Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.
Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.
Distributor Risk = A Customer’s PII
Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:
- Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
- Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
- Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.
Grower Risk = Crop Trade Secrets
For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:
- Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
- Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.
Cyber coverage is now ripe for picking
Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.
Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.