In the past year, the increased frequency and impact of cyberattacks have made headlines across the world. Everyone from Fortune 500 companies to local businesses seem to be at risk of having their network breached, compromising delicate operational, financial, and personal information.

The burgeoning cannabis industry appears to be particularly at risk, as new organizations are developing and implementing new IT systems, and many businesses lack dedicated IT and cybersecurity resources. Some of the largest and most sophisticated systems in the cannabis industry have suffered recent attacks, including the state of Washington’s “seed-to-sale” system, Nevada’s medical marijuana database, and additional attacks on a major cannabis industry software provider, including a cyberattack that exposed the company’s source code, and an earlier breach that resulted in major outages and lost data for their point-of-sale system, causing many operational issues for clients as well as delays in timely regulatory filings.

Seemingly set upon by all sides, cannabis business owners must do whatever they can to combat the increasingly sophisticated, stealthy, and coordinated cyberattacks. While there is no impenetrable defense, there are a number of strategic, easy-to-do steps every business should consider to protect value.

Consequences for Victims of Cyberattacks

Companies that suffer a cyberattack have more at risk than simply the lost revenue of an ecommerce interruption. The aftermath of a public hack can have a long list of negative potential outcomes, some of which include:

  • Loss of customer trust/value – A company that exposes sensitive or protected customer information, thereby making the customer a victim of the hack, is likely to experience significant customer attrition. It will be an uphill, perhaps unwinnable, battle to earn consumer confidence back.
  • Fines – Depending on the extent of the hack and resulting response, companies may face fines if they were not in compliance with state cybersecurity laws and protections.
  • Loss of intellectual property – A company hacked by ransomware might not lose immediate revenue if they choose not to pay the ransom. But the cost of the plans, research, and other intellectual property lost could undermine a company’s entire operation.
  • Lowered credit rating – A company that has proven vulnerable to cyberattacks could see a downgrading of their credit rating. For example, after Target was hacked in March 2014, Standard & Poor’s downgraded the company from “A+” to “A”.

There are many other potential downfalls as a result of breaches. Companies need to not only be vigilant, but build robust cybersecurity programs to address the risks posed by operating in an ever more connected digital ecosystem.

How Cannabis Businesses Can Protect Themselves

Technology seems to evolve at the speed of light and there are no guarantees when it comes to cybersecurity. The best a company can do is institute a diligent system of checks-and-balances that limits exposures and shores up any potential gaps.

Companies should analyze their own situation and risks. The following are some key steps companies could follow to maintain basic cybersecurity protections:

  • Require regular software upgrades and patches: Companies that were up-to-date on the latest Microsoft updates were not affected by the WannaCry ransomeware attack, and countless other viruses. Establishing a regular protocol that REQUIRES system administrators and employees to upgrade their machines will provide an essential barrier to all but the most sophisticated cyberattacks.
  • Purge old and unused software and hardware: Many companies have back-logs of outdated software, unused laptops, or trial programs. Because these are not used daily, it is likely they are not updated and are therefore vulnerable to attack. Maintaining and reconciling invoices of all hardware and software can help minimize the risk of cyberattack.
  • Regularly test and update recovery plans: All companies should have an extensive recovery plan active on all networks. It is essential to perform regular tests to ensure that software updates or changes in hardware don’t create an unexpected disruption. Again, prevention is the best defense, and an optimized recovery plan could save a company in the event of any catastrophe.
  • Maintain up-to-date user access lists and system admins: Schedule regular reviews of both user access lists and system administrators to clean out any inactive users. Often, during training or after job turnover, old or temporary IDs can linger in a system. The user may be gone, but the ID retains potentially disastrous access to essential systems.
  • Implement and/or update breach response plans and insurance: The fast-moving nature of technology, security, and hacking makes total defense nearly impossible. To make sure your organization is ready for the worst, you should implement, practice, and annually update your breach response tactics. System administrators should know every step to follow should a breach be identified, and those steps should be updated on a regular basis to account for new threats and developments.
  • Implement the right IT solution for your business: There are currently dozens of third-party API (“Application Programming Interface”) systems on the market specifically suited to the cannabis industry. Not only do they interface with your state’s required track-and-trace system, but they can be optimized to provide other benefits, including advanced metrics that track yield, customer loyalty programs and more. They can also provide additional cybersecurity measures. Choosing the right IT system is important step in a business’s future and should account for current needs and future goals. If you need help identifying, optimizing or implementing a system, the team at ELLO can help.

Should all else fail, breach insurance is a sound risk mitigation strategy. Insurance must also be maintained to ensure that underwriting assumptions and clauses meet the needs of the modern environment.

Following the guidelines above is simply the first, and most basic, step toward preventing cyberattacks and minimizing the risks of breaches. To get a holistic view of your system’s vulnerabilities, and practical insight on shoring up holes in your defenses, professional services firms like ELLO provide comprehensive IT assessment, planning, and implementation solutions.

If you are ready for an IT consultation, please contact the ELLO team here.

About the author(s)

Evan Eneman
Evan has more than 18 years of experience assisting private and public companies in a variety of industries including Cannabis, Financial Services, Healthcare, Technology, Media, and Entertainment. His areas of expertise include: strategy, compliance, enterprise risk management, business process, internal controls, audit, governance, and IPO readiness. Evan also has experience founding and running an early stage venture capital firm and a branding and marketing agency dedicated to the cannabis industry. Prior to his involvement in the cannabis industry, Evan spent 12 years with a Big Four firm, advising Fortune 100 and emerging growth companies on various aspects of governance, risk, compliance, operations and strategy.