Tag Archives: IT

Facing Cybersecurity Risk? Here are 6 Ways to Minimize it.

By Brian J. Schnese
No Comments

The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ less than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.

Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store and the industry’s shift toward operational automation to increase yields and lower labor costs and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.

Safeguard your corporate networks and internet connections by encrypting information and using a firewall.

Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was incapable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.

A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.

While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.

Six hallmarks of a strong cyber-defense program:

  1. Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
  2. Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
  3. Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
  4. Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
  5. Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
  6. Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

What if a breach occurs?

Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients?  When an organization has armed itself with a cyber insurance policy, they not only transfer much of their risk, but they often gain access to a carrier panel of specialized response providers that include breach coaches, forensic investigations firms and privacy attorneys.

In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.

Leaders in Infused Products Manufacturing: Part 3

By Aaron Green
No Comments

Cannabis infused products manufacturing is quickly becoming a massive new market. With companies producing everything from gummies to lotions, there is a lot of room for growth as consumer data is showing a larger shift away from smokable products to ingestible or infused products.

This is the third article in a series where we interview leaders in the national infused products market. In this third piece, we talk with Liz Conway, Regional President of Florida at Parallel. Liz started with Parallel in 2019 after transitioning from her healthcare IT consulting practice. She now heads up Florida operations for Parallel which runs the Surterra Wellness brand.

Next week, well sit down with Stephanie Gorecki, vice president of product development at Cresco Labs. Stay tuned for more!

Aaron Green: Liz, very nice to meet you. Can you tell me how did you get involved at Parallel?

Liz Conway: Well, I’ll give a little bit of background. Previously, I was working in healthcare technology and in that field, really coming out of health care reform. I was also living in Northern California and so was conscious of a bunch of startups that needed help with highly regulated spaces and policy and how to navigate both the today and the tomorrow of “Hey, we’re trying to build something super fast, but we’re not interfacing with government well enough to know how to build what we’re building and not be set back again.”

And so cannabis actually came to me. I started working with some early stage cannabis IT companies and I was the principal where I founded a firm to do this very thing, which was to help highly regulated companies get through what is today, what is tomorrow, and what can we change. I was really fortunate to be living in Northern California, and I started to help them navigate the California rules.

Then in 2016, when California went adult use, that was just a major time to turn everything on its head and see what we could get. From there, it was history. I started to work with companies, both nationally and in Canada, and met some of the folks with Parallel and was a consultant with them for a while and then joined the team.

Liz Conway, Regional President of Florida at Parallel

Aaron: So, are you in Florida now?

Liz: I relocated to Florida in January 2019.

Aaron: At Parallel, how do you think about differentiating in the market?

Liz: I think that we differentiate in terms of the quality of our product, of course, and I will speak specifically to Florida where our focus is still a medical market. Every day we are trying to manage the vertical from end-to-end so that we can get the products that our people want as quickly as possible over a vast territory. Well-being is such a critical ethos that everything we do comes down to, “alright, what does this mean for well-being and how are we delivering that both in the customer experience as well as in the product?”

Aaron: With regards to differentiation, can you speak to any products in particular that you feel are differentiated in the Florida market?

Liz: In the Florida market, I think that we were the first to launch thera-gels, and the thera-gels really are medicated jelly. You can use it sublingually, or take it as an oral to swallow. From that we developed thera-chews. That line, it’s really great tasting, it’s long lasting, and the effects are getting great reviews from the patients. So that’s one area that I think we distinguish ourselves and we’re a forerunner in the Florida market.

Aaron: So, if you take one of those products as an example, can you walk us through your process for creating a new product like that?

Liz: Well, so remembering that we’re part of companies in other states, because Parallel operates in Nevada, Massachusetts and in Texas. So, we’re not developing products on our own, but we certainly are doing Florida market analysis to say, what should come next, we are listening to our customers, we listen to our people, we’ve got 39 stores across the state. We have a number of employees who are always listening. We also have employees who are part of the medical program who are using the products to address different needs and they are looking at our competitors.

So, we’re doing some competitive analysis. We’re also knowing what it is that we’re really good at, and we take it through a product development lifecycle that involves testing because we are fully vertical. In Florida, we have to always ask ourselves are we able to do this end-to-end and thus far, we’ve been fortunate enough to either build or buy that capability.

Aaron: You mentioned there’s 39 stores in Florida? Are those dispensaries?

Liz: Yeah, they are our stores. There are other stores that other companies have, but we’re the second largest footprint in the state and all over from the very edges of Pensacola down to the Florida Keys, and then over to Miami and up through Tallahassee. So, covering really all corners in the state.

Aaron: Now, with those stores do you also market your products in other people’s stores?

Liz: No. The vertical really means that our stores only carry our own products. We’re marketed in Florida as Surterra Wellness and that’s the name of our stores. Anywhere you go that there’s a Surterra Wellness, you have the same product sets and we’re not allowed to sell other folks’ products. It’s a big difference between Florida and other states.

I’ll tell you one of the nice things is, when I have a product, I know that we grew it. I know every single quality step along the way. I don’t have to go and then look at other vendors and constantly monitor their quality. Everything that we do, we touched it from the very first moment hitting the ground. So it’s nice.

Aaron: Can you walk me through one of your most recent product launches? And if you can, the full lifecycle from the initial marketing briefing up to commercialization?

Liz: Well, I can do some of that. Speaking specifically about those thera-chews – that oral dosing mechanism – we’ve got it in a couple of different flavors. We said to ourselves, “hey, there’s a real need in this market for people to experience something that was like an edible, because Florida just launched edibles.” But we didn’t consider this as an edible because they weren’t allowed at that point. We knew from other states that particularly patients like to dose, you know, with something that is long lasting and flavorful. And so we said, “how can we bring this to market as an oral-dosing product?” And so we conceived the machinery that was able to do it. We had to do quite a bit of tooling.

Prior to that, we did some market testing from our customers and our associates as well as our brand team to say “is this going to be right? Can we bring it to market?” We did the projections around anticipated demand and program growth as well as the cost. We had to figure out what it would it take to adjust the machinery. Will it work? We did some pretty significant testing on that machinery and a lot of flavor testing.

We’re fortunate enough to have one of only four licensed kitchens that can do this kind of R&D in Florida. We’re licensed by the Department of Health for cannabis R&D on an edibles-type kitchen. So we were really fortunate to be able to do that to bring it to market. And from there, it really took on a life of its own. The flavors were tested across all of us (non-dosed flavors, obviously) and we voted on the best products to hit the shelves.

Aaron: When you’re making that decision, how much of the decision was weighted by market demand from your existing customers, and just observing other markets and seeing how products perform in other markets?

Liz: Data is not as prolific as I’d like it to be in cannabis. When you hit the edge of that state line, your consumer is very different, your stores are very different, your marketing capability is very different. So we really had to look across the US and say, “how are products like this performing? Is that how Florida is going to perform?” We did use that state-by-state evidence as well as our own evidence — the response to therapy gels — if we have thera-gels, what type are we selling in terms of dosage and flavors. There are slight differences there in effect-states. And so it was a little bit of both.

Aaron: Next question gets more into like the supply chain. How do you go about sourcing ingredients for your products?

Liz: So again, in a fully verticalized state, we have to source 100% of the active cannabinoid ingredients. Then we have an authorized vendor list that we’ve worked with for other things in terms of flavors and terpenes. Then we have to go back to the DoH to make sure that the other ingredients, whether that be sweeteners, or the kind of wrapping on those thera-gels are okay — the gelatin elements in particular.

“The Florida environment all day long is the biggest hurdle that I think we face.”We use an authorized vendor list. One of the great things that we’ve done recently is to focus our vendor list on minority women and veteran-owned businesses, and so really looking deep in the supply chain to source whatever we can from a diversity of suppliers. I love that original ethos of cannabis to be of the people, by the people and for the people, as well homegrown.

Aaron: Can you give me an example of a challenge that you run into frequently?

Liz: Well, I’ll say in Florida, if you’re growing your own cannabis, it’s way different than if you’re growing it in Colorado or California. So, I’m going to start there. The great news is that after Florida allowed us to start selling smokable flower last fall, we’ve come such a long way. We’ve got new indoor grow facilities. It’s making the environmental issues much, much lower.

“I think that the best thing that we can do is try to look five years ahead and ask what could this look like?”Bringing those on-line is going to bring a much more consistent consumer experience because while I know consumers have a lot of tolerance for variations in their cannabis, but as the industry matures, they’re going to treat us much more like other CPG companies. They’re not going to want that variation. Between that and then Florida’s new testing regulations which also are making sure that the product that’s delivered only meets what’s on the label.

The Florida environment all day long is the biggest hurdle that I think we face. The humidity is much higher here than in other states.

We’re also looking at live resin. What I am watching is the next generation. A lot of live products get us really close to the plant. We’ve done so much to pull out of the plant but where are we going to preserve that original plant in all of its most original formats without having to necessarily smoke the flower itself. We’re working with the Florida Department of Health to help them understand live resin products from a health standpoint.

Aaron: What trends are you following in the industry?

Liz: As you can imagine, as the regional president of a division that goes really end-to-end on monitoring trends in edibles and infused products, medical and recreational, I’m watching the election pretty closely. It will impact banking. It could potentially impact interstate commerce and it could potentially impact research.

I’m also watching things like HR trends, what’s happening in who we employ, our leadership, and how we deal with some of the emerging union issues around the country. I think that the best thing that we can do is try to look five years ahead and ask what could this look like? Where do we put our investment dollars now to meet the future, as well as where do we put our regulatory efforts for the best public policy to have the outcomes that we want consumers to trust us with? I know that’s a really broad answer, but from where I sit, it really is what I’m looking at, across a universe of excitement, but it includes challenges also.

Aaron: The last question is, what would you like to learn more about in the cannabis industry?

Liz: Well, of course, if I had a crystal ball, that would be great. I think the data is always missing. The more data that we could get, there’s so much out there that people are using cannabis for and we just don’t understand the impacts on how is this wonderful well-being product helping so many people because a lot of people don’t like to talk about it. So the more data about our consumers and what they like and what they don’t like, even across state lines, as we could aggregate that in a uniform way. I think it would help a lot of the people who are fearful of cannabis and it would help a lot of us who are in the business, get the consumers exactly spot on what they want, which at the end of the day is why we’re all here.

Aaron: Thank you Liz, that’s the end of the interview.

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

canna grow
Soapbox

CannaGrow Expo Heads to Palm Springs

By Aaron G. Biros
No Comments
canna grow

We’ve covered the CannaGrow Expo previously, but this time around we catch up with Joseph De Palma, founder of CannaGrow, to talk about the genesis of his conference and what makes the event so special. This year’s CannaGrow Expo heads to Palm Springs, California, a new location for the event, on May 19thand 20th.

We’ve watched De Palma’s conference grow over the years, moving around the country and becoming the tight-knit community we know it as today. The meat and potatoes of the show are definitely the educational sessions, panel discussions, roundtables and the expo hall. But covering it year after year we’ve noticed a real sense of community develop, one where genuine idea sharing, collaboration and inclusivity are preached. There are no dumb questions at the CannaGrow Expo.

Tom Lauerman speaks to a room full of attendees at CannaGrow San Diego

According to Joseph De Palma, CannaGrow started in 2014, when the original event was held in Denver. “From the beginning, we wanted to create an event specifically for growers, where the focus was always on education and ‘becoming a better grower’,” says De Palma. “We had experienced the existing events in the marketplace, and almost all fit into two categories at the time, festival, or generic tradeshow. Those were fine for their purpose, but they didn’t foster an environment of education, and that’s what we believed was most important to the emerging cannabis industry.” Back in 2014, their show only had 10 sessions and 30 exhibitors. “Passionate growers from around the country had 2 days of grow-focused sharing and learning, and you could see the energy and excitement,” De Palma says. “Discussions would dive deep, people made new friends, and it really elevated the conversation around cultivation.”

Attendees gather at a lighting exhibit at CannaGrow San Diego

Since the show’s debut, it’s grown substantially. The 7th CannaGrow Expo is fast approaching, and this upcoming conference has four separate tracks and roughly 100 exhibitors. But it still keeps its sense of community, one where you don’t feel crowded, where everyone has time to chat and network, without the overwhelming feeling that can come with larger trade shows. “That inclusivity and open dialog is built in,” says De Palma. “If you go to an event that’s tradeshow dominant, most people are there to walk, shop, and leave. At CannaGrow, growers and extractors come together with a plan for the weekend, remaining in a constant state of engagement with others at the show.”

This year’s show has some exciting additions to look out for. The agenda covers a wide range of topics, including everything from an introduction to growing with living soil to a discussion of cyber security. The Extraction Summit, new to this year’s event and held on Day 2, is their response to the massive rise in popularity and demand of extracts.

Eric Schlissel
Eric Schlissel, president and chief executive officer of GeekTek

Eric Schlissel, cybersecurity specialist, president and chief executive officer of GeekTek, is giving a talk focused on IT infrastructure. “My presentation will center around the actions cannabis businesses need to take right now to repel cybercrime and potential federal seizure,” says Schlissel. “As cannabis operators build their businesses and develop their security strategies, they often focus exclusively on the physical portion of their business – the merchandise and the cash in particular – and overlook the importance of designing and fortifying a secure IT infrastructure. I will discuss the importance of a holistic security strategy that embraces both and how you can both create one and prepare it for expansion into other states or even globally from the very start.” Schlissel’s discussion is one example of just how all-encompassing CannaGrow intends to be.

De Palma and his team leave few stones unturned as the show truly delivers vital information for cannabis cultivators in every area. Some things we are looking forward to? Seeing old friends and learning everything under the sun about cannabis science, growing and extraction. “People get to know each other, and with everyone sharing a core passion for cultivation and extraction, lifelong friendships are made,” says De Palma.


To check out the agenda, speakers and exhibitors, click here.