Recent numbers indicate that the global legal marijuana market is expected to reach $146.4 billion by the end of 2025. A survey by Grand View Research further added that medical marijuana will likely dominate the market a few years from now with a projected value of $66.3 billion.
This is mainly because of the growth of CBD and the legalization of hemp, both of which have received a favorable response from Americans. In 2018 alone, legal cannabis sales in the U.S. reached nearly $10 billion.
While cannabis is clearly on the verge of a revolution, the industry also needs to build security and privacy into its networks and systems from the ground up. The industry is a prime target for hackers because of the large amount of data it collects, including personal health information.
Just last year, attackers penetrated Washington State's cannabis traceability database and stole sensitive data, including product transfer information. Meanwhile, in Canada, hackers exposed the personal information of 4,500 Ontario Cannabis Store customers after finding a flaw in the Canada Post website.
As more cannabis businesses rely on state cannabis tracking systems, point-of-sale software, and accounting apps, they present themselves as attractive targets for cybercriminals. Experts predict that cybercrime damages will hit $6 trillion by 2021, which would make cybercrime more profitable than the global trade of all major illegal drugs combined.
This is why cannabis companies need a strong cybersecurity strategy built on two foundations: knowing what critical information the network holds, and knowing the threats the industry faces. A robust strategy gives a business insight into the network weaknesses that online criminals are waiting to exploit.
Data security strategies differ depending on whether the business hosts its IT systems in the cloud or on-site. Knowing the necessary countermeasures helps prevent the worst and avoids catastrophic financial losses in the long run.
Dispensaries in states that have legalized cannabis already deploy surveillance cameras, alarms, and security guards against armed robbery and product diversion. The following cybersecurity controls do the same job for sensitive personal health information.
- Centralized Policy Management: Not everyone at the company needs access to all business data. Centralized policy management lets a business assign each user only the level of access their role requires (least privilege), so a compromised account or an intruder who gains a foothold cannot reach everything on the network.
- Mobile Device Management: MDM is security software an IT department uses to manage, track, and secure employees' mobile devices. Employees increasingly carry work data to different locations, which raises the risk of a device being lost or stolen and the network being breached through it. MDM software lets IT see which mobile devices access business information, enforce screen locks and device encryption, and remotely wipe a device if the worst happens.
- Single Sign-On (SSO) and Two-Factor Authentication (2FA): SSO gives each user a single set of credentials for every application on the network, so accounts can be provisioned, monitored, and revoked in one place. 2FA adds a second factor, so a stolen or guessed password alone is not enough to gain access. Together they remove two of the most common attack vectors: forgotten, orphaned accounts and reused passwords.
- Segment the Network: Unnecessary network traffic puts consumers' health information at risk, especially when staff access data over a public connection. Segmentation divides the network into zones and uses a firewall or access control lists between them to filter, limit, and permit users to reach only the resources they need. Note that a firewall does not encrypt traffic; encryption in transit (below) is a separate control.
- Install End-To-End Encryption: Employees take large risks with health information when they transmit it across insecure networks or over the internet. Using end-to-end encryption, together with a VPN for remote access, ensures that data is protected while in transit and readable only by the intended recipient.
Aside from these controls, cannabis businesses can maintain an allowlist of approved cloud applications, which limits the paths an attacker could take into business information. The IT department should also put disaster recovery measures in place, including tested backups kept offline or otherwise out of reach of a compromised network, to limit the damage should a ransomware attack occur.
Another widely used and effective way of safeguarding sensitive payment information is to adopt the Payment Card Industry Data Security Standard (PCI-DSS), with help from services such as those offered by RSI Security. The goal of the standard is to ensure that merchants properly protect cardholder data by setting technical and operational requirements that follow industry practice.
Why PCI-DSS Can Help Cannabis Businesses
In general, PCI DSS applies to any business, cannabis businesses included, that accepts, processes, stores, or transmits cardholder data, and it defines the baseline for keeping that environment secure. It is managed by the PCI Security Standards Council (PCI SSC), which was founded by the payment card brands MasterCard, JCB, American Express, Visa, and Discover.
The card brands and their acquiring banks, not the Council itself, enforce the standard on every business that processes card transactions. Failure to comply can lead to hefty fines, commonly cited as ranging from $5,000 to $100,000 per month, which are levied through the acquiring bank.
Nevertheless, adhering to the PCI-DSS standard goes beyond avoiding penalties from the card companies. It shows that your business has taken the necessary steps to safeguard consumer data from fraud and cybercrime, which is imperative in building lasting, trusting relationships.
PCI-DSS does not guarantee security, but it sets a concrete baseline for a cannabis business through the requirements established by the PCI SSC. These cover commonly known best practices such as maintaining firewalls, using anti-virus software, and encrypting cardholder data wherever it crosses open, public networks.
Implementing these practices and maintaining a firewall configuration go a long way toward protecting cannabis customers' data. Third-party providers such as RSI Security typically work with the IT department to verify, among other things, that the business is not using vendor-supplied defaults for system passwords and other security parameters.
Encrypting cardholder data in transit across open, public networks falls under the standard's cardholder data protection requirements. The separate vulnerability management requirements cover the development and maintenance of secure systems and applications and the use and regular updating of anti-virus (anti-malware) software.
PCI DSS also requires strong access control measures: restricting access to cardholder data to those with a business need to know, assigning a unique ID to each user, and restricting physical access to cardholder data. The same discipline should be applied to consumers' personal health information.
Furthermore, the standard requires businesses to maintain an information security policy that covers employees and contractors. The PCI SSC also encourages small merchants to take the following steps for added security.
- Purchase and utilize only verified PIN entry devices at the point-of-sale.
- Buy and use approved payment software at the website shopping cart.
- Avoid storing sensitive cardholder data, and likewise personal health information, on paper or on computers.
- Use industry-grade firewalls on your personal computers and networks.
- Educate employees and staff about protecting and securing the personal health data of consumers.
- Ensure that any wireless router on the network is protected by a strong administrative password and uses encryption (WPA2 or later) rather than an open or WEP network.
- Examine PIN entry devices and computers regularly to ensure that no one has attached a skimming device or installed rogue software.
The Compliance Levels of PCI-DSS
PCI compliance is classified into four merchant levels defined by the card brands, based on the annual number of transactions a business processes (the Visa definitions are shown below; the other brands' thresholds are similar but not identical). The level determines how a business must validate its compliance; the security requirements themselves are the same at every level.
- Level 1: Businesses processing more than six million transactions per year across all channels. They must complete an annual on-site assessment conducted by a Qualified Security Assessor (QSA), resulting in a Report on Compliance, and quarterly network scans by an Approved Scanning Vendor (ASV).
- Level 2: Businesses processing one to six million transactions per year across all channels. They complete an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
- Level 3: Merchants processing 20,000 to one million e-commerce transactions per year. They complete the applicable SAQ annually and, like Level 2, quarterly ASV scans.
- Level 4: Merchants processing fewer than 20,000 e-commerce transactions per year, or up to one million transactions per year across all channels. As with Levels 2 and 3, an annual SAQ and quarterly ASV scans are expected, with the exact validation requirements set by the merchant's acquiring bank.
Throughout the years, PCI-DSS has gone through multiple iterations to keep up with the evolving online threat landscape. Although the basic rules for compliance have remained constant, the PCI SSC has added new requirements periodically to combat the modern techniques of online criminals.
Among the more significant additions was Requirement 6.6, which became mandatory in 2008. It requires that public-facing web applications be protected against common attack vectors such as remote file inclusion (RFI), SQL injection, and other forms of malicious input.
The requirement can be met in one of two ways: by reviewing the application (a manual or automated vulnerability assessment of the web application, including review of its source code) or by deploying a web application firewall (WAF).
The reviewer is expected to stay current with web application security trends so that new classes of attack are covered. The review may be done by qualified internal staff or by a third party, but the reviewer must be independent of the team that developed the application.
Alternatively, a cannabis business can protect against application-layer attacks by deploying a WAF between consumers and the application. The WAF inspects incoming HTTP traffic and blocks requests that match known attack patterns. A WAF reduces exposure but does not fix the underlying vulnerability, so it is best treated as a complement to code review rather than a replacement for it.
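As an added illustration of why Requirement 6.6 pairs code review with a WAF rather than relying on either alone, the following Python example (written for this article; it is not RSI Security's code or any product's) shows a dispensary-style login query built three ways: the injectable string-concatenation form, a parameterized form that a code review would insist on, and a deliberately naive WAF-style pattern filter. The user table and the `/**/`-comment bypass are constructed for the example; the point is that the pattern filter catches the textbook payload but not a trivially reshaped one, whereas the parameterized query is immune to both.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for a web app's database.
    Plain-text passwords are used only to keep the injection visible; a real
    system stores a salted password hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "correct horse battery staple", "admin"),
            ("budtender", "letmein", "staff"),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' form: attacker-controlled text is spliced into the SQL,
    so quotes and comment markers in the input change the query's meaning."""
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """The hardened form: a parameterized query. The driver sends the values
    separately from the SQL text, so they can never be parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# A deliberately naive, WAF-style signature: block inputs containing a SQL
# line comment or the classic "' OR" pattern. Real WAFs are far more thorough,
# but the same limitation applies: they match patterns, not semantics.
NAIVE_WAF_PATTERN = re.compile(r"(--|'\s+or\s+)", re.IGNORECASE)


def naive_waf_blocks(value):
    """Return True if the naive filter would reject this input."""
    return bool(NAIVE_WAF_PATTERN.search(value))


if __name__ == "__main__":
    conn = make_db()
    # Textbook payload: closes the string and comments out the password check.
    textbook = "admin' --"
    # Reshaped payload: no whitespace and no '--', so the naive filter misses it,
    # yet SQLite still parses /**/ as a comment and evaluates the OR.
    reshaped = "admin'/**/OR/**/'1'='1"
    for payload in (textbook, reshaped):
        print(f"payload={payload!r}")
        print("  naive WAF blocks it:", naive_waf_blocks(payload))
        print("  vulnerable login   :", login_vulnerable(conn, payload, "wrong"))
        print("  parameterized login:", login_safe(conn, payload, "wrong"))
```

Running the script shows the naive filter stopping the textbook payload while the reshaped one sails through and still logs in as `admin` through the vulnerable query; the parameterized query returns no row for either. That asymmetry is the practical argument behind Requirement 6.6: a WAF buys time, but only fixing the code (here, parameterization) removes the vulnerability.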
What Are The Benefits Of Adhering To PCI-DSS Standards?
Cannabis businesses might think their relatively small size makes them an unlikely target. Roughly 1,000 retail dispensaries learned otherwise in 2017, when a hack of MJ Freeway's main databases and backups temporarily halted their operations.
With business data accessed from many devices, anywhere and at any time, customers need to know that their data is protected. Merchants may see compliance as expensive and burdensome, but it brings a host of benefits, including a stronger brand reputation and better security.
Locking the office doors at night is no longer enough to keep a cannabis business safe. Compliance adds new locks that cover every channel through which data moves: compliance procedures, 2FA, access controls, and the other processes that keep business information safe wherever it lives.
Like it or not, consumers are less inclined to do business with an organization that has suffered a breach. A business that complies with PCI-DSS should significantly reduce its likelihood of a breach, and customers will see it as an organization with a strong commitment to protecting their data, which makes for a better relationship.
PCI compliance is not just a checklist; it is a proven way to withstand outside attacks. Verizon's payment security research has found that businesses compliant with PCI-DSS are 50% more likely to rebound successfully from a breach.
To Wrap It Up
Each cannabis merchant is responsible for its customer base. Sustain your business, manage each risk, and work your way towards being PCI compliant by talking to the experts at RSI Security today.