage, and scale their IT.

He has been a featured panelist at many cannabis industry events, including those put on by the NCIA and CCIA. He’s also a respected IT thought leader outside of the cannabis industry, being quoted in publications such as Wired, the Los Angeles Times, InfoWorld, and Information Week. Outside of work, Eric can be found gardening with his two small children, trying to perfect the feat of growing a thriving basil plant and ripened tomatoes at the same time. He is currently developing in the fine art of bourbon tasting, enjoys travel, and is a foodie-wannabe.