The cannabis industry has been booming recently, due in part to legalization that has lowered the barriers to market entry. The cannabis marketplace is projected to grow at a staggering rate, from $10.3 billion in 2018 to $39.4 billion by 2023. With more states legalizing marijuana, many businesses are turning to technology to manage the increase in customers.
As of November 2018, 10 states have legalized recreational cannabis and 33 have approved it for medical use. As legalization spreads, business owners are moving more of their operations online. But digitization isn't all good if you don't have a cybersecurity plan to protect the data you collect.
Brands that are able to infuse innovative technology into their network infrastructure can use it to analyze and predict valuable consumer trends that will enable them to make critical decisions in the future. Having a cybersecurity plan in place to supplement this type of innovative undertaking is what will help your cannabis business thrive. Let’s look into the specific areas of interest that you should be focusing on when cultivating your cybersecurity plan and which proactive measures you need to take to avoid being a victim of a cyber-attack.
The Current State of the Cannabis Industry
Until recently, the U.S. cannabis industry was a small, underground community. Now, the U.S. accounts for 90% of the global marijuana market due to multi-state legalization efforts.
With the economic impact of the cannabis industry on the U.S. expected to nearly quadruple by 2023 (per the projection cited above), companies are making more concerted efforts to protect their customers' data at the point of sale (POS). As the industry grows rapidly and regulation lags behind, business owners face high-stakes, Wild West conditions while taking in millions of dollars in revenue. Cannabis companies are continuously searching for robust POS solutions that will help them organize their products and keep customer data away from prying eyes.
This cybersecurity mindset wasn't always widespread in the cannabis industry. It wasn't until the 2017 attack on MJ Freeway, a widely used seed-to-sale and POS platform, that the industry took notice of the damage a breach can do to customer privacy and to day-to-day operations. That one event disrupted dispensaries across the country, forcing many to fall back on paper-based order processing for weeks.
Because the cannabis industry operates under heavy regulation and tracking requirements, and collects and stores a large amount of personally identifiable information (PII), it needs to consider the privacy and security of its systems and networks from the ground up. That is why these companies are looking to strengthen their security posture and build a more robust plan against the attackers who seek to compromise their networks. Before they can flesh out a cybersecurity plan, however, they need to understand and plan for the most common network threats to their environment.
The Most Common Network Threats for Cannabis Companies
Many businesses in the cannabis industry are beginning to offer customers the convenience of purchasing online or through a mobile app, backed by a POS system. After the transaction is completed, these businesses keep the consumer data on cloud-based software-as-a-service (SaaS) platforms so it can be retrieved for future purchases.
The POS system reports each purchase to the state's compliance tracking system through an API connection, either as each transaction completes or as an end-of-day batch upload of the day's sales. Either way, the business must keep the state's database current to remain compliant.
These automatic uploads are meant to track every plant, product, and person involved in the production and sale of marijuana. The process legitimizes the industry, but because the uploads contain PII, the systems that generate and store them are attractive targets, and the API credentials that authorize them need to be protected like any other secret. Cannabis companies therefore need to be on high alert for the following common threats to their network.
Phishing Scams
Fraudulent emails can create a hailstorm for cannabis businesses because of how quickly they pry open a network and its PII to ransomware or worse. By one widely cited estimate, 91% of cyber-attacks start with a phishing lure, most of them delivered by email. To avoid becoming a victim, don't open attachments or links from unknown or unexpected senders, never share credentials or personal information over email, and treat any message that pressures you to act immediately with suspicion.
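As an added example (not code from the original article), here is a small stdlib-only Python routine that scores an incoming message against the indicators a phishing lure usually carries: a sender domain that imitates the company's own, a Reply-To that points somewhere else, a failed SPF/DKIM check recorded by the company's own gateway, a macro-enabled or executable attachment, and pressure language. The company domain greenleaf-dispensary.example, the two sample messages, and the phrase and extension lists are constructed assumptions for the example.

```python
"""Triage an e-mail for common phishing indicators (standard library only)."""
import email
import email.utils
from email import policy

# Assumed company domain for the example; substitute your own.
COMPANY_DOMAIN = "greenleaf-dispensary.example"
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
PRESSURE_PHRASES = ("urgent", "immediately", "suspended", "verify your", "within 24 hours")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _name, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True if `domain` imitates `target` without being it or one of its subdomains."""
    if not domain or domain == target or domain.endswith("." + target):
        return False
    brand = target.split(".")[0]  # 'greenleaf-dispensary'
    return brand in domain or _edit_distance(domain.split(".")[0], brand) <= 2


def score_phishing(raw_message: str) -> dict:
    """Return {'score': n, 'reasons': [...]} for one RFC 5322 message; 0 means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    display_name, _ = email.utils.parseaddr(msg["From"] or "")

    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain!r} imitates {COMPANY_DOMAIN!r}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if "@" in display_name and _domain(display_name) != from_domain:
        reasons.append("display name shows a different address than the real sender")

    # Trust Authentication-Results only when our own inbound gateway wrote it;
    # a sender can forge this header, so the leading authserv-id must be ours.
    auth = (msg["Authentication-Results"] or "").lower()
    if auth.startswith("mx." + COMPANY_DOMAIN) and ("spf=fail" in auth or "dkim=fail" in auth):
        reasons.append("SPF or DKIM failed at our gateway")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name!r}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real mail): one lure and one ordinary internal message.
PHISHING_SAMPLE = """\
From: "Greenleaf Payroll" <payroll@greenleaf-dispensary.example.co>
Reply-To: payroll-update@mail-secure-login.example
To: budtender@greenleaf-dispensary.example
Subject: URGENT: verify your direct deposit immediately
Authentication-Results: mx.greenleaf-dispensary.example; spf=fail smtp.mailfrom=mail-secure-login.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your direct deposit is on hold. Open the attached form and verify your
account within 24 hours or payroll will be suspended.

--b1
Content-Type: application/octet-stream; name="DirectDeposit_Form.docm"
Content-Disposition: attachment; filename="DirectDeposit_Form.docm"
Content-Transfer-Encoding: base64

QUFB
--b1--
"""

LEGIT_SAMPLE = """\
From: "Jordan Lee" <jordan.lee@greenleaf-dispensary.example>
To: budtender@greenleaf-dispensary.example
Subject: Shift schedule for next week
Authentication-Results: mx.greenleaf-dispensary.example; spf=pass; dkim=pass
Content-Type: text/plain

Hi all, next week's schedule is posted in the staff portal.
"""
```

Run `score_phishing(PHISHING_SAMPLE)` and the lure scores 5 (lookalike sender, mismatched Reply-To, SPF failure, .docm attachment, pressure language) while the internal message scores 0. A score like this is a triage aid for a mail gateway or help desk, not a verdict; the point is that each indicator is cheap to check mechanically before a person ever opens the attachment.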
POS Force Authorization Scam
When a customer's card is declined, the merchant can perform a "force auth" (a forced or offline transaction) to complete the sale anyway. A legitimate forced transaction requires the merchant to call the card's issuing bank, through the voice authorization line of the merchant's own payment processor, and obtain an authorization code that overrides the decline.
In a POS force authorization scam, the customer whose card was declined offers to "call the bank" and hands the merchant an authorization code. The terminal does not validate that code: any combination of digits will override the decline. If the merchant keys in the fake code, the transaction appears to go through, but no real authorization ever existed, so the merchant assumes all the risk and cannot win the dispute once the issuer charges the transaction back.
For this reason, cannabis companies should never accept an authorization code from a customer. Staff should obtain the code themselves, by calling the voice authorization number provided by the company's own processor, and verify the code and card with the issuing bank before completing the sale. Better safe than sorry, right?
Overcoming Data Breach Scenarios
Thankfully, there are ways for budding cannabis cultivators to overcome these dastardly data breach scenarios and operate in a safe, efficient, and effective manner moving forward. These merchants just need to practice some of the basic cybersecurity best practices to ensure their cyber hygiene is in the best possible shape for the future.
More often than not, an attacker's way into your network is through your network and application passwords. If you reuse the same weak password for every application, it may be only a matter of time before a breach occurs. Creating strong, unique passwords for each account dramatically reduces an attacker's ability to obtain your sensitive information.
Passwords of at least 12 characters that mix letters, numbers, and symbols (*$%^!) put you in a much better position against brute-force attacks, and a password manager makes it practical to use a different one for every account. Rotating passwords every 6-12 months is a common policy, but current guidance (NIST SP 800-63B) favors changing a password promptly when it may have been compromised rather than on a fixed schedule, and enabling multi-factor authentication wherever an application offers it. In any case, strong password management should be part of onboarding every new employee so they understand what's at stake.
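As an added example, not from the article, the following Python implements the policy above (12 or more characters, mixed character classes) alongside two checks that matter more in practice, a deny-list of common or breached passwords and a keyboard-run check, and estimates how long a brute-force search of the password's keyspace would take. The deny-list, the keyboard runs and the guess rate of 10^10 per second are constructed assumptions.

```python
"""Password policy check plus a brute-force cost estimate."""
import string

MIN_LENGTH = 12
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
# Stand-in for a real breached-password list (in practice, a local copy of a leak corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "cannabis420"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
# Assumption for the estimate: one offline GPU rig against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def _classes_used(pw: str) -> list:
    """Character classes that appear in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in pw)]


def brute_force_years(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to exhaust the keyspace implied by the password's length and character classes."""
    charset = sum(len(cls) for cls in _classes_used(pw))
    return charset ** len(pw) / rate / (365 * 24 * 3600)


def check_password(pw: str) -> list:
    """Return policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(_classes_used(pw)) < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digits, symbols")
    lowered = pw.lower()
    # Strip the usual 'Password1!' decorations before the deny-list lookup.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("built on a common or breached password")
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or sequential run")
    if len(set(lowered)) <= max(2, len(pw) // 4):
        problems.append("too few distinct characters")
    return problems
```

The estimate shows why length matters more than symbol coverage: a 25-letter lowercase passphrase has a keyspace of 26^25, far beyond the 94^8 of an eight-character password drawn from every class. It also shows the limit of keyspace math: Qwerty123456 satisfies the length-and-classes rule and scores about ten thousand years of brute force at the assumed rate, yet fails the deny-list and keyboard-run checks because an attacker tries it in the first few guesses.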
Bring Your Own Device (BYOD)
Even though 74% of businesses currently have a BYOD policy in place, that doesn't mean it is the right choice for every cannabis business. BYOD offers greater flexibility, productivity, and convenience for employees at every level to do their work on the go, but it also places substantial responsibility on the end user. Employees placed in a BYOD environment without a full understanding of its inherent risks may leave the company open to a breach.
The best way for a BYOD-focused cannabis company to deter a breach is to require a passcode or password lock, with device encryption enabled, on every known device that has remote access to the network. Advise employees not to install untrusted apps, and to report a lost or stolen device immediately so its access can be revoked and any protected data on it wiped before it is compromised.
Why is Data Security Important for Cannabis Companies?
A data breach for a cannabis company can have significant financial and regulatory consequences. If a breach occurs and no proactive measures were in place to keep the data safe, the result will likely be a plethora of compliance fines on top of the company's direct losses from the theft.
If the cannabis business qualifies as a health care provider, a breach can have an even greater impact than it would for a retail dispensary. Businesses operating in states where marijuana is legal for medicinal use only, including testing labs, often hold customer information that is tied to medical records, and the penalties for exposing that data are correspondingly higher.
Whether HIPAA (the Health Insurance Portability and Accountability Act) actually applies depends on whether the business meets the definition of a covered entity or a business associate; many dispensaries do not, but state medical-privacy and breach-notification laws may still impose heavy penalties. This is why it's best to understand which rules apply to your particular cannabis company while maintaining a solid grounding in cybersecurity to avoid becoming a cyber attack victim.
Keep From Falling Prey to a Cyber-Attack
Cannabis companies hold a significant amount of resources, including a large store of customer data, at any given time. That alone makes them a target. To keep from falling prey to a devastating cyber attack without resorting to exceedingly inconvenient physical measures, your organization should follow these guidelines.
First on your list should be to determine which data, assets, and devices warrant the most protection. Once you have an inventory of these resources, develop a plan of action that identifies who is responsible for protecting each of them and how to reach those people at critical times.
Once this information is laid out, adopt off-site (and ideally offline or immutable) backups to protect against data loss, and test restoring from them; a backup that has never been restored is not a backup. Separately, deploy intrusion detection software so that an intrusion is noticed early, which limits how much valuable information is lost if one does occur.
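As an added example (not from the article), this Python builds a SHA-256 manifest of a backup set and verifies a restored copy against it, so that a copy that was truncated, tampered with, or only partially restored is caught in a test restore rather than during an incident. The directory layout and file contents are constructed inline for the example.

```python
"""Backup integrity: build a hash manifest at backup time, verify it at restore time."""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large database dumps don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest; three empty lists mean a clean restore."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest.keys() & current.keys() if manifest[k] != current[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Write a constructed backup set, snapshot it, damage the 'restored' copy, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "backup")
        (src / "pos").mkdir(parents=True)
        (src / "pos" / "sales-2018-11-30.csv").write_text("txn_id,amount\n1,42.50\n")
        (src / "pos" / "customers.db").write_bytes(b"\x00" * 4096)
        (src / "config.json").write_text('{"store": "Greenleaf"}\n')

        # The manifest must live apart from the backup (and be signed or otherwise
        # protected), or whoever can alter the backup can rewrite the manifest too.
        manifest_json = json.dumps(build_manifest(src), indent=2, sort_keys=True)

        # Simulate a restore from a copy that was truncated, is missing a file,
        # and picked up a stray file that was never part of the backup.
        (src / "pos" / "customers.db").write_bytes(b"\x00" * 4000)
        (src / "config.json").unlink()
        (src / "pos" / "debug.log").write_text("left behind\n")

        return verify_restore(src, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports config.json missing, pos/customers.db modified, and pos/debug.log unexpected. Store the manifest (or a signature over it) separately from the backup itself; if an attacker who can alter the backup can also rewrite the manifest, the check proves nothing.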
After the high-level infrastructure has been configured, educate your employees on how to recognize internal and external threats. The intent behind these training sessions is to prevent security breaches, but also to enable staff to react effectively to an attack at a moment's notice. Training should cover safe password management, encrypted communications, secure browsing practices, and proper system configuration, and should be repeated regularly rather than delivered once.
When Proactive Measures Aren’t Enough, Have a Backup Plan
In the end, all of the proactive measures you’ve planned for don’t always guarantee that you won’t become a victim to a cyber-attack. It’s for this reason that you should focus on mitigating damages and working with law enforcement after a breach occurs.
Following a breach, determine its nature: whether it was caused by the malicious intent of an outsider, the negligent act of someone inside the company, or something else entirely. Then outline the extent of the damage as transparently and honestly as possible. Preserve forensic evidence (logs, disk images, affected devices) before rebuilding systems, and document who handled it and when; that evidence is what law enforcement will rely on if the case goes to trial.
Finding the Right Cybersecurity Solution
Unfortunately for cannabis entrepreneurs, finding the right cybersecurity solution to protect themselves and their customers isn't easy. The security measures that come stock with POS software aren't sufficient on their own to protect against modern threats such as ransomware, spyware, and DDoS attacks. This is why it's best to seek out a provider that specializes in building data-protection plans geared to your specific needs.
The cybersecurity companies worth working with are those with substantial experience in industries that carry heavy compliance and regulatory obligations. Since cannabis companies predominantly run POS payment terminals linked to SaaS platforms, your cybersecurity partner should also be well versed in PCI DSS compliance and cloud security.
Lastly, make sure the cybersecurity company you choose has a dependable track record in HIPAA-regulated environments. Whether or not you are currently classed as a health care provider, it's best to have a solution on hand that can handle those requirements in case state or federal regulations change in the future.