When thinking of the industries that face cybersecurity threats, cannabis may not immediately come to mind. However, even this up-and-coming industry is not immune to the detrimental impact of a data breach. Earlier this year, the Ontario Provincial Police (OPP) began investigating a major data breach that affected over 1,200 regulated cannabis stores located in the Canadian province. It is believed that the government-run Ontario Cannabis Store, which acts as the province’s legal adult-use marijuana wholesaler, had leaked data that included detailed sales information of every cannabis store in the province. The potential fallout includes unfair competitive advantages, predatory takeover bids, and escalated security risks stemming from criminals knowing how much inventory each store carries.

In addition to point of sale and back-office computers, cannabis cultivators should fortify their automation systems to help mitigate potential vulnerabilities. For example, administering the environment in which the cannabis is being grown is dependent on sensors that provide the information needed to automate watering levels, temperature, and lighting. While this technology has made growing less labor-intensive and resulted in consistent results, it also makes cultivators more prone to cyberattacks. Imagine if a malicious competitor could hack the sensors, intentionally sending erroneous information that triggers a reduction in water or increase in temperature, thus damaging or even destroying a cultivator’s crop.

To help strengthen their cyber defenses, a cannabis business should establish both preventative and responsive processes, both of which will significantly reduce the chance of a successful cyberattack. Here are a few key examples:

Best Practices: Preventative

• Perhaps most important of all best practices is instituting a robust security awareness training program. Since most attacks arrive via our inboxes, it is critically important that every employee is trained to detect and avoid spear phishing attacks so that they form a virtual human firewall to keep the business safe and secure.
• Keeping on top of the onslaught of constantly evolving cyber threats can be daunting, as many businesses struggle with where to begin becoming more secure. One of the best ways to start getting a hold of the security needs of your business is to go through the process of a cyber risk assessment, as it not only identifies the areas of concern but also provides a strategic plan to address them.
• Mandating the use of two-factor authentication for email and remote computing is another critical step to counter password-stealing strategies used by hackers.
• Running backups on a regular basis will provide resiliency in the event an attack occurs. And while having backups is crucial, testing them on a regular basis will ensure they are viable in the event they are needed for data restoration.
• Establishing protocols to keep systems and applications updated with the latest patches and password requirements is critically important, as hackers often leverage unpatched hardware and software to gain access to targeted systems.

Best Practices: Responsive

• Should the worst-case scenario become reality and your business is compromised, it is imperative that a business can quickly respond and recover. In the event a breach occurs, having incident response and disaster recovery plans in place are critical to quickly responding and recovering from a cyberattack while also reducing the cost of a breach. These plans should be tested on a periodic basis to keep them up to date and so that management is familiar with roles and responsibilities.
• A company should also have a cyber insurance policy in place, as the cost of a breach or attack can be catastrophic. Examples of the costs resulting from a cyberattack include fines and penalties, technology expenditures to replace compromised hardware and software, forensic and legal costs, and the downtime during the recovery process.
• One final consideration is to have a reliable expert standing by to supplement your IT resources who can immediately step in when an attack occurs to help stop the bleeding, restore operations, and prevent the issue from happening again in the future. Every minute spent scrambling to find a response resource means that the attack is not being contained, resulting in an attack that is exponentially more costly.

For more information on securing your cannabis business or questions on this article, please contact Kevin Ricci at kricci@citrincooperman.com or Mitzi Keating at mkeating@citrincooperman.com.