Cannabis Industry Cybersecurity threats are on the rise, and organizations that don’t take a proactive approach to information security may see themselves increasingly targeted. In this blog, members of National Cannabis Industry Association’s Risk Management & Insurance (RMIC) details key considerations to help cannabis organizations enhance their network security. Throughout the blog there are hyperlinks for further information on certain topics, and for those organizations just getting started on their cannabis industry cybersecurity journey, two free resources to consider investigating are the Small Business Administration’s (SBA) Cybersecurity Guide and the Cybersecurity & Infrastructure Security Agency’s (CISA) Cyber Essentials Starter Kit.

A Business Case for Cybersecurity Investment.

Like with any business investment, increasing cyber defense resources must provide a sufficient ROI for the business. When considering cybersecurity, it may be best to define that as Regret Of Inaction. Consider that according to IBM’s 2023 Cost of a Data Breach Report the average cost of a breach has reached an all-time high of $4.45M. The old adage, “an ounce of prevention is worth a pound of cure” is certainly applicable to security measures.

Cybersecurity risks are not just applicable to large enterprises, Accenture’s Cybercrime study reveals that nearly 43% of cyber-attacks are targeted at small and medium-sized businesses (SMBs), and 60% of small businesses close within 6 months of being hacked.

Cannabis Industry Cybersecurity Starts with People

Any cultural shift at an organization needs to start from the top, and that includes security. Security culture needs to be driven from the top. Adopting proper policies and procedures to properly safeguard organization networks and personnel is key. This includes regular employee training. As many as 95% of attacks are caused by human error.

Being a Victim Stinks- Elevate Your Basic Cyber Hygiene

The National Cybersecurity Alliance just completed Cybersecurity Awareness Month, where they stressed four of the key principles which can help better secure organizations. We’ll touch on each below, and for additional best practices check out the Cannabis Information Sharing & Analysis Organization’s (Cannabis ISAO) blog from 420 where they asked 4 cybersecurity experts to compile 20 tips for the cannabis industry.

• Use Strong Passwords or Password Managers. If your password is on this list, it’s probably time for a change.
• Turn on Multifactor Authentication. Not all MFA is created the same, do your research and make sure your solution provides sufficient protections.
• Recognize and Report Phishing. A best practice is to set up a channel in your organization’s chat platform where employees can share screenshots of phishing attempts to raise awareness.
• Update software. Don’t forget to include all of the connected Internet of Things (IoT) devices throughout the organization

Navigating Cyber Insurance

The world of business insurance, especially in the cannabis sector, can be quite complex. However, with the insights provided here, you can navigate your policy purchasing process with confidence and ensure your business is fortified against potential risks. By understanding policy forms, adhering to safeguards, and adapting to local regulations, you can lay a resilient foundation for your business’s growth and success.

“In Cannabis, we don’t get many options when it comes to cyber insurance providers, so it’s important we put our best foot forward when seeking or renewing cyber insurance policies. Work with your broker early to understand any changes upcoming to policies and the expectations being set by your insurers. When you can, hire a dedicated team that is focused on securing your digital estate, and leverage well known guidance frameworks such as NIST CSF, CIS Top 20, and HIPAA, and work with an independent party to verify your progress, which help keep your premium costs down long-term and reduce the risk of you having an incident that requires you to file a claim in the first place.”- Chris Clai, Director of Information Security, Green Thumb Industries

Stay up to date on Cannabis Industry Cybersecurity threats and trends

Cyber criminals are opportunistic and will look for any advantage to beat cannabis industry cybersecurity systems or trick employees. Holidays can be a prime time for attacks because of employees taking time off and being more distracted than usual. Holidays and major newsworthy events can also lead to a spike in phishing and other scam activities. In the same way FEMA often warns people to look out for scams after natural disasters, consider what industry news may cause a lot of buzz that could also be used in phishing campaigns. Announcements related to a new state legalizing adult use, or legislative updates around SAFER Banking could all be hiding malicious links.

Being involved in communities that actively sharing information about ongoing threats can be very beneficial. A member of the Cannabis ISAO recently shared details of cash management company who had been a victim of a Business Email Compromise (BEC) which led to fraudulent wire transfer requests being sent out. Days later MJBizDaily reported a similar incident which resulted in the loss of funds totalling nearly $650K for MariMed. Keeping up to date on these types of incidents can help inform employees of the current threat landscape, and boost organizational resilience.

Incident Response

Responding to a cybersecurity incident is not the first time you want to be considering what your response processes are. In response to the recent high profile MGM and Caesars ransomware incidents, National Cyber Security Alliance Executive Director Lisa Plaggemier stated “the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises.” Having plans and procedures in place are important, but it’s equally important to test and validate those plans.

In the event of an incident, it may be necessary to utilize a digital forensic vendor. Consider having one on retainer, or at least establishing a relationship ahead of time to enable a speedy response. In some cases your cyber insurance company may have preferred vendors for this type of work.

Conclusion

The RMIC advocates for a proactive approach to risk management that emphasizes the importance of informed decision-making. By evaluating an insurer’s claims experience, comprehending legal nuances, and staying attuned to the evolving threat landscape, you can empower your business with robust protection, ensuring a resilient foundation for growth and success.

Published by NCIA’s Risk Management & Insurance Committee (RMIC)

Contributors: 

Ben Taylor, Executive Director of the Cannabis Information Sharing & Analysis Organization

Matthew Johnson, Risk Consultant at AssuredPartners