A common misconception is that only certain industries, such as healthcare and finance, are associated with elevated cybersecurity threats. However, the unfortunate truth is that no sector is immune from a catastrophic data breach or insidious cybercriminals and their ever-evolving schemes to wreak havoc for profit. Even relatively young industries, such as cannabis, are not immune to these potentially disastrous threats. As cannabis businesses continue to experience significant growth, the looming threats of a cyberattack or data breach have begun to cast their dark shadows over this industry. Here are just a few instances of how cannabis businesses have been impacted:
- Medical cannabis producer, Aurora Cannabis, suffered a cyberattack that compromised its customers’ and employees’ personally identifiable information, including medical diagnoses, credit card data, banking details, and other sensitive documents.
- An unsecured cloud database belonging to THSuite, a point-of-sale system utilized in the cannabis industry, was discovered online without any security or authentication in place. Over 85,000 files and 30,000 records with sensitive personally identifiable information (PII) were leaked from marijuana dispensaries throughout the United States.
- One of the logistics partners of the Ontario Cannabis Store suffered a cyberattack that left the provincial pot distributor unable to process or deliver orders to marijuana shops and customers. The impact was felt throughout the supply chain, including smaller operators who were unable to stock their shelves.
- To avoid these devastating scenarios, cannabis businesses must put a premium on fortifying their cybersecurity defenses to help mitigate potential incidents. To achieve this goal, a cannabis business should establish both preventative and responsive best practices, both of which will significantly reduce the chance of a successful cyberattack. Here are a few key best practices:
Click here to read more content from Citrin Cooperman
Prevention
- Keeping on top of the onslaught of constantly evolving cyber threats can be daunting, as many businesses struggle with where to begin in their journey to becoming more secure. One of the best ways to start getting your hands around the security needs of your business is to go through the process of a cyber risk assessment, as it not only identifies the areas of concern but also provides a strategic plan to address them.
- Mandating the use of two-factor authentication for email and remote computing is another critical step to counteract password-stealing strategies used by hackers.
- Running backups on a regular basis will provide resiliency in the event at attack occurs. And while having backups is crucial, testing them on a regular basis will ensure they are viable in the event they are needed to for data restoration. Establishing protocols to keep systems and applications updated with the latest patches and lacking password requirements is critically important, as hackers often leverage unpatched hardware and software to gain access to their victim’s systems.
- Perhaps most important of all best practices is instituting a robust security awareness training program. Since most attacks arrive via our inboxes, it is critically important that every employee is trained to detect and avoid spear phishing attacks. This will convert employees, often the weakest link in the security chain, into a virtual human firewall, capable of keeping the business safe and secure.
Responsiveness
- In the event a breach occurs, having incident response and disaster recovery plans in place are critical to quickly responding and recovering from a cyberattack while also reducing the cost of a breach. These plans should be tested on a periodic basis to keep them up to date and so that all key members of management (and not just IT) are familiar with their roles and responsibilities.
- A company should also have a cyber insurance policy in place, as the cost of a breach or attack can be catastrophic. Examples of the costs resulting from a cyberattack include fines and penalties, technology expenditures to replace compromised hardware and software, forensic and legal costs, and the downtime during the recovery process.
- One final consideration is to have a reliable expert standing by to supplement your IT resource that can immediately step in when an attack occurs, restore operations, and prevent the issue from happening again in the future. Every minute spent scrambling to find a qualified resource means that the attack is not being contained, resulting in an outcome that is exponentially more costly.
As cannabis is becoming a major industry, threats will only grow more voluminous and sophisticated. The prioritization of a strong cybersecurity foundation could be the difference between success and going up in smoke.
For more information on securing your cannabis business, contact Kevin Ricci at kricci@citrincooperman.com or Mitzi Keating at mkeating@citrincooperman.com.
“Citrin Cooperman” is the brand under which Citrin Cooperman & Company, LLP, a licensed independent CPA firm, and Citrin Cooperman Advisors LLC serve clients’ business needs. The two firms operate as separate legal entities in an alternative practice structure. Citrin Cooperman is an independent member of Moore North America, which is itself a regional member of Moore Global Network Limited (MGNL).
500 Exchange Street, Suite 9-100 | Providence, RI 02903 | 401-421-4800 | citrincooperman.com
