In this post, we will expand on the security guidance and dig further into the details for securing the people, operations, and technology of your cannabis business. Our work for a cannabis investor included assessing security practices and potential investment risk.
Although information security has a rapidly evolving, complex landscape, core protections remain consistent across size, stage, and technology platform.
Cannabis business owners and investors need to consider digital security and business continuity, not just physical security. The questions below are from a summarized information security assessment.
As you read through these 21 questions, write down your answers, e.g., Always, Most of the Time, Some of the Time, and Never.
Grab a coffee. Set your phone aside for 30 minutes. Here are the questions:
Each question is listed under its category, followed by a comment.

Employees

Question: Are the information security policy and procedures monitored and tested? Are employees tested and instructed not to give out personal or business information to untrusted parties?
Comment: Policies do not prevent a loss or breach by themselves. They establish acceptable behavior and a support channel for help.

Question: Is there annual training regarding computer usage, email usage, internet usage, data handling and disposal, cyber incident reporting and handling, and other cyber security best practices?
Comment: Culture isn’t established with boring videos. Talk about security regularly, particularly recent attacks or successful defenses.

Question: Does organizational culture encourage and reward employees for reporting suspicious cyber behavior?
Comment: Reward, rather than shame. Ashamed employees will hide mistakes instead of reporting them.

Question: Are employees required to use strong passwords or multifactor authentication on all devices and business applications?
Comment: It takes ~64 years to crack a password of 5 random words using today’s quantum computers (it’s a thing).

Question: Do you randomly test employees to determine if they are susceptible to phishing scams?
Comment: If your IT staff can’t handle this task, there are a number of providers that will run a test for free.
Financials

Question: Are two authorized signatures required to approve a funds transfer?
Comment: Impersonating two financial officers rather than one is not impossible, but significantly more difficult.

Question: Is verification through a phone call or address on file required for requested funds transfers?
Comment: Business email compromise (BEC) is rampant. Voice confirmation protects you from fraud.

Question: Is there confirmation that the vendor is in fact owed the requested amount?
Comment: Fake invoices are common. You may pay an attacker impersonating a supplier.

Question: Do policies and procedures for approving funds include verification of any change in a vendor’s bank account through a call back to a telephone number on record or an email to an address on record of an authorized user?
Comment: Make this a standard with your key vendors and suppliers. If a partner in your value chain identifies a possible attack, set up a way to alert everyone in the chain.

Question: Are funds transfer request policies and procedures consistent globally?
Comment: Differences between offices, warehouses, or state regulations create opportunity. Follow procedures consistently.

Question: Have employees been made aware of the risks of fraudulently induced payment scams such as “CEO Fraud”, “Fake Presidents”, “Business Email Compromise”, fraudulent vendor invoices, and vendor payment diversion?
Comment: Administrative staff are often targeted with fake requests that appear to be urgent or time sensitive. Allow them to verify the request quickly, e.g., SMS or safeword.
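The Financials questions above describe one screening routine: two distinct approvers, a callback to the number already on record (never a number supplied in the request), confirmation that the amount is actually owed, and a hard stop on any bank-account change. The code below is an added example, not from the original post or any product it mentions; the vendor master record, the two requests, and the list of pressure words are constructed assumptions, and the screening returns a report rather than moving money.

```python
"""Funds-transfer request screening against the vendor master record (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List


@dataclass
class VendorRecord:
    """What finance captured at onboarding; the only trusted source for phone and bank details."""
    name: str
    email_domain: str          # domain the vendor is known to send from
    phone_on_record: str       # captured at onboarding, never taken from an email
    bank_account: str
    open_invoices: List[float] = field(default_factory=list)


@dataclass
class TransferRequest:
    """A payment request as it arrived, before anyone acted on it."""
    vendor_name: str
    amount: float
    requester_email: str
    bank_account: str
    callback_phone_in_request: str   # number the message asks you to call, if any
    approvals: List[str] = field(default_factory=list)
    body: str = ""


# Pressure language typical of "urgent, keep this quiet" requests (constructed list).
URGENCY_MARKERS = ("urgent", "immediately", "today", "confidential", "do not discuss")


def screen_transfer(req: TransferRequest, vendor: VendorRecord) -> dict:
    """Return the red flags found and the actions required before funds may move."""
    flags: List[str] = []
    actions: List[str] = []

    # Two authorized signatures, counted as distinct people.
    if len(set(req.approvals)) < 2:
        flags.append("fewer than two distinct approvers")
        actions.append("obtain a second authorized signature")

    # Sender domain must match the domain on record (catches lookalike domains).
    req_domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if req_domain != vendor.email_domain.lower():
        flags.append(f"requester domain {req_domain!r} differs from vendor domain {vendor.email_domain!r}")

    # Any bank-account change is verified by calling the number ON RECORD.
    if req.bank_account != vendor.bank_account:
        flags.append("bank account differs from the account on record")
        actions.append(f"call the vendor at the number on record ({vendor.phone_on_record}) to confirm the change")

    # A callback number inside the request is itself a warning sign.
    if req.callback_phone_in_request and req.callback_phone_in_request != vendor.phone_on_record:
        flags.append("request supplies a callback number that is not the one on record")

    # Is the vendor actually owed this much?
    owed = round(sum(vendor.open_invoices), 2)
    if req.amount > owed:
        flags.append(f"requested {req.amount:.2f} exceeds open invoices totalling {owed:.2f}")
        actions.append("reconcile against the vendor's open invoices before paying")

    lowered = req.body.lower()
    hits = [m for m in URGENCY_MARKERS if m in lowered]
    if hits:
        flags.append("pressure language in request: " + ", ".join(hits))

    return {"release": not flags, "flags": flags, "actions": actions}


# Constructed sample data (not from the post).
ACME = VendorRecord(
    name="ACME Supply",
    email_domain="acmesupply.example",
    phone_on_record="+1-555-0100",
    bank_account="ACCT-111-222",
    open_invoices=[1200.00, 850.50],
)

# A legitimate request that matches the record on every point.
CLEAN_REQUEST = TransferRequest(
    vendor_name="ACME Supply",
    amount=2050.50,
    requester_email="billing@acmesupply.example",
    bank_account="ACCT-111-222",
    callback_phone_in_request="",
    approvals=["cfo", "controller"],
    body="Invoices 1042 and 1043 attached for payment per terms.",
)

# A request with the hallmarks of vendor payment diversion.
SUSPECT_REQUEST = TransferRequest(
    vendor_name="ACME Supply",
    amount=4900.00,
    requester_email="billing@acmesuppIy.example",   # capital I in place of lowercase l
    bank_account="ACCT-999-000",
    callback_phone_in_request="+1-555-0199",
    approvals=["cfo"],
    body="URGENT: we changed banks. Please wire today and keep this confidential.",
)


if __name__ == "__main__":
    print(screen_transfer(CLEAN_REQUEST, ACME))
    print(screen_transfer(SUSPECT_REQUEST, ACME))
```

The design point is that every comparison is made against the vendor record, never against details carried in the request itself; the callback number, the bank account and the sending domain in the message are what an impersonator controls, so they are only ever inputs to be checked.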
Technology

Question: Are individual user accounts required for each employee or contractor?
Comment: Sharing user accounts and access makes auditing user history impossible. Proactively keep a few licenses open in case of a hiring wave or temporary license need.

Question: Are anti-virus, anti-spyware and other anti-malware programs installed and updated daily?
Comment: Focus on Macs and Windows machines, although vendors offer mobile device security solutions as well as laptop and desktop solutions.

Question: Are web browsers kept up to date, with secure connections (HTTPS or VPN) enforced, web browser history, cache, etc. cleared automatically, and dedicated systems required for highly sensitive business operations?
Comment: Attackers can use a phishing message to get you to download a browser plugin or extension that lets them hijack older browsers.

Question: Are web and email filters enabled to block malware-infected email, attachments within email, unapproved or inappropriate websites, and blacklisted websites?
Comment: In parallel with an acceptable use policy, actively block suspicious sites and sites that create a hostile work environment.

Question: Are full and incremental backups of important business information made weekly/daily?
Comment: The key here is to apply the same solution consistently, rather than spreading your data across the internet or applications, e.g., Drive, SharePoint, Dropbox, Box.

Question: Is restoring from backup tested at least twice per year?
Comment: Make a plan. Test it. Share the results and make improvements.
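A restore test only counts if it proves every file came back intact, so the drill below records a hash of each file at backup time, restores the archive into a separate directory, and compares. This is an added example, not code from the original post; the business files it backs up are constructed sample data and the `simulate_bad_restore` switch exists only to show what a failing report looks like.

```python
"""Backup-and-restore drill: back up a directory, restore it elsewhere, verify every file (added example)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Full backup of `source` as a gzip tarball; returns the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into `target`; the restored tree lands at target/<source name>."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # The 'data' filter refuses members that would write outside the target directory.
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(expected: Dict[str, str], restored_root: Path) -> dict:
    """Compare the restored tree with the manifest recorded at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "ok": not (missing or extra or corrupted),
        "files_checked": len(expected),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_restore_drill(simulate_bad_restore: bool = False) -> dict:
    """End-to-end drill on constructed data; the flag alters one restored file to show a failure."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "business_data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,vendor,amount\n2024-01-05,ACME Supply,1200.00\n")
        (source / "finance" / "vendors.txt").write_text("ACME Supply\nGreenhouse Parts Co\n")
        (source / "inventory.txt").write_text("lot-001,flower,40kg\n")

        archive = work / "backup.tar.gz"
        manifest = create_backup(source, archive)

        restore_target = work / "restore_test"
        restore_backup(archive, restore_target)
        restored_root = restore_target / source.name
        if simulate_bad_restore:
            (restored_root / "inventory.txt").write_text("lot-001,flower,0kg\n")
        return verify_restore(manifest, restored_root)


if __name__ == "__main__":
    print(run_restore_drill())
```

Keep the manifest with the backup schedule rather than inside the archive, so that a restore is judged against what was backed up, not against whatever the archive happens to contain; the report dict is what you share after each drill.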
Question: Are you able to remotely wipe lost or stolen devices?
Comment: In parallel with a bring your own device (BYOD) policy, select a tool that lets you delete email and business documents if a personal or business device is lost.

Question: Is encryption used for sensitive business information, including full disk encryption on all critical and end user systems, encrypted email when sending sensitive information, and encrypted offline media when storing sensitive information?
Comment: If a laptop is stolen from the trunk of your car, what is lost? In financial services, the data on a laptop is worth approximately $500K. The actual laptop? $500.

Question: Are employees blocked from connecting personal and untrusted storage devices (such as USB sticks) to work computers?
Comment: USB drives with malicious software may come home from a conference to your office.

Question: Is users’ access to data and information restricted? Are users with access to business information identified and controlled?
Comment: Start with your financial systems and list the people with access. Do they need it? Why? Start to clarify which tools are needed vs. which are optional for your employees.
Protection and Architecture

Question: Are wireless access points and networks secured by changing the default administrator password and by enabling WPA2?
Comment: Would you leave your front door open to the warehouse? Why would you let someone access your inventory or financial systems from the parking lot?
Was that so bad? Based on your answers, talk with your finance lead and technology lead to prioritize your improvement actions.