How to Prepare for the Ticking Time Bomb of Cyber Liability in Cannabis

A breach has the potential to ruin a company, large or small, but especially one in a newer and high-risk industry like cannabis.


In July 2017, the personal data of 143 million Americans, including Social Security numbers, birth dates, home addresses and credit card numbers, was stolen from consumer credit reporting agency Equifax. The Equifax breach is now considered the largest in U.S. history, and the company is still working to clean up the mess, secure data and earn back consumer confidence. According to Wired Magazine, Equifax is investing over $200 million over the coming years to beef up cyber security and prevent another catastrophic breach.

A breach has the potential to ruin a company, large or small, but especially one in a newer and high-risk industry like cannabis, where medical records and private HIPAA-compliant information often come into play with business data collection. The average cost of a data breach to a business runs in the millions. Robert Gillette, an IT specialist with Berkeley, California-based Endsight, says Equifax’s big mistake was to reduce resources to the IT department.

 

Endsight is an outsourced IT provider that currently works with hundreds of businesses in the Bay Area, including some in the cannabis industry.


“Simple things were missed, and that is how that happened… When the organization does not consider IT to be the oxygen of their Maslow’s hierarchy of needs, if they think it is not important or not a foundation of their business, they make compromises. That’s when we see these compounding problems that end in a single big noticeable breach,” said Gillette.

Gillette says the cyber-security problems he sees in the cannabis industry are the same ones seen in the broader business community, but due to federal prohibition, the mistakes can be that much more complex to address and the consequences much more catastrophic.

According to research done by IBM, 95 percent of business hacks are a result of human error. Gillette says that if a business really wants to make sure they are doing everything possible to be secure, especially in the emerging legal cannabis industry, what they need is a business process with a technology mindset that is anticipating and addressing the shifts in the industry itself, and instituting best practices.

“When most people think of cyber security what they want and what they are looking for is a piece of software, a single simple process piece of hardware that they can implement that is going to layer in the security they are looking for. This is the real challenge,” he says. “Unfortunately, there are thousands of ways to break into a castle. I can talk until I am blue in the face about appropriate password policies and dual authentication, but at the end of the day, if someone is writing down their password on a post-it note, that is a greater security breach than can be accommodated or mitigated by those types of solutions.”

Endsight works with its cannabis clients to pick the right processes and make sure that, from the top down, the best practices and policies are in place to build and maintain a secure network. Gillette says that oftentimes the solutions businesses have put in place aren’t actually appropriate because they are overlooking the risk of not taking the time to create well-managed internal controls. This includes everything from policies about employees joining and leaving the organization to evaluating what he calls “acceptable risk.” He says the challenge is that these businesses are not thinking about security until it is too late.

“They simply implement [security software] and assume because they haven’t felt the pain, their measures were appropriate,” he said. 

Gillette points out that a lot of cannabis businesses are using point-of-sale software systems that are 100% hosted in the cloud. If the service provider goes down for any period of time, the business would have no recourse to challenge it. If these businesses decide that the loss of revenue from any outage would be too high to be considered an acceptable risk, they need to prepare for the worst now by putting a control in place to minimize it.

Gillette says the investment up front prevents the possibility of an Equifax-style disaster.

“If a CEO or the venture capital group has a mindset right out of the gate of investing in security tools as a business practice, all levels of the organization will be more secure and reduce their cyber liability. The challenge is when a business thinks of their IT as an ...operational overhead to be minimized, that’s where we see compromises that lead to individual issues,” Gillette says.
