The cannabis industry is being normalized by consumers and businesses across the U.S., and that means a lot of things for dispensary owners who are navigating this complex marketplace. For one, the customer base is expanding to new users and patients; education is a pillar of the cannabis retail space now.
But that education is equally important within the business. Cannabis dispensaries must put policies and training programs in place to guard against digital security breaches.
Matthew Dunn, associate managing director in the Cyber Risk practice of Kroll, a risk consulting firm, wrote a whitepaper titled “Growing Cyber Threats Against Cannabis Retailers.” In his work, Dunn outlines the spectrum of digital breaches that could cause significant damage to a dispensary business—and how that business’s team can work together to create a culture that guards against such threats.
“It's a good opportunity for a new industry, really to not only think about the physical security of getting a business stood up, but to think about the cyber risks that are out there as well,” Dunn says. “Cyber risks are one of the biggest threats that we see for any type of business today, but especially for new businesses and a new industry—cyber criminals will try to attack any vulnerabilities that they see. [They know] that there's a fair amount of valuable data that cannabis dispensaries would have on their networks that could be monetized on the dark web.”
Read Dunn’s work on cyber security here.
Those cyber risks can take many forms: email “phishing” scams, ransomware attacks, interception of video surveillance (and “the internet of things,” as Dunn points out), cashless point-of-sale breaches, cannabis marketing data theft. These problems can affect any business, but the particular vulnerabilities of a new industry like cannabis (and one that does not have access to traditional banking services) mean that dispensary owners and employees must take proactive measures.
Even beyond the obvious financial concerns for your business’s customers, Dunn points out that there’s still a sort of stigma surrounding the cannabis industry. Customers and patients may not want it to be publicly known that they’re purchasing cannabis products; a breach of that privacy could, in some cases, do reputational damage to your customer base.
“Cyber criminals know that if they can get access to the names on those [dispensary customer] databases, it's ripe for extortion—to try to go ahead and say, well, ‘We'll out you, unless you provide us with payment,’” Dunn says. “It's similar to other type of extortion scams that we've seen in the past. When I was in the FBI, we used to see a lot of extortion-type crimes. And this is really no different. It's just criminals taking advantage of the situation.”
For businesses, there’s certainly the immediate cost of remedying a cyber security breach. And there’s the lost time spent managing the breach and managing the reputational fallout.
“We've seen in the past, with retailers that have been hit or even private companies that have been hit with data breach situations, that customers are going to be leery about going back and trusting those entities with maintaining their sensitive personal information,” Dunn says, “because they've proven that they cannot protect it. Especially today, the bad guys can take that type of information and utilize it to commit so many other different types of fraudulent activities.”
He points to three pillars of defense against cyber security breaches: people, policies and technology.
“The human element is the weak link in the cyber security chain,” Dunn says. “And the bad guys know that. They're going to target the individuals behind the keyboards. So, [while] understanding that your employees are your primary attack vector, they'll also be your first line of defense.”
It’s important to include any digital training in your business’s onboarding process. When getting new employees acclimated to a company culture, it’s an ideal opportunity to convey two-factor identification password policies, rules for personal devices, certain levels of security clearance within the business. In this way, employees are brought into a more tightly knit professional environment.
The same process extends to any third-party vendor networks. Employees dealing with finances and point-of-sale systems must understand the importance of encryption. Customers are providing sensitive data with each purchase; it’s the responsibility of the cannabis dispensary staff to ensure that such data is protected. A virtual private network (VPN) is a great idea for internal business management and external communications with, say, cashless payment processors.
“You have to understand that you are being targeted every single day,” Dunn says. “It doesn't matter what type of business you’re in [or] whether you're an individual or small-, medium- or large-sized company. Everyone is being targeted today, just because the information that has been stored electronically is worth so much money on the dark web to other criminals.”
Education, he reiterates, is the first step in a business’s defense against those crimes.