When It Comes to Cyber Security, The Weakest Link is Still Employees

We need to make sure the highly regulated world of cannabis business knows how to protect its data, customer records and otherwise, while also controlling access to that data without undue hassle.

As an insurgent breed, hackers are savvy and will seek out the path of least resistance. When your defenses are good, the weak link is often your employees.

Data breaches are most likely to be the result of employee error or an inside job, according to the ACC Foundation's State of Cybersecurity Report.

Of course you want to maintain normal operations around your firewalls, malware defenses and data protection. But all too often employees are an afterthought.

Don’t Let Sleeping Dogs Sleep

Some unscrupulous former employees may see an opportunity to profit.

Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive, accounts, a former employee can easily impersonate legitimate users and mask their nefarious activity.

There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable.

Simple Rules for Sleeping Dogs

There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.

  • Account access should be revoked immediately when an employee or contractor is terminated or leaves for any reason. You may prefer to disable access rather than delete accounts.
  • Accounts should be monitored and flagged if they don’t have an associated business process and owner.
  • Automatically log off users after a period of inactivity and use screen locks to guard against access via unattended computers.
  • Be vigilant for failed log-ins and attempts to access deactivated accounts.
  • Profile user behavior so that log-ins at odd times of the day or night, or log-ins from new devices, are flagged.
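As an added illustration (not code from the article or from Towerwall), the following Python sketch applies the monitoring rules above to a constructed account directory and authentication log: it flags accounts with no business owner, attempts against disabled accounts, bursts of failed log-ins, successful log-ins outside working hours, and log-ins from devices not seen before for that user. The account names, device ids, failure threshold and business-hours window are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed account directory: status, business owner and known devices per account (sample data).
ACCOUNTS = {
    "jdoe":    {"status": "active",   "owner": "Sales Lead",     "known_devices": {"laptop-17"}},
    "rsmith":  {"status": "disabled", "owner": "Dispensary Mgr", "known_devices": {"laptop-04"}},
    "svc_pos": {"status": "active",   "owner": None,             "known_devices": {"pos-01"}},
}

# Constructed authentication log, one event per line: "timestamp,user,result,device"
LOG = """\
2024-03-04T09:12:00,jdoe,success,laptop-17
2024-03-04T23:41:10,jdoe,success,phone-88
2024-03-04T02:05:33,rsmith,failure,laptop-04
2024-03-04T02:05:51,rsmith,failure,laptop-04
2024-03-04T02:06:20,rsmith,failure,laptop-04
2024-03-04T10:00:00,svc_pos,success,pos-01
"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 counts as a normal working day
FAILURE_THRESHOLD = 3           # assumption: alert on the third consecutive failure

def review_accounts(accounts):
    """Rule 2: flag accounts that have no associated business owner."""
    return [f"{u}: no business owner assigned" for u, a in accounts.items() if not a["owner"]]

def review_log(log_text, accounts):
    """Rules 4 and 5: deactivated-account attempts, failure bursts, odd hours, new devices."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ts, user, result, device = line.split(",")
        acct = accounts.get(user)
        if acct is None or acct["status"] == "disabled":
            alerts.append(f"{user}: login attempt against disabled/unknown account at {ts}")
        if result == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                alerts.append(f"{user}: {FAILURE_THRESHOLD} failed log-ins")
            continue
        hour = datetime.fromisoformat(ts).hour
        if hour not in BUSINESS_HOURS:
            alerts.append(f"{user}: successful log-in outside business hours at {ts}")
        if acct and device not in acct["known_devices"]:
            alerts.append(f"{user}: successful log-in from new device {device}")
    return alerts
```

On the sample log this yields six alerts: three for the disabled rsmith account, one for its failure burst, and two for jdoe's late-night log-in from an unfamiliar phone.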

You’ll also want to enforce multi-factor authentication wherever possible, ensure that user names and passwords are fully encrypted, and manage configuration and authentication centrally.

Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.

Gap Analysis and Training to Fill Gaps

It’s easy to focus on the technology you need to bolster your cyber security defenses and forget that people can neatly sidestep all your efforts by taking the wrong action.

Perhaps your IT staff isn’t quick enough to patch or review logs. Maybe your security policies are not enforced in any meaningful way, or your employees don’t know any better than to click on a malicious link in a phishing email.

Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases, they can persuade people to effectively lower the defenses and let them in.

The first thing to do here is to perform a gap analysis and find where employees lack the skills required to implement your cyber security plans and policies. You have to know where they are going wrong before you can steer things right.

Provide relevant training via outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this.

Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful. They should complete the same training.

Putting the Fox in the Hen House

As a way to test how susceptible its employees were, the largest bank in the country tested staff with a fake phishing email just a few weeks after it suffered a data theft. Despite increasing its cyber security spend, 20 percent of these employees clicked on the bogus email. Had it been real, that click would have downloaded a malicious payload onto the bank’s network.

If you don’t invest time and resources in employee awareness, and in specific training where necessary, you can undo all your good efforts to improve your security and keep your business intact.

As you can imagine, the disruption to business from an attack is no picnic.

Michelle Drolet

Michelle Drolet is founder of Towerwall, a woman-owned cybersecurity and cannabis compliance services provider in Framingham, Mass., with clients such as CannaCare, Smith & Wesson, Covenant Healthcare and many mid-size organizations. She can be reached at [email protected].
