Fundamentals of Cannabis Cybersecurity
by Joshua Silberman, IT/Cyber Security Consultant, MGO Technology Group
Emerging industries are prime candidates for cyberattacks and criminal hacking. That's because, as an industry matures, companies quickly scale operations to meet the rising demand. With the focus on generating revenue, the implementation of appropriate security protocols is too often overlooked. A hallmark of a sophisticated and successful organization is robust cyber and information systems and processes that protect intellectual property, customer information, and other valuable data. Without them, you risk losing the market share you've fought so hard to win.
Cannabis faces nearly all of the same cyber security challenges as other industries of equivalent size and maturity. This includes, but is far from limited to, service disruptions through natural disasters, regulatory compliance, online-based attacks, and especially offline-based attacks such as phishing.
Understanding phishing attacks
Phishing holds a unique place in the cyber security sphere because, unlike active attacks against a company’s information technology infrastructure, phishing seeks to gain access via user vulnerability. No matter how good your electronic defenses may be, a single well-placed phishing scheme can compromise your data. This is why user education must be a part of any cybersecurity program, and cannabis is no different. It does not matter if your cannabis operation is involved in cultivation, distribution, or retail. If your employees handle information that is important to your business, they must be educated on best practices regarding phishing. The data your business holds is a valuable commodity and must be treated accordingly.
The emerging threat of ransomware
While phishing is the most common culprit of data breaches, ransomware has emerged as a less common, but just as threatening, cyber risk. Ransomware is a type of attack that, rather than attempting to steal your data, will deny you access to it, typically by encrypting your files. This will render your business inoperable until, in theory, you pay the ransom to your attacker to regain access to your data. Ransomware was prominent in the news in 2019 for various high-profile attacks on mid-tier cities that simply did not have the financial resources to combat and undo the consequences of ransomware. Such a pattern is crucial for the cannabis industry to recognize. These 2019 trends show us that ransomware attackers will often choose their victims carefully in the hope that the victim will not have the willpower or resources to combat the attacker.
Since cannabis is a relatively new industry, with most resources dedicated to production development and company growth, most companies will not have the resources available to dedicate to combating ransomware attacks. Industry players should be aware of a simple fact of life when it comes to cyber security: prevention is always more cost-effective than recovery. Resources may be tight, but even a basic offsite data backup strategy could go a long way towards mitigating an attack that compromises data access.
IT asset inventory is a strong first step
This period of early growth is the perfect time for industry leaders and business owners to cultivate cyber security strategies. The relatively early stage of the cannabis industry provides an opportunity in that companies are unencumbered by legacy software and processes. Cyber security software and processes may not need to be stacked on or integrated into existing operations. Rather, they can be ‘baked into’ the company at an early stage. This will make the inevitable need to scale up cyber security operations within your company that much easier. It is also a good time to start your IT asset inventory processes, which will allow for a more robust IT security posture down the road. There are companies that have been around for decades that still do not have a handle on what equipment they actually have. In this regard, the cannabis industry has an advantage.
Small steps produce big results
The examples of phishing, ransomware, and asset management are just three core topics within the broader world of cyber security. While cyber security may seem to be a large, complex, and costly endeavor, even small and recently founded companies can effectively tackle the problems at hand. For example, as phishing constitutes the vast majority of data breach starting points, instituting a phishing awareness campaign at your company could go a long way towards reducing vulnerability to potential threats. Secondly, a small firm need not pay for real-time data replication. Even a simple and cost-effective off-site backup can go a long way towards mitigating the effects of a ransomware attack. Sure, it might take longer to restore your data in the event of an emergency, but a slow restoration is better than none at all.