The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ fewer than 100 workers, and few are equipped with mature IT systems or knowledgeable on-staff IT personnel, so they are often easier to exploit.
Add the largely cash-based nature of the business, the large amounts of protected health information and personally identifiable information that medical dispensaries may store, and the industry's shift toward operational automation to increase yields and lower labor costs, and you have an industry that is extremely vulnerable and a prime target for cyber extortion.
Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was unable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.
A still-prevalent tactic is to target workers with email-based phishing that leads to the installation of malware or ransomware. The attackers then steal protected health information to sell, or lists of high-profile clients to use as leverage for extortion.
While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.
Six hallmarks of a strong cyber-defense program:
Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise reveals gaps, but it also helps you prioritize your effort and develop a vision for your goal state.
Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training, with refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track click and report rates to determine whether the training hits the mark.
Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting data in transit and using a firewall. If your employees work remotely, consider a Virtual Private Network (VPN), protected by multifactor authentication, to allow them to connect securely to your network from out of the office.
Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most cyber insurance carriers require MFA for remote network access, for email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing them to restore operations rather than pay. Perform frequent backups, every day if possible, and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network, so that an attacker who gains control of your network cannot encrypt or delete them. Test restores regularly; a backup that has never been restored is an assumption, not a plan.
Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.
What if a breach occurs?
Even with a great incident response plan in place, recovery from a cyberattack is complex and the situation evolves rapidly. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture and preserve forensic evidence? What laws govern notification of impacted employees or clients? An organization that has armed itself with a cyber insurance policy not only transfers much of its risk, but often gains access to a carrier panel of specialized response providers, including breach coaches, forensic investigation firms and privacy attorneys.
In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also familiarize themselves with, and make use of, any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.
Brian J. Schnese is a Senior Risk Consultant with HUB International's Risk Services Division and a member of the Division's Organizational Resilience consulting team. Brian has over 15 years of professional experience in regulatory compliance and managing risk in state and federal government agencies, and in private industry operations including brick-and-mortar and online retail, supply chain, transportation, healthcare, and the financial industry.
Brian is a former federal investigator and was most recently a Senior Manager in the National Investigations Center of a Fortune 50 corporation. He has extensive training and experience in functional areas related to theft and fraud, law enforcement, crisis management, intelligence gathering/production, money laundering, organized retail crime, safety and security risk, non-violent intervention, assets protection, and investigations. He brings deep subject matter expertise in assessing and implementing internal controls, conducting complex financial fraud investigations, and building internal fraud prevention and resolution strategies.
Brian is a former Fulbright Scholar and was previously awarded three United States Department of Justice Awards for his leadership, commitment, and service. He is an active member of the Association of Certified Fraud Examiners and ASIS International.
Brian specializes in developing and delivering fraud prevention and preparedness solutions, in addition to Enterprise Security Risk Management, Business Continuity Management, Cyber Risk Management, and Critical Incident Response Management solutions. He earned a BA in Business Management and German from Saint John's University (MN) and is an FBI Academy graduate from Quantico, VA.