The cannabis industry is not immune to cyberthreats. Many Canadian businesses lost millions after a distributor for the government-operated Ontario Cannabis Store was hit by a cyberattack that left the region incapable of processing or delivering orders to retailers. In another cyberattack, hackers stole $3.6 million an Australian medicinal-cannabis firm intended to send to an overseas contractor.
These are just two examples of how the industry has become a popular target for cyber-extortion in recent years due to the nature of the business. Dispensaries typically are all-cash operations that collect vast amounts of protected health data and personally identifiable information. In addition, most cannabis companies are small operations that employ fewer than 100 workers, and many don’t have advanced cyber-protection systems in place.
Sophisticated hackers could target workers via email-based phishing scams and steal protected health information to sell or client records to extort. They could even disarm a dispensary’s security system to rob a location.
Further increasing the industry’s vulnerability is a shift toward operational automation to lower costs and increase yields. The move toward automation has provided attackers more entry points to disable systems and cripple businesses digitally.
As a result, insurance carriers have been hesitant to write coverage for these types of threats, particularly in the currently difficult cyber-insurance market. To find sufficient coverage, companies need to have the right controls in place.
To prove to insurance carriers they’re worth the risk, cannabis companies must perform a comprehensive assessment of all cyber-related risk and pinpoint their vulnerabilities, then implement a cyber-defense strategy and show carriers how their organization has reduced potential exposures.
Establishing a strong cyber-defense program and following these eight defensive strategies can help companies ward off cyberattacks.
1. Train your employees
Regularly educate employees about the importance of cybersecurity. Employers should provide workers with periodic phishing training and follow up with additional refresher courses at least once a year.
2. Evaluate employee understanding
To ensure workers are retaining information learned during training, send fake phishing emails and record performance to ascertain whether the training was successful. If it wasn’t, implement additional training.
3. Employ protective tools
Among several other important technological safeguards, multi-factor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most insurance carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also a minimum requirement for obtaining insurance coverage.
4. Regularly update software and security protocols
Keep all of your organization’s software and systems up to date with the most recent patches and security updates.
5. Establish a corporate policy for passwords
Drive password management from the top down and mandate the use of complex passwords employees must change regularly. Send automated reminders to enforce the policy.
6. Use microsegmentation to protect against cyberattacks
This network-security approach divides a network into smaller segments, giving businesses more control over their security and protecting against cyberthreats like hackers, malware, and viruses.
7. Have a backup plan
Hedge your bets by establishing a solid backup plan that will allow your organization to restore operations in the event of a ransomware attack. Back up your data daily, if possible, and store the information off-site and off-network.
8. Devise an incident-response plan
Companies should work out a plan for dealing with a cyberattack before one occurs. The plan should include how to respond, a system to confirm what happened, and the resources to remedy the situation.
Brian J. Schnese is a senior risk consultant in HUB International’s risk services division and a member of the division’s organizational resilience consulting team. A former federal investigator, he has more than fifteen years of professional experience in regulatory compliance and managing risk in state and federal governmental agencies as well as private-industry operations. Previously, he served as a senior manager in the national investigations center of a Fortune 50 corporation.
