Top 17 Cybersecurity Tips for Cannabis

Cyber-attacks, hacks and breaches are in the news now more than ever. And like any other business, dispensaries, grow warehouses, testing labs and other cannabis businesses need to be properly protected. Failure to protect your company can result in a tarnished public image, fines and even criminal charges. 

The key to a successful cybersecurity plan is to balance security and usability. If you implement policies that are too restrictive, your business may become too difficult to operate.

Most of all, security should be built in layers. One system by itself may not prevent hackers from breaching your company, but when multiple mechanisms are stacked and layered, they build on each other to create a strong and secure system.

There are many factors to consider when building your cybersecurity policies and not all of these may be applicable to your business. It’s all about managing risk and consulting with security professionals to tailor a solution that works best for your cannabis business. 


1. Passwords & MFA (Multifactor Authentication) 

  • Implement a password manager and use unique and strong passwords for everything.
  • Multi-factor authentication should be turned on when possible. 
  • Avoid using SMS and text messages for MFA/2FA and instead use an authenticator app (such as Google Authenticator) or a physical key like a YubiKey.

2. Website Security 

  • Use a Web Application Firewall (WAF) such as Wordfence or Sucuri for WordPress, or AWS WAF, Azure WAF or Cloudflare.
  • Configure daily backups of at least two types, and use a host that takes security seriously. 
  • Test your backups regularly by restoring them to a staging site.
  • Verify that your SSL/TLS certificate (aka the Green Padlock) is set up properly.

3. Segment and/or Separate your Network

  • Design your network with segmentations and separations. This makes it more difficult for a hacker to move to other parts of your network and further compromise additional machines. 
  • Cameras, Point of Sale terminals (POS) and IoT devices all need to be isolated. Many of these devices are insecure, do not have available updates and are easy attack vectors.
  • VLANs logically segment networks and can be used across multiple physical locations, while subnetting physically separates devices on the same LAN. A combination of these technologies can be used to build a secure network architecture.

4. Protect Customer and Company Data 

  • Data Loss Prevention (DLP) tools can help prevent an insider threat or hacker from exfiltrating, stealing or moving data away from your network.
  • DLP Solutions can help protect trade secrets, customer data and employee records from theft. 
  • There are many DLP solutions available and they may be easier to implement than you expect. Both Microsoft 365 and Google’s G Suite have DLP mechanisms that can be configured.
  • You may also consider encrypting "in-house" email communications. Although email is usually encrypted in transit with SSL/TLS, the message itself is not usually encrypted by default. Further steps can be taken to ensure integrity and confidentiality, so that you can trust that an email was sent and/or received by a colleague and that its contents are encrypted.

5. Least Privilege

  • A basic tenet of cybersecurity is the concept of Least Privilege. This simply means not giving more access or privilege to users who do not need it.  
  • Does a bud-tender need to have administrative access to the POS system? Do five employees need administrative access to your WordPress website? Probably not. Structure employee and vendor access only with the privileges that they need to do their jobs.  
  • This helps prevent hackers from gaining further access if a user account is compromised. 

6. Employee Training  

  • Social engineering attacks involve attackers scamming employees by email, phone or even in-person methods. This can lead to data theft, malware infection or even theft of physical property.
  • Security Awareness Training can help employees be knowledgeable in basic security procedures and can help them to detect social engineering, phishing and other attacks.  
  • A proper training program will then follow up with simulated attacks, such as sending fake (phishing) emails and checking whether employees click the fraudulent links. Security team members and/or automated software are then alerted, and employees can get feedback on how to better protect themselves.

7. Use Full Disk Encryption

  • Full Disk Encryption (FDE) helps prevent data theft through physical attacks. If a criminal physically breaks into your business, they may be able to steal hard drives and then easily read the contents. If an employee loses a company laptop or phone, this can also lead to data theft.
  • Most operating systems, including Windows, OS X and Android, have this capability out of the box, but it is disabled by default.

8. Secure your Wi-Fi

  • Wi-Fi can be an attack vector into your network. Hackers could access your network from their car or after hours. If your password is not strong, this could allow them to gain access and then move laterally into other parts of your network.
  • As mentioned earlier, guest Wi-Fi should be subnetted from the main network.
  • Use strong passwords for both your router's admin login and your Wi-Fi access password, and make sure that router firmware is kept updated.
  • Are employees connecting to Wi-Fi with a shared password? Consider upgrading to a router that supports RADIUS or a similar protocol in which each employee is assigned a unique username and password.

9. Protect Against Employee Personal Devices 

  • Another potential risk is allowing employees to use personal devices like laptops and phones on your office network. This is referred to as Bring Your Own Device (BYOD) and can be a risky policy.
  • An employee's personal device could introduce malware or be used in targeted attacks, which can lead to devastating compromises.
  • If you do allow BYOD, you may consider using a Mobile Device Management (MDM) solution to help protect your network.   

10. Use an Enterprise Grade Firewall and verify that it is Configured Properly 

  • Make sure that your firewall is high quality and that it is configured properly.
  • Firewall rules must be configured correctly to keep hackers out.
  • It’s also critical that firewalls are maintained and updated regularly.  

11. Email protection 

  • Email is one of the easiest ways for hackers to compromise your company. It's extremely important that your organization use a reputable email client that has solid malware and spam protection.
  • As already mentioned, it can be important to have Data Loss Prevention (DLP) and phishing protection plugins or integrations.

12. Backups 

  • If something goes wrong, your cannabis company needs to have solid backups that are easy to restore. A backup is worthless if it is mis-configured or broken. Too many companies wait until a disaster to learn that their backups don’t work. That’s why it’s critical to test backups on a regular basis.
  • It is advisable to have offsite or cloud backups in case of fire or other natural disasters.
  • It can also be a good idea to have different types of backups with different providers.

13. Scan and Hack your Own Systems 

  • Vulnerability scans look at your network, devices and even websites for security bugs and vulnerabilities. This alerts system administrators to holes and weaknesses that need to be fixed or patched. These scans should be conducted on a regular basis.
  • Penetration tests go a step further and are conducted by security professionals where they attempt to hack into your network and websites. This also helps system administrators patch holes and fix any potential problems. This can also include social engineering simulations to test employee preparedness. 
  • Physical penetration tests can be conducted to test physical building security. These tests exercise your building's security systems, such as key card access, cameras, fencing and security guards.

14. Ransomware Protection

  • A ransomware attack can cripple a company in a very short amount of time. These attacks have grown more widespread in recent years and have damaged major US cities and Fortune 500 companies.
  • There are a number of solutions you can implement to help protect against ransomware, including special backup solutions, behavior-based firewalls and appliances. Both Windows and OS X have ransomware protections built in that can be configured.
  • Use backup file versioning. If your system backs up ransomware-corrupted and encrypted files, you will not be able to restore from that backup. File versioning saves multiple versions of files and allows you to restore from older, clean versions.
  • Isolate your recovery and backup systems so that it is more difficult for ransomware-infected files to spread to them.
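The versioning point above, as an added example that is not part of the original article: a small Python model of a versioned backup store whose restore logic skips copies that look encrypted (near-random bytes) and returns the newest clean version, and returns nothing when an overwrite-only backup holds just the ransomed copy. The sample inventory file, the stand-in ciphertext and the entropy threshold are constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Version:
    """One retained copy of a file in a versioned backup store."""
    taken_at: int   # backup run number, increases with each run
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted data, ~4-5 for text/CSV."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic (assumed threshold): ransomware output is near-random."""
    return shannon_entropy(data) > threshold


def last_clean_version(versions: List[Version]) -> Optional[Version]:
    """Newest version that does not look encrypted; None if all are suspect.
    Versions are assumed to be ordered oldest-first."""
    for v in reversed(versions):
        if not looks_encrypted(v.data):
            return v
    return None


def restore(store: Dict[str, List[Version]], path: str) -> Optional[Version]:
    return last_clean_version(store.get(path, []))


# Constructed sample data: two clean inventory snapshots, then a ransomed copy.
INVENTORY_V1 = b"sku,strain,grams\n1001,Blue Dream,250\n1002,OG Kush,180\n"
INVENTORY_V2 = INVENTORY_V1 + b"1003,Sour Diesel,300\n"
# Stand-in ciphertext: every byte value appears equally often, so entropy is 8.0.
RANSOMED = bytes((i * 37 + 11) % 256 for i in range(1024))

VERSIONED_STORE = {"inventory.csv": [Version(1, INVENTORY_V1),
                                     Version(2, INVENTORY_V2),
                                     Version(3, RANSOMED)]}
# A backup that overwrites in place keeps only the latest (ransomed) copy.
OVERWRITE_ONLY_STORE = {"inventory.csv": [Version(3, RANSOMED)]}
```

With versioning, `restore(VERSIONED_STORE, "inventory.csv")` returns run 2; against the overwrite-only store there is nothing clean to restore.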

15. Create an Employee Off-boarding Policy

  • When an employee leaves the company or is fired, it's critical that you have Standard Operating Procedures (SOPs) in place to off-board them. This includes deleting accounts such as email, software accounts, website access and more.

16. Cannabis ERP / POS 

  • Review your current Enterprise Resource Planning (ERP) and Point of Sale (POS) solution and verify that they follow standard security policies and compliance requirements. Since these systems may handle both customer health information and credit card processing information, they can be a serious attack vector.
  • These devices should be segmented or separated from your main network. 

17. Consider Purchasing Cyber Security Insurance

  • When all else fails, it can be important to have liability assistance and financial help after an incident. Insurance can help pay for forensic examination, public relations, legal fees and more.
