We need to make sure the highly regulated world of cannabis business knows how to protect its data, customer and otherwise, yet also control access to it without too much hassle.
As an insurgent breed, hackers are savvy and will seek out the path of least resistance. When your defenses are good, the weak link is often your employees.
Data breaches are most likely to be the result of employee error or an inside job, says the ACC Foundation: State of Cybersecurity Report.
Of course you want to maintain normal operations around your firewalls, malware defenses and data protection. But all too often employees are an afterthought.
Don’t Let Sleeping Dogs Sleep
Some unscrupulous former employees may see an opportunity to profit.
Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive, accounts, a former employee can easily impersonate legitimate users and mask their nefarious activity.
There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable.
Simple Rules for Sleeping Dogs
There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.
- Account access should be revoked immediately when an employee or contractor is terminated or leaves for any reason. You may prefer to disable access rather than delete accounts.
- Accounts should be monitored and flagged if they don’t have an associated business process and owner.
- Automatically log off users after a period of inactivity and use screen locks to guard against access via unattended computers.
- Be vigilant for failed log-ins and attempts to access deactivated accounts.
- Profile user behavior so that log-ins at odd times of the day or night, or log-ins from new devices, are flagged.
You’ll also want to enforce multi-factor authentication wherever possible, ensure that passwords and user names are fully encrypted, and configure and authenticate centrally.
Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.
Gap Analysis and Training to Fill Gaps
It’s easy to focus in on the technology that you need to employ to bolster your cyber security defenses and forget that people can neatly sidestep all your efforts by taking the wrong action.
Perhaps your IT staff isn’t quick enough to patch or review logs. Maybe your security policies are not enforced in any meaningful way, or your employees don’t know any better than to click on a malicious link in a phishing email.
Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases, they can persuade people to effectively lower the defenses and let them in.
The first thing to do here is to perform gap analysis and find where employees lack the skills required to implement your cyber security plans and policies. You have to know where they are going wrong before you can steer things rights.
Provide relevant training via outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this.
Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful. They should complete the same training.
Putting the Fox in the Hen House
As a way to test how porous employees could be, the largest bank in the country tested staff with a fake phishing email after it suffered a data theft just a few weeks prior. Despite increasing their cyber security spend, 20 percent of these employees clicked on the bogus email. Had it been real, that action would have downloaded a malicious payload onto the bank’s network.
If you don’t take some time out to spend resources on awareness for employees and specific training where necessary, then you can unroll all your good efforts to improve your security and keep your business intact.
As you can imagine, the disruption to business from an attack is no picnic.