CyberSecurity & Cannabis Cos. 101

April 4, 2022
by Ajay Chawla


When we meet with Cannabis business owners, including dispensaries, growers, labs, processing and transportation, I’ll ask them, “What are you doing for security?” Invariably, we get a response along the lines of “Did you notice the guy out front with the machine gun?” or “Let me show you my camera room,” which sometimes has more cameras than a NASA launch center. I tell the owners this is great, but the person who is going to rob your business is not going to walk in the door with a gun. He’s going to do it from a coffee shop in Eastern Europe. Cyber breaches are the most common, and damaging, threat a Cannabis owner needs to look out for. This article gives a primer on the basics so you can start protecting your interests now or, preferably, long before you open.

How are you protecting your devices on the Internet?

From a cyber standpoint, the first security measure you need to shore up is endpoint protection. How are your devices that are linked to the Internet protected? This could be your POS system, laptops, employee phones, tablets or your access points (routers). One step upstream on the network from the endpoints are your switches, which manage all hardwired traffic and your landline telephone. Your main telecom connection comes into the switch, which provides Internet access to the entire location over the LAN and WAN. Your access points (routers) connect out from the switch. If any of your POS systems, printers or computers are hardwired, those are all plugged into the switch. A lot of important business functions run through these endpoints, access points and switches, so you need robust protection.

Is your smartphone safe?

Interestingly, employee smartphones are a large risk that is often overlooked because we often don’t think of employee phones as an endpoint on the network, but they are. Remember that employees have access to the private network, whereas your guest network has its own access and operates like a walled garden, which is important. You want your customers on your guest network, not just because it’s a nice in-store experience: as dispensaries start using geotagging and Bluetooth technology, you’ll be able to know who is walking into your store, your staff can be alerted, and you can start marketing to the visitor more intelligently. Endpoint protection is pivotal, and there are multiple players in that market. We work with Helix, Sentinel and CrowdStrike, to name a few. There are many different endpoint protection providers, and the right one depends on what you want to do (your requirements) and your budget. You may want to seek outside help when making this important decision.

Have you trained your team enough?

Within endpoint protection is the practice of proper employee knowledge. Knowledge transfer and employee education are a low-cost way to shore up the biggest security holes on your network. Believe it or not, most cybersecurity hacks start with an employee getting phished, giving out a password or sending money. So employee knowledge and training are critically important. Some software, like Proofpoint, can help you improve your employee readiness. Other training software requires employees to take quarterly tests. Think: what do you do if you get an email from the CEO that says, “send me $1,000 worth of gift cards”? Or the CEO asks you to please wire funds to an account that looks almost identical to one you routinely wire to? Another common phishing tactic is to send an email from a vendor that says we’ve changed banks, or are using a different account at the same bank, and only one number has changed. All of these examples could be very costly mistakes for your company. And you’d be surprised how often this happens. Companies like Backcross can perform the training and/or help to select the right software, implement it, institute it as a policy across an organization and make it a priority.
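The “only one number has changed” trick can be caught mechanically before a wire goes out. The sketch below is an added example, not part of the original article or any Backcross tool: it compares a requested account number with a vendor master file and holds anything that is close to, but not exactly, an account on file. The vendor names, account numbers and the `review_payment` function are constructed for illustration.

```python
# Constructed vendor master file: names and account numbers are made-up samples.
KNOWN_ACCOUNTS = {
    "Green Valley Packaging": "004417829315",
    "Summit Lab Testing": "118200456730",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def normalize(account: str) -> str:
    """Keep digits only so spaces or dashes cannot hide a change."""
    return "".join(ch for ch in account if ch.isdigit())

def review_payment(vendor: str, account: str, max_diff: int = 2) -> str:
    """Classify a requested payment destination against the vendor master file."""
    requested = normalize(account)
    if KNOWN_ACCOUNTS.get(vendor) == requested:
        return "ok"
    # A number within a couple of edits of any account on file is the
    # look-alike pattern described above: hold it and name what it imitates.
    for name, known in KNOWN_ACCOUNTS.items():
        if 0 < edit_distance(requested, known) <= max_diff:
            return f"hold: near-match to account on file for {name}"
    return "hold: account does not match vendor record, verify by phone"
```

A held payment should be confirmed by calling the vendor on a phone number already on file, never one taken from the email that requested the change.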

How bad is your cyber hygiene?

The final area of risk to cyber security is what we’ll call “cyber hygiene.” And you’d be surprised how bad it is. These are simple business housekeeping tasks that are often overlooked, especially when business is booming. For example, how is your employee directory maintained, and how are all your access rights granted? If John Smith quits tomorrow, how quickly do you lock him out of the system? You’d be surprised how many businesses either don’t update their directories when an employee leaves or, if they do, don’t have a consistent policy. Many businesses forget to take away email access. Many forget to take away access to the POS or to the financial system. How do you cut off his access to an old entry card? It’s all electronic now and many owners don’t know. Does the former employee have access to the video cameras?

John quit, now what?

It’s important to have a directory of all of your employees and what access each one has, so the second they exit you cut off their rights to everything. This is simple in principle, but much easier said than done. When you’re running two or three dispensaries with 40 to 50 employees and John Smith quits, the last thing you’re thinking about is, “oh, my God, I have to go down now and look at everything that he has access to and cut John out of everything!” Instead, you’re thinking, “how do I cover his shift?” When we work with customers we go straight to training and hygiene, and generally the overall security improves dramatically.
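A directory like this pays off when it is compared against the user lists exported from each system. The following is an added example, not from the original article: it cross-checks a roster against per-system credentials (email, POS, financial system, entry cards, video cameras) and reports accounts that belong to departed staff or to nobody at all. All names, dates and the `stale_access` function are constructed for illustration.

```python
from datetime import date

# Constructed sample data: names, dates and systems are illustrative only.
ROSTER = {
    "john.smith": {"status": "terminated", "last_day": date(2022, 3, 18)},
    "maria.lopez": {"status": "active", "last_day": None},
}

# One row per credential, as exported from each system's user list.
GRANTS = [
    ("email", "john.smith"),
    ("pos", "john.smith"),
    ("entry_card", "john.smith"),
    ("video_cameras", "maria.lopez"),
    ("financial_system", "maria.lopez"),
    ("pos", "temp.register2"),  # shared login nobody owns
]

def stale_access(roster, grants, today):
    """Return (system, user, reason) for credentials that should not exist."""
    findings = []
    for system, user in grants:
        person = roster.get(user)
        if person is None:
            # Account with no matching employee: cannot be offboarded by name.
            findings.append((system, user, "no owner in employee directory"))
        elif person["status"] != "active":
            days = (today - person["last_day"]).days
            findings.append((system, user, f"still enabled {days} days after exit"))
    return sorted(findings)

if __name__ == "__main__":
    for system, user, reason in stale_access(ROSTER, GRANTS, date(2022, 4, 4)):
        print(f"{system:18} {user:16} {reason}")
```

Running the same comparison on a schedule, not only on exit day, also surfaces the accounts that were missed while everyone was busy covering the shift.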

Interested to see how we do that? Backcross offers a free Alignment call for businesses looking to assess fit. To learn more about our process check out our services page and our resources page for all things cannabis IT related. We hope this article has been helpful. Best of luck!