Cyberattacks are a huge concern for every industry. For cannabis businesses, this is particularly true due to the vast amounts of personal data and protected health information which they are required to collect and store. Beyond consumer data, cannabis companies likely also maintain trade secrets in their company databases.
This issue came to the forefront for cannabis businesses in 2019 when over 85,000 customers from multiple cannabis dispensaries were impacted by a data breach linked to THSuite, a point-of-sale software company.
Why Cybercriminals Target Cannabis
With the immense growth and billions of dollars flooding into the fledgling industry, cannabis businesses are an attractive cybercrime target.
To understand whether your cannabis business is at risk of a cyber threat, first consider the typical cybercriminal. Their motivations direct them towards targets that offer higher payouts and are likely to have vulnerabilities to exploit. Factors that put cannabis businesses at higher risk include:
- The cannabis industry is relatively new. As such, there isn’t a playbook for most businesses to follow. This lack of information makes it far less likely that cannabis businesses will have protections to prevent attacks compared to established industries.
- Most cannabis businesses are startups. New businesses are ideal targets for cyberattacks due to a lack of awareness of potential threats. It can also take time before cybersecurity best practices are considered or in place.
- Privacy is paramount for cannabis patients. While many patients have found life-changing benefits of medicinal cannabis, there could be significant harm if their personal information were exposed. Patient data could be used for identity theft or blackmail, or cause other losses.
- Cannabis businesses are typically small. Most of these operations aren’t large enough to include an IT person or staff. This means it’s likely that best practices aren’t in place to be able to handle a cybersecurity attack.
Best Practices for Cannabis Business Cybersecurity
We’ve outlined some cybersecurity best practices for cannabis businesses to prevent cyberattacks and create systems to ensure data protection.
1. Create user-level permissions to limit who has access to your data.
Keep your data locked down with permission-level access. What one employee needs is not necessarily what another needs. This also applies to third-party vendors or contractors. When employees are harvesting crops, or a cultivator is renting land from farmers and planting on it, proprietary information should only be accessible by those who need it, and an access log should be maintained.
2. Ensure the R&D process is secure.
A cultivator’s cannabis formulas are their main competitive advantage. Growers must consider the way they store the information behind the R&D of their cannabis crops. Is it maintained electronically? Accessible by a specific computer desktop? What credentials do people need to access it? While most businesses use third-party cloud services, many growers maintain their own servers because of this risk.
Distributors also need to participate in protecting cultivators’ R&D information. Many cannabis distributors have access to growers’ proprietary R&D information. This allows them to market the product and understand which products are best for buyers with specific needs. These distributors should ensure their employees can’t open their supplier to a potential cyberattack.
3. Define where and how customer data is stored, and identify ways it can be potentially breached.
When employees scan driver’s licenses, consider where those records are stored, even if the business keeps paper files. Whether data is stored securely off-site or on a protected network, maintaining compliance is critical. Be aware of record-keeping mandates for HIPAA, state laws, and other requirements for cannabis distribution.
4. Consider cannabis cyber insurance coverage.
It’s no secret that finding insurance of any type is difficult for cannabis businesses. Although this reality will continue so long as cannabis remains illegal at the federal level, many cyber insurance options are becoming available to cannabis businesses, and at increasingly competitive rates. Cyber policy underwriters will undoubtedly conduct more due diligence with cannabis companies, going beyond the typical policy application. Expect reviews of the types of information that are collected from consumers, how the data is stored, and how it can be accessed.
Impact of Cyber Attacks for Cannabis Businesses
As a cannabis business owner or manager, it’s important to understand the impact of a potential cyberattack on the business.
A study by the Ponemon Institute and IBM determined the average cost of a data breach exceeded $3 million. This amount includes all costs such as remediation, notifying customers, and following typical state mandates for resolving such an event. The outcome, according to the National Cybersecurity Alliance, is that 60% of small businesses go out of business within six months after a security breach.
Even if a cannabis business is able to handle the financial fallout, there is irreparable damage to the company’s reputation and brand, resulting in revenue losses for years.