Throughout the United States, states that have legalized cannabis mandate an arsenal of alarms, surveillance cameras and security guards to protect against product diversion and armed robbery. Indeed, all of them are necessary to protect customers, dispensary staff and the general community. But as retail owners have started to realize, digitized data also holds a deep allure for a different sort of criminal.
Over the past decade, retailers such as The Home Depot, Target and Sears have fallen prey to cyberattacks that have exposed consumer information and cost a fortune in remediation. It is often said in cybersecurity that there are two types of businesses: those that have been hacked and those that will be. As the industry matures and more thoroughly embraces the internet, cloud-based software solutions and credit payments, exposure to these hacks will certainly increase.
Despite the trend toward digital data banks, few state regulations address data security for medical cannabis and almost none do for adult-use. This disregard takes place amidst a backdrop of near-constant data breaches from enterprise institutions and corporations such as Equifax, the Securities and Exchange Commission (SEC), Boeing, Sonic and the cities of Atlanta and Baltimore, just to name a few.
Cannabis businesses might think they are immune to such attacks due to their relatively modest stature. At least 1,000 retail dispensaries learned otherwise in January 2017 when a hack of cannabis compliance software company MJ Freeway’s main databases and backups momentarily paralyzed their businesses. In a 2016 poll, cybersecurity firm Symantec found that 43 percent of all cyberattacks targeted businesses with 250 employees or less. In 2015, an SEC hearing revealed that 50 percent of these small businesses went out of business within the first six months after being attacked.
The overall lack of urgency in the face of these threats, at least in comparison to other threats, is not encouraging. When theft takes the form of armed robbery, the industry marshals its lobbyists and pushes for legislation. When it’s a data breach, most people don’t know how to approach addressing the problem.
It doesn’t have to be this way. Cannabis retailers can take some important steps on their own to prevent the most obvious attacks from derailing their businesses. Believe it or not, if Equifax, Anthem and several other powerful corporations had followed these steps, millions of records might still be held secure. Let that serve as motivation.
Knowing How to Keep a Secret
Strategies for data security change depending on whether your business hosts its IT on-site or in the cloud. Many breaches, however, start with a phishing email—a fraudulent email containing either a malware attachment, often in the form of an “urgent” document, or links to compromised websites. For instance, recently the Washington State Liquor and Cannabis Board announced a phishing scam alert in the form of a fallacious “MJ Freeway Data Request”—the first, we are certain, of many to follow.
From there, businesses may find themselves infected by ransomware, such as the infamous WannaCry or NotPetya programs, that encrypts every hard drive on a business’s network and demands a ransom, usually payable in Bitcoin, for the decryption key (a key which, incidentally, doesn’t always work). But businesses can also fall prey to any assortment of worms, trojans or viruses that can cripple systems as it steals data, crashes servers or robs CPUs of resources to mine for Bitcoin.
Again, no one must “settle” for any of this, especially in a hyper-competitive environment where no business can afford to slow down for a second. Familiarizing oneself with (and implementing) the following countermeasures can help prevent the worst, while paying for themselves in the long run.
1. Two-Factor Authentication/Single Sign-On
Two-factor authentication, or 2FA as it’s occasionally referred to, requires another form of data, usually a texted code, aside from one’s password to sign in. Single sign-on (SSO) allows for one single set of user credentials to be used across all applications a user may have on the network. 2FA creates an added layer of security that prevents a hacked password alone from gaining access. SSO provides convenience for any IT department to revoke access for a former/disgruntled employee—often a prime vector for cyberattacks.
2. Centralized Policy Management
Not everybody at your business needs to have access to all your prized documents. By developing centralized policy management, you assign levels of access to specific network users, thereby limiting it for potential intruders.
3. End-To-End Encryption
Employees take big risks with your information when they transmit it across the internet or through insecure networks. Using end-to-end encryption (E2EE) alongside a virtual private network (VPN) ensures that the information will be shielded in transit and readable only by the intended recipient.
4. Network Segmentation
Any portion of your network containing sensitive data (patient history, credit card information, etc.) should be housed on a network completely segmented from online ordering web portals, mobile apps, a Guest WiFi, etc. A good firewall is critical to these efforts. This data should also be encrypted when it is stored in digital form and not in transit (being sent across the internet).
5. Whitelists of Approved Cloud Apps
The proliferation of “shadow IT”—third-party cloud services that have not been vetted by a company’s IT department—has multiplied the amount of potential entranceways into a company’s data. As some hapless users have regretfully discovered, not every app listed on Android as “WhatsApp” (a secure messaging and free calling app) actually is the official application. Moreover, even services like Dropbox can get hacked. Developing whitelists that include only approved cloud apps can help you gain control over this hazardous sprawl.
6. Mobile Device Management (MDM)
Your employees aren’t just accessing your network on-premises—they’re often bringing their work with them to coffee shops, airports and residences. If those devices are lost or stolen, it represents a possible breach. MDM software can be installed on every mobile device—be it a smartphone, tablet or laptop—that your employees use to access the internet, so it can be tracked and potentially wiped should the worst-case scenario come to pass.
It is often said in cybersecurity that there are two types of businesses: those that have been hacked and those that will be.
7. Disaster Recovery
If you’re not keeping frequent and comprehensive backups of your data, you most likely will never be able to rebound from a ransomware attack. The free program RansomFree can help get you started on this undertaking.
When implementing these technologies, dispensary owners should understand they are not just protecting their businesses, but building a solid foundation for future growth. Data security is just one component of a comprehensive IT infrastructure, and its overall health and ability to scale with you can either make or break your business. This will ultimately demand a managed approach to your IT that is fully integrated into your larger business model. For this, you will need either a Chief Technical Officer (CTO) who knows how to manage an IT department or a managed IT service provider who understands both your business objectives and how to design a tech backbone that corresponds with your ambitions.
However, when it comes to data security, no business can afford to wait until it starts going national. If you want to survive, you’ll need to expand your definition of security to include both your physical and digital assets, and to plan for resiliency.
Eric Schlissel is the CEO of GeekTek, a national, managed IT/cybersecurity firm headquartered in Los Angeles, Calif.