Many cannabis businesses are starting to take a closer look at their IT security for a variety of reasons, including the ongoing ransomware epidemic, the need to show sophisticated internal controls and operations to investors and acquiring businesses, and more people coming into the industry from other sectors (retail, manufacturing, finance, etc.) that already understand the importance of a mature, well-structured approach to IT.
If you’re one of these businesses and aren’t tech-savvy, the first step is understanding the basics of IT security and how to protect your business from cyber attacks. Here’s our advice as an IT company serving the cannabis industry on how to approach it.
Similar to the way prisons don’t have just one fence, but a series of interlocking security measures, procedures, and controls, you don’t want to depend on one security feature to protect your data. You want your IT to have both vertical and horizontal depth, so it’s difficult both to break into initially and to move around in once an attacker is inside. The most basic example is running both a firewall and antivirus software on your PC. The firewall blocks unsolicited network connections from reaching the PC in the first place, while antivirus catches malware that arrives some other way (an email attachment, a download, a USB stick), stops it from running, and quarantines or deletes it.
There are a million ways for hackers to get into your network. Block everything by default and grant each person, device, and system only the access it genuinely needs; security people call this least privilege.
You’re only as secure as your weakest point. You have to consider security holistically and ensure you have an equal level of security throughout your organization and at all levels of your networks.
Cannabis businesses, if they think about IT security at all, usually focus on endpoints, but the network is just as important, if not more so. The network is the entry point into your company from the public internet, and if you have a “flat” network with no segmentation it’s easy for hackers to reach accounts and data well beyond their initial foothold.
A firewall is your network’s security guard. It blocks known-bad domains and unused ports, restricts connections to approved IP addresses only, scans and filters traffic for malware and hacking attempts, and alerts you to suspected intrusions.
Divide your networks to keep trusted and untrusted traffic separate and make it difficult for hackers to move around (“move laterally”) inside them. Create a guest WiFi network for that purpose; don’t let customers or visitors connect to your company’s internal network. If you have a POS, put it on its own network so that card-payment traffic is isolated from everything else.
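The “block everything by default, then allow only what’s needed” rule applied to a POS terminal, as an added example (this is not Cure8’s code or anything from the original article). It uses the Windows firewall cmdlets built into Windows 10/11 Pro, so the same default-deny idea the network firewall enforces at the edge is enforced on the terminal itself. The addresses, rule names and the assumption that the POS talks to its server and payment gateway over HTTPS are illustrative; substitute your own.

```powershell
# Added example: default-deny host firewall for a POS terminal, using the
# built-in NetSecurity cmdlets on Windows 10/11 Pro. Run as Administrator.
# All addresses below are assumptions (RFC 1918 / RFC 5737 ranges); replace
# them with your POS server, internal DNS and payment-gateway addresses.
$PosServer      = '10.20.0.10'     # assumed address of the POS/back-office server
$InternalDns    = '10.20.0.2'      # assumed internal DNS resolver on the POS VLAN
$PaymentGateway = '203.0.113.25'   # assumed payment-processor endpoint
$AdminSubnet    = '10.10.0.0/24'   # assumed management network for IT staff

# 1. Turn the firewall on for every profile and make "block" the default in
#    both directions. Anything not explicitly allowed below is now dropped
#    and logged: "block everything by default" in practice.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remove any rules from an earlier run so the script is safe to re-run.
Get-NetFirewallRule -DisplayName 'POS-*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow only the handful of outbound flows the terminal genuinely needs.
New-NetFirewallRule -DisplayName 'POS-Out-DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $InternalDns -RemotePort 53
New-NetFirewallRule -DisplayName 'POS-Out-POSServer' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $PosServer -RemotePort 443
New-NetFirewallRule -DisplayName 'POS-Out-PaymentGateway' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $PaymentGateway -RemotePort 443

# 4. Inbound: nothing from the guest or office networks; remote support is
#    only possible from the management subnet, over RDP.
New-NetFirewallRule -DisplayName 'POS-In-RDP-FromAdmins' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet

# 5. Show what is now in force so the change can be reviewed.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'POS-*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

With outbound blocked by default, Windows Update and any other service the terminal relies on will also be cut off until you add a rule for it (for example, an allow rule to your WSUS server). That is the point of the exercise: every flow the terminal needs becomes a deliberate, documented exception, and the blocked-connection log tells you what you missed.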
Make sure everyone on your team has a unique account, with no shared logins, so any issue can be traced to a specific person. Also, have a process for adding users as soon as they’re onboarded and for disabling them the day they’re offboarded; the accounts of former employees are a favourite way back in.
Enforce a strong password policy: at least 12 characters, including uppercase and lowercase letters, numbers, and special characters. Length does more for you than symbol variety, so never trade a longer minimum for extra complexity rules, and pair the policy with an account-lockout threshold so an attacker can’t make thousands of guesses against one account. You can configure all of this in Windows Active Directory (via Group Policy) and/or in your software’s admin panel. Together these protect you from brute-force attacks and from people simply guessing passwords.
Multi-factor authentication (MFA) means proving it’s you with something beyond the password when you log in, typically a code from an authenticator app or a push prompt on your smartphone. It keeps the account secure even if a hacker gets hold of the password. Codes sent by SMS are better than nothing, but an authenticator app or a hardware security key is stronger. Your software may include this feature, or you can set it up separately.
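The account and password-policy points above, done in Active Directory, as an added example (not the article’s or Cure8’s own tooling). It sets the 12-character policy with an account-lockout threshold, reports enabled accounts nobody has used in 60 days and accounts flagged “password never expires” (both usually mean an ex-employee or a shared login), and gives an offboarding routine that disables the account, strips its group memberships and parks it in a holding OU. The domain name, OU path and the 60-day and 10-attempt thresholds are assumptions; it needs the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example: enforce the password policy and tidy up accounts in Active
# Directory. Requires the RSAT ActiveDirectory module and Domain Admin rights.
# The domain name, OU path and thresholds are assumptions; substitute your own.
Import-Module ActiveDirectory
$Domain     = 'corp.example'                           # assumed AD domain
$DisabledOu = 'OU=Disabled Users,DC=corp,DC=example'   # assumed holding OU

function Set-CompanyPasswordPolicy {
    # 12+ characters with complexity, as in the article, plus lockout so a
    # brute-force attacker gets ten guesses and then waits 30 minutes.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
        Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration
}

function Get-AccountHygieneReport {
    # Enabled accounts nobody has used for 60 days are probably ex-staff who
    # were never offboarded; "password never expires" usually marks a shared login.
    $stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 60) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate
    $neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
        Select-Object SamAccountName
    [pscustomobject]@{
        InactiveEnabledAccounts = $stale
        PasswordNeverExpires    = $neverExpires
    }
}

function Disable-OffboardedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Offboarding: disable, remove every group membership (so nothing keeps
    # working through a group), record when it was done, and move the object
    # to a holding OU where it can be reviewed before deletion.
    $user = Get-ADUser -Identity $SamAccountName
    Disable-ADAccount -Identity $user
    Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object Name -ne 'Domain Users' |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $user -Confirm:$false }
    Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format yyyy-MM-dd)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
}

Set-CompanyPasswordPolicy
Get-AccountHygieneReport | Format-List
# Disable-OffboardedUser -SamAccountName 'jdoe'   # run on the person's last day
```

The hygiene report is worth scheduling monthly: an enabled account with no logons in two months is exactly the kind of loose end the onboarding/offboarding process is meant to prevent, and finding it in a report is far cheaper than finding it in an incident.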
“Endpoint” is a fancy nerd term for devices that people directly use like desktops, laptops, and tablets, as opposed to centralized, shared resources like servers, switches, and wireless access points.
Install antivirus on all your Windows devices. Macs and mobile devices are lower risk because of their built-in protections, but they are not immune, and business-grade suites now cover them too. Make sure your antivirus is always up to date and that you get an alert if it’s disabled on any machine. Business-grade security suites let you monitor and manage all your antivirus installations remotely from one central console.
Mobile device management (MDM) software lets you manage all your mobile devices remotely. It lets you restrict those devices to designated apps and approved websites, push app updates, troubleshoot, and wipe data remotely if a device is lost or stolen.
Most hacks and malware target known vulnerabilities in outdated software, especially the Windows operating system and the applications on it. Keep all your software up to date. Active Directory Group Policy with WSUS, Microsoft Intune, or a remote management (RMM) tool can push updates to a large number of machines at once; Active Directory by itself only manages accounts, it doesn’t patch anything.
Encrypting your devices prevents someone who has physically stolen one from pulling the disk and reading your data. Most mobile devices encrypt by default as long as they’re password-protected. Windows Pro PCs include BitLocker, but it has to be turned on, and the recovery key must be saved somewhere you control (Active Directory or your password vault), or a forgotten password becomes a lost laptop. Network storage offers data-at-rest encryption (DARE), which protects the data if drives are removed from the storage array; it does not stop someone who can log in to the share over the network, so it complements access controls rather than replacing them.
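A read-only check of the endpoint points above (antivirus on and current, patches recent, disk encryption on with a recovery key, host firewall on, and no unnecessary local administrators), as an added example that is not part of the original article. It is the kind of per-machine evidence a gap analysis needs. The 7-day signature age, 30-day patch age and “at most two local admins” thresholds are assumptions; it uses only cmdlets shipped with Windows 10/11 Pro and must run in an elevated PowerShell session.

```powershell
# Added example: read-only endpoint security posture check for a Windows
# 10/11 Pro PC. Run in an elevated PowerShell session. The 7-day, 30-day and
# two-admin thresholds are assumptions you can tune.
function Get-EndpointSecurityPosture {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Antivirus: Microsoft Defender status and signature age.
    try {
        $mp = Get-MpComputerStatus
        Add-Finding 'AV real-time protection on' $mp.RealTimeProtectionEnabled `
            "AntivirusEnabled=$($mp.AntivirusEnabled)"
        Add-Finding 'AV signatures < 7 days old' ($mp.AntivirusSignatureAge -lt 7) `
            "Last updated $($mp.AntivirusSignatureLastUpdated)"
    } catch { Add-Finding 'AV status readable' $false $_.Exception.Message }

    # Disk encryption: BitLocker on the system drive, with a recovery key escrowed.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $hasRecovery = [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        Add-Finding 'BitLocker protection on' ($bl.ProtectionStatus -eq 'On') `
            "VolumeStatus=$($bl.VolumeStatus)"
        Add-Finding 'BitLocker recovery key exists' $hasRecovery 'Store it in AD or your password vault'
    } catch { Add-Finding 'BitLocker readable' $false $_.Exception.Message }

    # Host firewall on for every profile, with inbound blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding "Firewall $($p.Name) profile" `
            (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')) `
            "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }

    # Patching: the most recently installed update should be within 30 days.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $fresh = [bool]($lastFix -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-30)))
    Add-Finding 'Update installed < 30 days' $fresh `
        "Latest: $($lastFix.HotFixID) on $($lastFix.InstalledOn)"

    # Least privilege: day-to-day users should not be local administrators.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    Add-Finding 'Local admins <= 2' ($admins.Count -le 2) ($admins -join ', ')

    return $findings
}

$report = Get-EndpointSecurityPosture
$report | Format-Table -AutoSize
"Failed checks: $(($report | Where-Object { -not $_.Pass }).Count)"
```

On a machine running a third-party antivirus, Defender reports itself as disabled or passive, so read the AV rows against whatever product you actually deployed. Run the script across the fleet through your RMM tool or a scheduled task and the failed-check counts become the starting list for the gap analysis at the end of this article.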
Make sure your users understand the basics of IT security. It’s difficult to protect your IT if your users keep clicking on links and email attachments that steal their credentials or contain malware. Teach them about:
Backups aren’t always lumped into IT security, but they can come in handy in a few situations:
Take care to secure your backups and keep them separate, at least to some extent, from your “production” or active files and data. Ransomware specifically looks for backups it can reach from an infected PC, so keep at least one copy offline or in immutable cloud storage, and test a restore periodically; a backup you’ve never restored from is a hope, not a backup.
Most cannabis industry-specific software is cloud- or web-based. In most cases this means that you have limited control over the security of these applications, aside from things like the passwords you choose, making sure your employees don’t leave logged-in devices unattended, and whatever features or customizations the vendors offer.
The good news is that these software firms have talented people working for them and have a pretty strong track record for securing client data, aside from a few incidents involving MJ Freeway (Akerna) some years back.
But do your due diligence if you haven’t already. Ask them in broad terms how they secure your data, or see if this information is available on their website. They may have a SOC 2 report or a PCI DSS attestation for you to review to get a sense of the controls they have in place. They may be reluctant to share specific details, and some reticence is reasonable: you don’t want them publicly advertising exactly how they protect your data, which would be like publishing instructions on how best to hack them. A vendor that can’t describe its controls at all, or won’t share an audit report even under NDA, is a different matter.
Also try to get details on how they back up your data. If possible, see whether you can get that data exported or sent to you on a schedule so you can back it up separately. If your data gets lost for whatever reason, it’s you, not the cloud provider, who’ll be in trouble for not retaining records for the required period.
Now that you know what secure cannabis IT looks like, compare it to your own. Perform a gap analysis to determine where you are and what you need to do to get your IT security where you want it to be. You may want to bring in an IT pro to help you with this if you don’t have a background in IT.
Eric Schlissel is the CEO/CTO of Cure8, one of the world’s leading cannabis IT services providers. His company helps dispensaries, distributors, manufacturers, and cultivators throughout the US and Canada to plan, install, secure, manage, and scale their IT.
He has been a featured panelist at many cannabis industry events, including those put on by the NCIA and CCIA. He’s also a respected IT thought leader outside of the cannabis industry, having been quoted in publications such as Wired, the Los Angeles Times, InfoWorld, and Information Week. Outside of work, Eric can be found gardening with his two small children, trying to perfect the feat of growing a thriving basil plant and ripened tomatoes at the same time. He is currently developing the fine art of bourbon tasting, enjoys travel, and is a foodie-wannabe.