Cyberattacks are a huge concern for every industry. For cannabis businesses, this is particularly true due to the vast amounts of personal data and protected health information which they are required to collect and store. Beyond consumer data, cannabis companies likely also maintain trade secrets in their company databases.
This issue came to the forefront for cannabis businesses in 2019 when over 85,000 customers from multiple cannabis dispensaries were impacted by a data breach linked to THSuite, a point-of-sale software company.
With the immense growth and billions of dollars flooding into the fledgling industry, cannabis businesses are an attractive cybercrime target.
To understand whether your cannabis business is at risk of a cyber threat, you must first consider the typical cybercriminal. They are drawn to targets that offer higher payouts and are likely to have vulnerabilities to exploit. Factors that put cannabis businesses at higher risk include:
We’ve outlined some cybersecurity best practices for cannabis businesses to prevent cyberattacks and create systems to ensure data protection.
Keep your data locked down with permission-level access. What one employee needs is not necessarily what another needs. This also applies to third-party vendors or contractors. When employees are harvesting crops, or a cultivator is renting land from farmers and planting on it, proprietary information should only be accessible by those who need it, and an access log should be maintained.
A cultivator’s cannabis formulas are their main competitive advantage. Growers must consider the way they store the information behind the R&D of their cannabis crops. Is it maintained electronically? Accessible by a specific computer desktop? What credentials do people need to access it? While most businesses use third-party cloud services, many growers maintain their own servers because of this risk.
Distributors also need to participate in protecting cultivators’ R&D information. Many cannabis distributors have access to growers’ proprietary R&D information. This allows them to market the product and understand which products are best for buyers with specific needs. These distributors should ensure their employees can’t open their supplier to a potential cyberattack.
When employees scan driver’s licenses, even if the business keeps paper files, consider where they are stored. Whether data is stored securely off-site or on a protected network, maintaining compliance is critical. Be aware of record-keeping mandates for HIPAA, state laws, and other requirements for cannabis distribution.
It’s no secret that finding insurance of any type is difficult for cannabis businesses. Although this will remain the case as long as cannabis is illegal at the federal level, many cyber insurance options are becoming available to cannabis businesses, and at increasingly competitive rates. Cyber policy underwriters will undoubtedly conduct more due diligence with cannabis companies, going beyond the typical policy application. Expect reviews of the types of information that are collected from consumers, how the data is stored, and how it can be accessed.
As a cannabis business owner or manager, it’s important to understand the impact of a potential cyberattack on the business.
A study by the Ponemon Institute and IBM determined the average cost of a data breach exceeded $3 million. This amount includes all costs such as remediation, notifying customers, and following typical state mandates for resolving such an event. The outcome, according to the National Cybersecurity Alliance, is that 60% of small businesses go out of business within six months after a security breach.
Even if a cannabis business is able to handle the financial fallout, there is irreparable damage to the company’s reputation and brand, resulting in revenue losses for years.