Tag Archives: black market

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

Cannabis Reform Comes To Africa

By Marguerite Arnold
No Comments

For those familiar with the tragic history of apartheid in South Africa up until the end of the 1980’s, Lesotho is a country long associated with terrible political and economic repression. Also known as the “Kingdom in the Sky” because of its stunning geography, the tiny, landlocked country is literally inside and completely surrounded by South Africa. During the apartheid regime, Lesotho was a place where “vice industries” like prostitution and gambling were allowed to flourish by a much more conservative surrounding political regime. Much like Indian reservations in the U.S., in fact.

Even today, diamonds and water are the country’s top exports although tourism, including skiing, is still a major underpinning of the country’s domestic economy.

Moving forward into the 21st century and much like American Indians, the mountainous, impoverished country is looking at the cannabis trade to create a national income of global worth. In 2017, the country became the first on the African continent to actually legalize cultivation for medical purposes, as well as export. Illicit cultivation, mostly bound for the black market, however, has boomed since the end of the apartheid regime.

The country’s high altitude and fertile soils untainted with pesticides, makes Lesotho an ideal place to grow even outdoor crops. And as a result, the country has also begun to attract foreign capital interested in the production and export of finished products rather than the raw plant material. Several big Canadian producers, in fact, have already established commercial operations.

2018 Was The “Year For Cannabis” In South Africa

As a result of Lesotho’s lead, neighboring countries are now also following suit on the legalization front. Zimbabwe, just to the north of South Africa, has also legalized cultivation for medical purposes although local farmers have been slow to seize the opportunity. Malawi is also moving towards some kind of cannabis reform along with NigeriaGhana and Swaziland. And of course, to the north, Morocco, already established globally for illicit cannabis and hashish production (much of it making its way into Europe as it has for literally hundreds of years at this point) is also teetering on some kind of reform.

In South Africa itself, the economic powerhouse of the continent, the personal cultivation and smoking of cannabis (for both medicinal and recreational reasons) was enshrined as a constitutional right as of September 2018. That said, commercial production and sales for recreational use remains illegal. As in other places, the licensing process in South Africa has held up the medicinal and recreational market already on the table if not in the room. And most locals cannot afford the licensing fees.

That said, there is already a commercial cannabis beer brewing company called Durban Poison which rushed into the space as soon as the constitutional question changed in South Africa. The country is the biggest beer market in Africa. And there are competitors already lining up for similar opportunities of both the medical and recreational kind.

Including South Africa, according to estimates, there are already 10,000 tons of product produced (mostly illicitly) across the continent. Much as in other places, this “green gold” has financed many of the regional wars of the last sixty years. For this reason, apart from the economic benefits that legalization brings, it may well be that the first big continental competition on the cannabis front that enters first world markets, will be African rather than Latin American (or even Chinese).

Legalization and regulation will help stamp out the illicit financing of guerrilla wars and devastation, bringing more political and economic stability. It may also provide one of the best regional economic incentives to stop rare wildlife poaching.

Medical and Recreational Opportunities Loom Large- But So Do Liabilities

But for all the potential of the future, now comes the hard part (as in other regions of the world where reform has come). Stamping out the black market and establishing licencing and other regulations (of all kinds, starting with GMP). Plus of course, because this is Africa, attracting capital at reasonable rates, and establishing legitimate distribution domestically, plus trade routes for global export. Including of course, both to Europe and Australia.

Medical research in Africa is also likely to be an interesting question especially given the impact of cannabis on infection. Africa is home to some of the more dire contagious natural diseases known to man. This plant, in other words, produced locally, might also be applied locally to help manage everything from Malaria to Ebola. If not become a staple in the medical kits distributed by foreign aid organizations. That of course, will take reform at the UN level. But even this conversation, at this point, is now moving.

That said, as 2019 gets underway, there is not a single continent of the world, much less a region, where cannabis reform has not touched.

Why Comply: A Closer Look At Traceability For California’s Cannabis Businesses

By Scott Hinerfeld
3 Comments

Compliance should be top of mind for California’s cannabis operators. As the state works to implement regulations in the rapidly-growing cannabis industry, business owners need to be aware of what’s required to stay in good standing. As of January 1, 2019, that means reporting data to the state’s new track-and-trace system, Metrc.

What Is Track-and-Trace?

Track-and-Trace programs enable government oversight of commercial cannabis throughout its lifecycle—from “seed-to-sale.” Regulators can track a product’s journey from grower to processor to distributor to consumer, through data points captured at each step of the supply chain. Track-and-trace systems are practical for a number of reasons:

  • Taxation: ensure businesses pay their share of owed taxes
  • Quality assurance & safety: ensure cannabis products are safe to consume, coordinate product recalls
  • Account for cannabis grown vs. cannabis sold: curb inventory disappearing to the black market
  • Helps government get a macro view of the cannabis industry

The California Cannabis Track-and-Trace system (CCTT) gives state officials the ability to supervise and regulate the burgeoning cannabis industry in the golden state.

What Is Metrc?

Metrc is the platform California cannabis operators must use to record, track and maintain detailed information about their product for reporting. Metrc compiles this data and pushes it to the state.

Who Is Required To Use Metrc?

Starting January 1, 2019, all California state cannabis licensees are required to use Metrc. This includes licenses for cannabis: Proper tagging ensures that regulators can quickly trace inventory back to a particular plant or place of origin.

  • Cultivation
  • Manufacturing
  • Retail
  • Distribution
  • Testing labs
  • Microbusinesses

How Does Metrc Work?

Metrc uses a system of tagging and unique ID numbers to categorize and track cannabis from seed to sale. Tagged inventory in Metrc is sorted into 2 categories: plants and packages. Plants are further categorized as either immature or flowering. All plants are required to enter Metrc through immature plant lots of up to 100/plants per lot. Each lot is assigned a lot unique ID (UID), and each plant in the lot gets a unique Identifier plant tag. Immature plants are labeled with the lot UID, while flowering plants get a plant tag. Metrc generates these ID numbers and they cannot be reused. In addition to the UID, tags include a facility name, facility license number, application identifier (medical or recreational), and order dates for the tag. Proper tagging ensures that regulators can quickly trace inventory back to a particular plant or place of origin.

Packages are formed from immature plants, harvest batches, or other packages. Package tags are important for tracking inventory through processing, as the product changes form and changes hands. Each package receives a UID package tag, and as packages are refined and/or combined, they receive a new ID number, which holds all the other ID numbers in it and tells that package’s unique story.

Do I Have To Enter Data Into Metrc Manually?

You certainly can enter data into Metrc manually, but you probably won’t want to, and thankfully, you don’t have to. Metrc’s API allows for seamless communication between the system and many of your company’s existing tracking and reporting tools used for inventory, production, POS, invoices, orders, etc. These integrations automate the data entry process in many areas.As California operators work to get their ducks in a row, some ambiguity and confusion around Metrc’s roll out remains. 

Adopting and implementing cannabis ERP software is another way operators can automate compliance. These platforms combine software for point of sale, cultivation, distribution, processing and ecommerce into one unified system, which tracks everything and pushes it automatically to Metrc via the API. Since they’ve been developed specifically for the cannabis industry, they’re designed with cannabis supply chain and regulatory demands in mind.

As California operators work to get their ducks in a row, some ambiguity and confusion around Metrc’s roll out remains. Only businesses with full annual licenses are required to comply, leaving some temporary licensees unsure of how to proceed. Others are simply reluctant to transition from an off-the-grid, off-the-cuff model to digitally tracking and reporting everything down to the gram. But the stakes of non-compliance are high— the prospect of fines or loss of business is causing fear and concern for many. Integrated cannabis ERP software can simplify operations and offer continual, automated compliance, which should give operators peace of mind.

WSLCB

Washington State Regulators Crack Down On Diversion

By Aaron G. Biros
No Comments
WSLCB

For the second time in six months, the Washington State Liquor and Cannabis Board (WSLCB) took swift and severe action on a cannabis business licensee operating in the black market. The regulatory agency issued an emergency license suspension for Port Angeles’ North Coast Concentrates, which are effective for 180 days, during which time regulators plan on revoking the license altogether.

WSLCBAccording to a release emailed last week, the violation was uncovered during a routine traffic stop. “On September 20, 2018 an employee of North Coast Concentrates was pulled over by Lower Elwha Police, during the course of the traffic stop officers found 112 grams of traceable marijuana concentrates, three large jars and a large tote bin of untraced dried marijuana flower,” reads the release. “The products were not manifested in the state traceability system. Subsequent investigation by WSLCB officers revealed that the untraced product had been removed from the licensees grow operation and that the traced concentrates were returned from a marijuana retailer in Tacoma several weeks earlier.”

The release goes on to add that when regulators investigated the matter, they found text messages indicating the license holder’s complicity in the act. When the WSLCB suspended the license, officers seized “556 pounds of marijuana flower product, 24 pounds of marijuana oil and 204 plants from both locations.” Regulators say, “the severity of these violations and the risk of diversion” is the reason for the emergency suspension and product seizures.

According to the end of the release, The WSLCB issued one emergency suspension in 2017, and six in 2018. One of those was roughly six months ago in July when regulators issued an emergency suspension for a Tacoma-based cannabis business for the same reason as the most recent one- diversion.

The WSLCB release email from July
The WSLCB release email from July

The enforcement branch of the WSLCB acted on a complaint and inspected Refined Cannabinoids where they found “numerous and substantial violations including full rooms of untagged plants, clones and finished product,” reads a release emailed back in July. “During the course of the inspection officers discovered and seized 2,569 marijuana plants, 1,216 marijuana plant clones, 375.8 lbs. of frozen marijuana flower stored in 11 freezer chests, 3,423 0.5 gram marijuana cigarettes, and 97.5 lbs. of bulk marijuana flower without the requisite traceability identifiers.”

That July release also states that enforcement officers found evidence of diversion to the black market, in addition to the company not tracking their product. “Traceability is a core component of Washington’s system and essential for licensee compliance,” says Justin Nordhorn, WSLCB chief of enforcement. “If our licensees fail to track their product they put their license in jeopardy.”

Dr. Ed Askew
From The Lab

Quality Plans for Lab Services: Managing Risks as a Grower, Processor or Dispensary, Part 5

By Dr. Edward F. Askew
No Comments
Dr. Ed Askew

Protection in the Court of Public Opinion

In the last four articles, I have outlined areas that impact your operations as they apply to laboratory quality programs. But this article will take a different path. It will focus on protecting your crop and brand along with any business that utilizes your crop, such as dispensaries or edible manufactures in the court of public opinion.

Now, the elephant in the room for cannabis companies is the difference between rules written by the state and their enforcement by the state. There are many anecdotal stories out there that can be used as case studies in identifying ways to protect your brand. Remember, consumers and the media caught them, not the regulators.

Cheating in the cannabis industry: growers, dispensaries, edibles manufactures, etc. This includes:

  1. Finding laboratories that will produce results that the client wants (higher potency numbers)
  2. Not testing for a particular contaminant that may be present in the cannabis product.
  3. Selling failed crops on the gray or black market.
  4. Claiming to regulators that the state rules are unclear and cannot be followed (e.g. So, give me another chance, officer)

So why should you be worried? Because, even if the state where you operate fails to enforce its own rules, the final end-user of your product will hold you accountable! If you produce any cannabis product and fail to consider these end-users, you will be found out in the court of public opinion by either the media or by the even more effective word of mouth (e.g. Social Media).

So, let’s take a look at some recent examples of these problems:

  1. “Fungus In Medical Marijuana Eyed As Possible Cause In California Man’s Death”
  2. “Pesticides and Pot: What’s California Smoking?”
  3. Buyers beware: California cannabis sold Jan. 1 could be tainted”

Each of these reports lists contamination by microbial stains or pesticides as being rampant within the California market whose products are used for medical or recreational use. Just imagine the monetary losses these cannabis businesses faced for their recalled cannabis product when they got caught. Remember, consumers and the media caught them, not the regulators.Institute a quality program in your business immediately.

How can you be caught? There are many different ways:

  1. Consumer complaints to the media
  2. Secret shopper campaigns (more to come on that in the next article)
  3. Media investigations
  4. Social media campaigns

What are the effects on your business? Product recalls such as these two to hit the California market recently.

So, what should you do to produce an acceptable product and provide reasonable protection to your cannabis business? Institute a quality program in your business immediately. This quality program will include areas of quality assurance and quality control for at least these areas.

  1. Growing
  2. Processing or formulating
  3. Shipping
  4. Dispensing
  5. Security
  6. Training of staff
  7. Laboratory services

Setting up and supporting these programs requires that your upper management impose both a rigorous training program and make employee compliance mandatory. Otherwise, your business will have an unreasonable risk of failure in the future.

Further information on preparing and instituting these types of quality assurance and quality control programs within your business can be found at the author’s website.