Cannabis Industry Cybersecurity Threats are on the Rise. Organizations that do not take a proactive stance towards information security could find themselves targeted more often. Members of National Cannabis Industry Association’s Risk Management & Insurance detail key considerations for cannabis organizations to enhance their network security. There are links to further information about certain topics throughout the blog. For organizations that are just starting out on their cannabis cybersecurity journey, the Small Business Administration (SBA) Cybersecurity Guide, as well as the Cybersecurity & Infrastructure Security Agency (CISA), Cyber Essentials Starter Kit, are two resources worth investigating.
A Business case for Cybersecurity Investment.
As with any investment in business, an increase in cyber defense resources should provide a return on investment that is sufficient for the company. It may be better to consider cybersecurity as regret of inaction. IBM’s Cost of a Data Breach Report for 2023 shows that the average cost per breach is now $4.45M. It is true that “an ounce is worth a penny” when it comes to security.
Accenture’s Cybercrime Study reveals that cybercrime is not only a threat to large corporations. Nearly 43% of cyber attacks are directed at small and mid-sized businesses, and 60% of these businesses shut down within six months after being hacked.
Cybersecurity in the Cannabis Industry Starts with people
Security is no exception. Any change in culture at an organisation must start at the top. The top-down approach to security culture is essential. The key is to adopt policies and procedures that will protect your organization’s networks and employees. Regular employee training is a must. As many as<a href="https://securitytoday.com/articles/2022/07/30/just-why-are-so-many-cyber-breaches-due-to-human-error.aspx#:~:text=A%20joint%20study%20by%20Stanford,the%20number%20at%2095%20percent. As many asa href="https://securitytoday.com/articles/2022/07/30/just-why-are so-many cyber breaches due to human error.aspx#::text=A%20joint%20study%20by%20Stanford,the%20number%20at%2095%20percent.
Being a victim stinks – Improve Your Basic Cyber Hygiene
The National Cybersecurity Alliance has just finished Cybersecurity Awareness monthspan size=”font weight: 400 ;”>,, where they stressed four key principles that can help secure organizations. For more information on these topics, check out the Cannabis Information Sharing & Analysis Organization (Cannabis ISAO), a blog that was published by 420. They asked four cybersecurity experts to provide 20 tips specific to the cannabis industry.
- Use strong passwords or password managersspan size=”font-weight 400 ;”>. If your password appears on this list, you should probably change it.
- Enable Multifactor Authenticationspan font-weight=”400 ;”>. Do your research to ensure that your MFA solution offers adequate protection.
- Recognize Phishing and Report Itspan size=”font weight: 400 ;”>. Set up a channel on your chat platform for employees to share screenshots to help raise awareness.
- Update your softwarespan size=”font-weight 400 ;”>. Do not forget to include the Internet of Things devices (IoTs) throughout your organization.
Cyber Insurance: A Guide
Business insurance can be complex, particularly in the cannabis industry. With the information provided, you will be able to navigate the policy buying process confidently and protect your business against potential risks. Understanding policy forms, adhering safeguards and adapting local regulations will help you build a solid foundation for the growth and success of your business.
It’s crucial to be proactive when renewing or obtaining cyber insurance in Cannabis. Early communication with your broker is key to understanding any changes to your policy and expectations from your insurer. Hire a team dedicated to securing your digital assets. Use well-known guidance frameworks like NIST CSF and CIS Top 20. Work with an independent third party to verify progress. This will help you keep premiums down and reduce the likelihood of an incident that would require you to file a claims.
Keep up-to-date on Cybersecurity trends and threats in the Cannabis Industry
Cyber criminals will use any trick or advantage they can to get around cannabis industry cybersecurity systems. Attacks are more likely to occur during holidays, when employees take time off or become distracted. The holidays and newsworthy events may also cause a surge in phishing activities and other scams. Consider how FEMA warns the public to be on guard for scams following natural disasters. Also, think about what industry news could cause a buzz and then be used as part of phishing campaigns. An announcement about a new state that legalizes adult use or legislative updates regarding SAFER Banking may all hide malicious links.
It can be beneficial to join communities that actively share information about current threats. A member of Cannabis ISAO shared the details of a cash management company that had been a victim to a Business Email Compromise. This led to fraudulent wire transfers being sent. MJBizDaily then reported a similar event that resulted in MariMed losing funds worth $650K. Keep up-to-date on incidents of this nature to inform your employees and improve organizational resilience.
Incident Response
When you are responding to a cyber-incident, it is important to consider your response process. Lisa Plaggemier, Executive Director of the National Cyber Security Alliance, stated that “the best method to deal with ransomware attacks is to practice them, to perform tabletop exercises.”
It may be necessary to use a digital forensics vendor in the event of an accident. You may want to consider putting one on retainer or at least establish a relationship in advance. This will allow for a quick response. Your cyber insurance provider may have preferred vendors who specialize in this type of work.
Conclusion
RMIC promotes a proactive risk management approach that stresses the importance of making informed decisions. You can provide your business with robust security by evaluating the claims experience of an insurer, understanding legal nuances and remaining attuned with the changing threat landscape.
Published by NCIA’s Risk Management & Insurance Committee
Contributors:
Ben Taylor is Executive Director of the Cannabis Information Sharing & Analysis Organization
Matthew Johnson, Risk Consultant at AssuredPartners
The first time , The National Cannabis Industry Association published the post : Committee Blog: Navigating Cybersecurity in the Cannabis Industry.
