Tag Archives: cyber

May 3, 2023

Facing Cybersecurity Risk? Here are 6 Ways to Minimize it.

By Brian J. Schnese

The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ less than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.

Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store and the industry’s shift toward operational automation to increase yields and lower labor costs and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.

Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was incapable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.

A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.

While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.

Six hallmarks of a strong cyber-defense program:

Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

What if a breach occurs?

Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients? When an organization has armed itself with a cyber insurance policy, they not only transfer much of their risk, but they often gain access to a carrier panel of specialized response providers that include breach coaches, forensic investigations firms and privacy attorneys.

In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.

January 11, 2022

Top Five Insurances Cannabis Businesses Need in 2022

By Eric Rahn

No Comments

Cannabis remains one of the fastest growing industries with no signs of slowing down. According to a recent article in Forbes Magazine, the legal cannabis market is poised to grow 20-30% per year to the tune of $50 billion by 2026.[1]With great opportunity comes numerous risks. Claims and lawsuits against cannabis businesses are increasing in frequency and magnitude. As an insurance broker who specializes in the cannabis industry and works with a wide variety of cannabis, hemp and CBD businesses in every state where cannabis laws are established, our recent analysis has unveiled the top five insurances your cannabis business needs in 2022.

General Liability

General liability is the most essential coverage your business needs to protect you from a variety of claims including personal injury, bodily harm, property damage and other situations that may arise including slander, libel, copyright infringement and more.

Since general liability is not always required to obtain a cannabis license, many businesses are tempted to forgo the expense. This is one of the biggest mistakes you can make as one single lawsuit has the potential to cripple your business. With a comprehensive, cannabis-specific general liability insurance policy in place, your insurance company, not you, will pay medical expenses and property damage claims from third parties, in addition to hefty legal fees and fines.

Property & Casualty Insurance

If you own a dispensary, grow operation, warehouse, testing facility or any other type of cannabis business with inventory, you need to protect your assets from potential loss or damage. Property & casualty (P&C) insurance safeguards your business against common and costly perils such as a fire, lightning, explosion/implosion, and even less common – but still possible – risks like riots, strikes and terrorism.

P&C insurance not only pays for damages to your business property resulting from a covered loss but it also covers the contents within your place of business, including office furniture, computers, inventory and other assets essential to your business operations. There are policies that will also provide the funds required to keep your business afloat until the damages from the loss are repaired. Any cannabis business with a physical property and location(s) should have a comprehensive property and casualty P&C policy in place.

Product Liability/Product Recall

Recently, we’ve seen a dramatic influx of product liability claims, and in particular, product recalls. Lawsuits have ranged from a single plaintiff seeking damages for personal injuries to class action lawsuits where a defective product is tied to an entire group of claimants.

control the room environment — Preventing contamination can save a business from extremely costly recalls. Having the right insurance can prevent a recall from becoming costly in the first place.

As a cannabis business owner, you can be sued for any damage resulting from products that cause harm to others, this includes false advertising, mislabeled or defective products. No matter where you are in the supply chain, your business could be held liable. The process of defending litigation or reaching a settlement agreement can completely drain a company’s resources. You’ll have to deal with regulatory compliance, producing and distributing product warnings, recalling products, claim investigation, product testing and additional risk assessment.

Product liability insurance is often overlooked, especially by small to mid-size businesses. However, your cannabis business needs this type of coverage if you sell any goods or products that end up in the hands of the public. In fact, your business may be contractually obligated to have product liability insurance. One such lawsuit is enough to fold a business due to costly legal fees and fines, as well reputation damage beyond repair.

Product liability insurance is designed to protect your cannabis company from claims that can happen anywhere along the supply chain, including product contamination, mislabeled products, false advertising or defective products. With proper coverage, your insurance company will pay for damages and legal expenses if you are sued, up to your policy limits. Your product liability policy will also cover any medical expenses for those who are harmed by your business. Making sure your insurance policy includes product liability insurance should be a top priority in 2022.

Cyber Defense/Data Breach Insurance

Cyber fraud and data breaches are two of the greatest risks facing cannabis companies in 2022. With so much cash pouring into the space, cannabis businesses of all sizes are bulls-eye targets for cybercriminals. Even the smallest of cannabis businesses are at risk of data breaches because they are part of a larger interconnected network of seed to sale vendors. These types of crimes can have detrimental effects on your business in numerous ways. In the case of a data breach resulting in the disclosure of a third party’s private information, the third party could sue your business. The SEC could also find your company negligent in cyber fraud cases and impose significant fines.

By forgoing cyber defense & data breach insurance, your business will be solely responsible for expensive legal bills, significant revenue losses and hefty fines and penalties from regulators. Cyber defense & data breach insurance is a must-have coverage in 2022, and beyond, to protect your business from cybercrimes.

Directors & Officers Insurance

If you are looking to secure venture capital or funding from investors in 2022, and/or attract and retain qualified leadership, you need directors & officers (D&O) Insurance. D&O protects corporate directors and officers, as well as their spouses and estates, from being personally liable in the event your company is sued by investors, employees, vendors, competitors, customers, or other parties, for actual or alleged wrongful acts in managing the company. In the event of litigation, your D&O insurance will cover legal fees, fines, settlements and other expensive costs.

D&O is often the most overlooked coverage because many cannabis businesses are independently run, and no one foresees the potential for operational failures and mismanagement. However, businesses with any sort of vision for growth should make D&O a top priority. It not only protects your current executives and board members but is critical in attracting leading talent in the space, as well as drawing in new investors to scale up your business. In fact, we’re seeing more prospective investors and board members requiring D&O insurance prior to engaging with a company to ensure they are fully protected in the event of litigation.

When it comes to mitigating risk in this business, the stakes are sky high. Cannabis companies that have not incorporated risk management into their business/operational plans will need to in 2022. It all boils down to the THREE P’s: being “Proactive, Prepared and Protected.”

December 27, 2021

2022 Cannabis Industry Outlook: Your Business’ Future Depends on its Risk Management

No Comments

Cannabis risks have always outpaced the availability of insurance, in large part because of its status as a federally illegal substance and the dangers in extraction and production. But it now shares many of the same risks as other industries — catastrophic crop damage, cyber risk and a shortage of skilled workers.

With legalization becoming more common, the industry is positioned for enormous growth despite these challenges. However, enterprises that will benefit the most are those best positioned to manage risk.

Here are four obstacles to growth in the industry in 2022 and how enterprises can combat them:

Cybercrime will be the top manufacturing risk

Both cybercrime and cannabis have experienced major booms since the start of the COVID-19 pandemic. Cannabis companies watched as healthcare and pharmaceutical organizations were hit hard by cybercriminals in 2020, and now the threat could be headed their way.

For cannabis retailers, the vulnerability lies in their dependence on point-of-sale tech, while the threat for cultivators exists within their strong use of intelligent automation to manage the grow environment. Across the industry, the lack of sophisticated IT security systems is like a beacon for bad actors.

Nearly 60% of cannabis businesses say they haven’t taken the necessary steps to prevent cyberattack, but the winds are changing. Due to these concerns and the growing attention on cybercrime in the industry, cyber coverage is expected to rise 30% or more in 2022, which puts the onus on risk management practices that will help prevent cyberattacks and ensure coverage from insurers concerned about risk.

Barriers to business growth may result in more M&A

As of summer 2021, 18 U.S. states have legalized adult use and 37 states have legalized medical cannabis.

While this is opening opportunities for many cannabis businesses, the U.S. remains a complicated market. Federal regulations continue to hinder even more cannabis industry growth by restricting lending to the industry from traditional banking and financial institutions. While it’s not illegal to do service with the cannabis industry, many institutions stay away due to its high risk.

Smaller cannabis companies are impacted most heavily by this barrier and await passage of the Secure and Fair Enforcement (SAFE) Banking and Clarifying Law Around Insurance of Marijuana (CLAIM) Acts to allow easier access to capital. Together, these two acts of legislation will provide guidelines on how to work lawfully with legal cannabis businesses and prohibit penalizing or discouraging institutions from working with them.

In the meantime, M&A activity is expected to increase in 2022 as large cannabis businesses have the means to access capital and acquire these small companies. This includes Canadian cannabis companies, unburdened by federal restrictions, who are expected to increase their cross-border mergers and acquisitions.

Severe weather isn’t easing up

Extreme natural catastrophes are no longer rare, and they have only added greater uncertainty to the industry which has always had difficulties securing crop insurance.

NASA’s Aqua satellite took this picture of the smoke over California in 2017
Photo: NASA

For example, policies that transfer wind and hurricane damage risk in Florida or wildfire and smoke taint in California are virtually non-existent for cannabis — and for outdoor growers, a single weather event can wipe out an entire crop with no recourse.

One possible solution for cannabis companies that cannot secure traditional crop insurance is parametric insurance, which pays out in full when a weather element reaches a threshold, regardless of the actual damage.

Growers with indoor operations, or those considering moving that way, must cope with energy conservation initiatives. Measures like the one in California that would require indoor growers to use LED lighting by 2023 could cost the industry millions and present a direct threat to small operations’ viability. This makes it important for cannabis producers to institute conservation measures and undertake risk mitigation measures like improved safety measures at indoor growth facilities ahead of 2022 renewals.

As a continually emerging market, cannabis risks are great. Adding to these pressures is the growing impacts of climate change and cybercrime raising the bar even further. Growth for the cannabis industry in 2022 will depend upon strong risk management solutions and the ability for cannabis companies to implement them.

October 20, 2021

Keep ‘em Safe: Cash, Records, Products, People – Technology Helps Cannabis Businesses Succeed

By Dede Perkins

No Comments

It wasn’t that long ago that cannabis was underground, sometimes literally, and operators protected what was theirs any way they knew how. Before legalization, cannabis operators needed to secure their plants, cash, supplies and equipment not just from people who wanted to steal them, but also from law enforcement. The legacy cannabis market is now transitioning into a legal one, and licensed operators are joining the industry at an incredible rate, but security is still part of the success equation. Like before, operators need to protect plants, products, equipment and cash, but they now also need to protect records, privacy and data, and do so in a manner that complies with state regulations.

Cannabis regulatory authorities set security guidelines that cannabis business owners must follow in order to obtain and renew operational licenses. For instance, there are state-specific security regulations regarding video surveillance, camera placement, safes, ID verification, and more. While security measures help protect the business, they also protect the public. It’s a win-win for everyone involved. Here are five best practices and techniques to protect cash, records, products and people.

Hybrid cloud storage

State regulations call for reliable video surveillance footage that is accessible, in most cases, 24/7 and upon demand by cannabis regulatory authorities and local law enforcement acting within the limits of their jurisdiction. SecurityInfoWatch.com reports that video data is the industry’s next big investment, meaning there will be an increased demand and need to store video surveillance footage. Most states require video surveillance footage to be retained for a specific amount of time, often 45-90 days or longer if there is an ongoing investigation or case that requires the footage. While some businesses only retain video data for the state-required length of time, others choose to keep it longer.

Storing data on-site can become expensive and precarious. Best practices call for a hybrid cloud storage solution model as it provides on-site and both public and private cloud data storage solutions. This model provides users with the ability to choose which files are stored on-site and which files live in the cloud. Doing so improves file accessibility without impacting or compromising on-premises storage. In addition, it’s helpful to have two methods of digitizing data, for safety’s sake. In the event an on-site storage method crashes—though hopefully this won’t ever happen—there’s a version available off-site via the cloud. That said, with cloud-based storage solutions come cybersecurity threats that must be managed.

Cybersecurity

Due to the ongoing COVID-19 pandemic, more businesses are online than ever before. Unsurprisingly, cyberthreats are on an upward trend, including in the cannabis industry. Earlier this year, MJBizDaily reported that a data breach exposed personal information of current and former employees of Aurora Cannabis. The incident involved “unauthorized parties [accessing] data in (Microsoft cloud software) SharePoint and OneDrive”. Although this breach involved only employees, confidential customer information is also at risk of being compromised during a data breach.

On a separate occasion, an unsecured Amazon S3 data storage bucket caused a large-scale database breach that impacted almost 30,000 people across the industry, according to the National Cannabis Industry Association. The breach included scanned versions of government-issued ID cards, purchase dates, customer history and purchase quantities. Unlike the Aurora Cannabis breach, this one included customer data.

Just like other more established industries, the cannabis industry needs to protect and secure confidential data. If you don’t have a cybersecurity expert on your team, consider hiring a consultant to evaluate your risk or partnering with a credible cybersecurity technology company to implement proactive solutions. Before signing a contract, do your due diligence. Does the consultant and/or technology company understand the compliance regulations specific to the cannabis industry? Do their solutions meet the regulations in the state(s) where your facility operates? Taking the time to protect your company’s data before a breach occurs is proactive, smart business.

Smart Safes

A smart safe like this one can helps secure cash handling

Smart safes help secure cash handling, which given the difficult banking environment for cannabis companies, means they’re on the list of best practice security technology products. What is a smart safe? A smart safe is a device that securely accepts, validates, records and stores cash and connects to the other cash management technology solutions such as point of sale systems. They connect to the internet and provide off-site stakeholders visibility into a facility’s cash position.

A high-speed smart safe counts cash by hand faster than a human and is an overall more secure way to deliver cash bank deposits. At the end of the night, making a deposit at a physical bank location can be dangerous, exposing your cash and the individuals responsible for making the deposit to unsecured threats. Using a smart safe reduces that threat and also helps cannabis operators comply with financial recordkeeping and documentation requirements. Due to federal cannabis prohibition, many cannabis businesses lack enough insurance to fully cover their exposure to cash theft, which has led to a trending industry-wide investment in smart safes.

Advanced access control

Best practice access control means more than a ring of keys hanging off the facility manager’s belt. Advanced access control gives cannabis business owners and managers the ability to manage employee access remotely via the cloud. This feature can limit access areas within a facility, enabling an individual to revoke access instantly from a remote location making it a useful tool in the event of a facility lockdown or emergency. A mobile app and/or website can be used to lock or unlock secure doors, monitor access in real time and export access logs.

Advanced access control devices aren’t a standard in the industry yet. Although many state regulators don’t require cannabis businesses to utilize advanced electronic access control, using this technology is a best practice and may be required in the future.

Compliance software

Understanding the ramifications and keeping up with state-mandated compliance is challenging. While state regulations can be found online, they’re often in pieces, leaving operators unsure about whether or not they have them all. Once an operator is confident that they have the most current version of all the laws, rules, and regulations that apply to their cannabis business, making way through the dense legal jargon can be exhausting. Even after multiple readings, it can be unclear about how to apply these guidelines to the operator’s cannabis business, which is one reason cannabis businesses work with a trusted legal counsel to meet compliance requirements. For trusted advisors and cannabis business licensees and operators alike, cannabis compliance software solutions are designed to not just check boxes for a cannabis business, but to help everyone involved understand how the regulations apply to the operation. These solutions improve accessibility so that employees at all organizational levels understand the rules and requirements of their position and the products they work with.

In addition, compliance software can help licensees and operators establish and implement best practice SOPs to meet regulatory requirements. Because the cannabis industry is young and many operators are moving fast, many cannabis businesses are vulnerable to security breaches and threats. Prioritizing security and compliance can help cannabis leaders protect against potential threats. Investing in the latest and most innovative security technology solutions—beyond what is required by state regulations—can help operators outsmart those who seek to steal from them and position their companies as industry leaders that prioritize safety and compliance, protecting not just cash and products, but the people who work in their facilities and the customers who purchase their products.

July 21, 2021

ASTM Introduces Retail Cybersecurity Standard

By Cannabis Industry Journal Staff

No Comments

ASTM International, the international standards development organization, has proposed a cannabis standard for establishing retail cybersecurity protocols. Their D37 cannabis committee is currently working on the development of the standard.

The standard is designed to establish best practices for protecting critical databases in dispensaries, like inventory data, customer and patient information. The guide, developed by subcommittee D37.05, addresses “the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers,” reads the scope of the project.

Technical Lead for the subcommittee and president of ezGreen Compliance, Michael Coner, says they hope to provide SOPs for retail operations to protect business data while staying compliant. “Cybersecurity is among the most prevailing issues concerning the cannabis industry as well as the global cannabis economy,” says Coner. “Establishing strong cybersecurity protocols for dispensary retail owners will help ensure the protection of data to maintain the integrity of cannabis consumers’ personal information.”

The ASTM committee is currently inviting stakeholders such as retailers and regulators to help with things like “identifying new data security issues that arise while operating active retail dispensary businesses.”

May 3, 2021

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor

No Comments

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies and assess the risks and identify methods that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part to any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.

Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored.

Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically deals with a threat of leaking personal information and will generally demand payment in cryptocurrency in order to maintain their anonymity.

Lumu: 2020 Ransomware Flashcard

Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecure Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.

Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which are much more valuable on the dark web than personally identifiable information (PII). But even adult use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source application Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25^th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

Door Dash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.

Taking Action

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization- including leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5^th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org

October 21, 2019

Soapbox

Cannabis Growers and Distributors: Your Cyber Risk is Growing Like Weeds

By Emily Selck

No Comments

Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.

Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.

Distributor Risk = A Customer’s PII

Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:

Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.

Grower Risk = Crop Trade Secrets

For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:

Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.

Cyber coverage is now ripe for picking

Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.

Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.

March 26, 2019

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner

No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

Phishing: Phishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

Tips: Do not download attachments from unknown senders!
Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password Management: Password complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-Fi: Being able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

Tips: Password protect devices that will be used for work (and, any device in general).
Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

May 3, 2018

Soapbox

CannaGrow Expo Heads to Palm Springs

By Aaron G. Biros

No Comments

We’ve covered the CannaGrow Expo previously, but this time around we catch up with Joseph De Palma, founder of CannaGrow, to talk about the genesis of his conference and what makes the event so special. This year’s CannaGrow Expo heads to Palm Springs, California, a new location for the event, on May 19^thand 20^th.

We’ve watched De Palma’s conference grow over the years, moving around the country and becoming the tight-knit community we know it as today. The meat and potatoes of the show are definitely the educational sessions, panel discussions, roundtables and the expo hall. But covering it year after year we’ve noticed a real sense of community develop, one where genuine idea sharing, collaboration and inclusivity are preached. There are no dumb questions at the CannaGrow Expo.

Tom Lauerman speaks to a room full of attendees at CannaGrow San Diego

According to Joseph De Palma, CannaGrow started in 2014, when the original event was held in Denver. “From the beginning, we wanted to create an event specifically for growers, where the focus was always on education and ‘becoming a better grower’,” says De Palma. “We had experienced the existing events in the marketplace, and almost all fit into two categories at the time, festival, or generic tradeshow. Those were fine for their purpose, but they didn’t foster an environment of education, and that’s what we believed was most important to the emerging cannabis industry.” Back in 2014, their show only had 10 sessions and 30 exhibitors. “Passionate growers from around the country had 2 days of grow-focused sharing and learning, and you could see the energy and excitement,” De Palma says. “Discussions would dive deep, people made new friends, and it really elevated the conversation around cultivation.”

Attendees gather at a lighting exhibit at CannaGrow San Diego

Since the show’s debut, it’s grown substantially. The 7^th CannaGrow Expo is fast approaching, and this upcoming conference has four separate tracks and roughly 100 exhibitors. But it still keeps its sense of community, one where you don’t feel crowded, where everyone has time to chat and network, without the overwhelming feeling that can come with larger trade shows. “That inclusivity and open dialog is built in,” says De Palma. “If you go to an event that’s tradeshow dominant, most people are there to walk, shop, and leave. At CannaGrow, growers and extractors come together with a plan for the weekend, remaining in a constant state of engagement with others at the show.”

This year’s show has some exciting additions to look out for. The agenda covers a wide range of topics, including everything from an introduction to growing with living soil to a discussion of cyber security. The Extraction Summit, new to this year’s event and held on Day 2, is their response to the massive rise in popularity and demand of extracts.

Eric Schlissel, cybersecurity specialist, president and chief executive officer of GeekTek, is giving a talk focused on IT infrastructure. “My presentation will center around the actions cannabis businesses need to take right now to repel cybercrime and potential federal seizure,” says Schlissel. “As cannabis operators build their businesses and develop their security strategies, they often focus exclusively on the physical portion of their business – the merchandise and the cash in particular – and overlook the importance of designing and fortifying a secure IT infrastructure. I will discuss the importance of a holistic security strategy that embraces both and how you can both create one and prepare it for expansion into other states or even globally from the very start.” Schlissel’s discussion is one example of just how all-encompassing CannaGrow intends to be.

De Palma and his team leave few stones unturned as the show truly delivers vital information for cannabis cultivators in every area. Some things we are looking forward to? Seeing old friends and learning everything under the sun about cannabis science, growing and extraction. “People get to know each other, and with everyone sharing a core passion for cultivation and extraction, lifelong friendships are made,” says De Palma.

To check out the agenda, speakers and exhibitors, click here.

March 22, 2018

Soapbox

Paradox Or Paragon? A Non-Techie Look At Blockchain and Cannabis: Part III

By Marguerite Arnold

1 Comment

Disclaimer: Marguerite Arnold has just raised the first funds for her blockchain-based company, MedPayRx in Germany (and via traditional investment funding, not an ICO). She will also be speaking about the impact of blockchain on the cannabis industry in Berlin in April at the International Cannabis Business Conference.

Part I of this series was an overview discussion of blockchain, cryptocurrencies and cannabis and Part II dove into some of the pitfalls of ICOs in the cannabis space. This is the third and final piece of this series.

Beyond raising money or tying a tradable altcoin to cannaproduct, there are many places where blockchain technology can (and will) be used to great effect in the cannabis industry.

In fact, ICOs and cryptocurrency are only part of the blockchain discussion for the cannabis industry. In general, the technology will disrupt the vertical just like it is upending other businesses right now. However, for the moment at least, it will prove most useful in the most complicated and challenging technical and regulatory areas – supply chain product tracking being the lowest hanging fruit (which is still fairly high off the ground for a number of reasons). If evaluating blockchain tech is too onerous (which it usually is for the average investor or even senior cannabis exec), there are other options. Look for innovative mobile DApps (distributed apps that use blockchain for a specific purpose) and smart business cases.

The fascinating reality is that where there are service models that can be adapted to regulatory guidelines, blockchain promises, in fact, to remove the red tape and paperwork holding the industry back internationally. The impact on research and testing will also be huge.The rules are certainly changing with regards to public companies and cannabis.

The technology, or even the regulations, in other words, is not necessarily all to blame for the many issues budding blockchain entrepreneurs currently face. This space-age techie stuff, no matter how mind-blowing, is still “just” a tool. As the late Peter Drucker famously said, the raison d’etre of every successful business is one that solves a critical need for their customer. Find one for the industry that happens to use the technology, and you might just retire early. But there is a lot of road between that reality and now. And there probably will not be an ICO on that path. Not in most jurisdictions, and certainly not without complications in every one of them.

With an internationally stock-listed Canadian cannabis business now developing, the rules are certainly changing with regards to public companies and cannabis. For all the press that Cronos recently received for getting listed on the NASDAQ, AbCann got (relatively quietly) listed in Frankfurt last summer. Canopy and Aurora have also just become two of the hottest stocks in Sweden.

That said, these are public companies with regular stock issuances. What that means for ICO issuances related to the cannabis industry in Canada specifically is anyone’s guess at the moment. In Germany presently, this is mine-strewn territory. But even here, that will be driven as much if not more by banking law than canna-reform, just like everywhere else.

Not to mention this of course: Given the choice of investing in a public cannabis company already in business with its stock conveniently listed and purchasable via a regular exchange, what would most people choose? It’s just a whole lot easier than taking a flier on a cannabis-themed ICO offering for a concept that may be a great idea, but will never materialize. Or find a bank. Even in Europe or Canada.

The End Game Is Rosy Even If The Path Is Unclear

Despite all the caveats, the impact on the cannabis industry of this technology will be large – far beyond finance in other words – and in ways that are not necessarily all understood even now. The potential impacts on research, compliance and even further reform, however, are already clear. And for the most part, potentially very positive.

For that reason, there is no such thing as a blanket “yes” or “no” at any part of this discussion. Regulatory environments regarding both cannabis and blockchain are changing everywhere. Go slow and with caution is the watchword of the day. Look for interesting beta projects and track them.This is a rapidly changing territory in every direction.

Mentioning cannabis and blockchain if not cryptocurrency in the same breath is also legit, now. As little as 2 years ago, the idea or any combination of the two terms in fact, for whatever reason, was widely dismissed as just another iteration of Silk Road.

When combining this technology and cannabis, in other words, expect either amazing results or fantastic explosions that create a lot of heat and noise but go nowhere. There is more room, in other words, for a cannabis.io to become the industry’s NextGen Pets.com than Google or Facebook. That said, there are experiments going on now, in several countries where the banking and insurance questions are being addressed early (Germany, Canada, Australia and Israel all being such locales) where such issues have begun to be addressed up front.

In summary? Stay tuned and watch this space. This is a rapidly changing territory in every direction.