Tag Archives: secure

3 Ways IP Security Cameras Can Help Cannabusinesses Comply with COVID-19 Health Requirements

By Jeremy White
No Comments

The cannabis industry, like many others, felt the effects of the stay-at-home orders issued in March in response to the COVID-19 healthcare crisis. While medical cannabis companies were considered “essential” in most states, many recreational dispensaries had to close their doors, or pivot to a curbside pickup operations model. According to the State of the Cannabis Industry 2020 report, following a two-week spike in mid-March, as consumers stockpiled product ahead of stay-at-home mandates, sales took a temporary downturn.

The industry rebounded in a big way, however. The report notes that, since April 20, cannabis sales have steadily increased, and are, in fact, up approximately 40% from 2019. But while medical and recreational dispensaries are now open to the public and thriving, it’s far from business as usual.

Like any other retail store, cannabusinesses must follow local- and state-issued health and safety mandates designed to prevent the spread of COVID-19. Complying with these new requirements can be difficult for business owners and management teams on a normal business day – never mind in today’s climate, where demand for cannabis products continues to soar.

Turning to Technology

With more health regulations to follow than ever before and stores experiencing a consistent increase in daily foot traffic, it’s no longer realistic to expect managers to manually monitor every employee and customer to make sure guidelines are met. For example, it’s difficult to manage social distancing within the store – but there are commonly lines outside of cannabusinesses, where social distancing and mask-wearing precautions also need to be followed. Wouldn’t you rather have managers spend their time on customer service and initiatives that will deliver business value, rather than spending time making sure people are following safety protocols?

Technology can help mitigate these new health compliance challenges – and you may even already have the solution deployed: Internet Protocol (IP) security cameras. Often implemented by businesses as a security tool, IP cameras are now also an effective way to ensure employees and customers are following health and safety protocols.

Most IP cameras are equipped with artificial intelligence (AI) that can analyze information in real-time and make split-second response decisions. In the context of health compliance, they can be trained over time to recognize when requirements are not being followed and immediately alert the appropriate managers. This means managers only need to address violations, rather than observing everyone all the time, and they can resolve compliance gaps as they’re happening. In other words, AI takes on the compliance burden for you. And, as an added bonus, many AI-enabled surveillance systems give managers the ability to pull up live video feeds from their smartphone, so they can conduct compliance checks remotely, at any time. This is especially helpful to managers covering multiple stores (suddenly, they can be in more than one place at a time!).

Here are three specific ways IP security cameras can help dispensaries and other cannabusinesses ensure compliance with COVID-19-prompted health guidelines:

  1. Social distance monitoring

Six-feet social distancing rules are now the norm across the U.S., and IP security cameras are able to measure the space around employees and customers to detect when the six-foot rule is violated. For example, some systems place a ring around each person, and the ring’s color changes when people come within six feet of each other. This capability can be helpful when trying to do things such as supervise the line to get into your store, manage your checkout queue, or monitor the distance between customers browsing in store aisles.You can use IP security cameras to create a healthier and safer work environment

  1. Occupancy management

In many states, organizations must follow orders that restrict occupancy to 50% capacity. Rather than having an employee at your front door tallying the number of people going into and out of your store, IP security cameras can do the counting for you. With this capability, you can control foot traffic and keep the number of shoppers within defined occupancy requirements – without having to allocate personnel to do the task manually.

  1. Face mask detection

AI-enabled IP security cameras can also help businesses comply with mandatory face mask orders. The technology can be trained to detect employees and customers who aren’t wearing face masks or other required personal protective equipment, and then alert appropriate management personnel.

A Dual Purpose – Security and Compliance

IP security cameras now have a dual purpose. Beyond simply helping organizations protect their premises from crime, they now also empower them to ensure compliance with health and safety requirements. You can leverage the technology to remediate compliance issues in real-time and demonstrate to public officials that your business remains in compliance with all health mandates. Most importantly, you can use IP security cameras to create a healthier and safer work environment – and, in these uncertain times, this is a certainty you can count on.

Processes, Protocols and Layers of Protection: Essential Security Measures for the Medical Cannabis and Hemp Industries

By Joshua Wall
No Comments

As legalization of cannabis products from hemp to medical cannabis takes root across the U.S., there’s a growing need to understand and build good security practices. While many think of security as safeguarding assets like facilities and product, effective security does much more. It protects a business’ workers, providing them secure workplaces and incomes. Ideally, it reaches from supply chain to customers by ensuring consistently safe products.

To truly understand the value of this for a brand or for the industry as a whole, consider the opposite: the destructive effect – on a brand and on the industry at large – of unsafe or tampered product reaching customers, or of crimes occurring, just as the industry seeks to demonstrate its validity and benefits. Security is vital not only to individual farmers, processors or customers but to all who value what the industry brings to those who rely on CBD or medical cannabis products for their wellbeing.

Know the Threats.

Part of the learning process involves understanding the value of the product.Security is all about anticipating and reducing risks. These can include physical threats from natural sources – think flood, fire, tornado or crop fail – or from human threats. Human threats can arise from organized criminals, hackers, amateur thieves, vandals – or insiders.

As regulated industries, hemp and cannabis businesses also face risk of losses, which can be significant, from penalties ranging from fines to being shut down for non-compliance. While rules vary from state to state and continue to change, a disciplined approach to security is foundational to reducing risk at many levels. Rigorous operational processes must incorporate security that addresses risks at multiple points of access, transport and sale of products.

Learn the Rules.

In a rapidly evolving industry, one of the most important things producers can do is to learn. Security requirements vary by region and providers need to be aware of what is available. Get to know your state, local and federal resources for your operating area. California law, for example, specifies use of high-resolution video surveillance in dispensaries, while others do not.

Joshua Wall, Chief Operating Officer at Harvest Connect LLC

Part of the learning process involves understanding the value of the product. With medicinal cannabis, it’s helpful to grasp both its commodity value and the street value that could make it attractive to thieves. In “Why Marijuana Plant Value is So Important for Adjusters,” Canadian Underwriter Magazine gave examples that indicate the size of losses that may occur in growing and processing operations:

“In the medical marijuana space, ClaimsPro has already seen losses primarily between $150,000 and $750,000. These losses, mostly on Vancouver Island, were for fire and water damage, as well as boiler machinery issues, physical damage to buildings and specialized greenhouse equipment, as well as extra expense and business interruption.”

The same article notes a claim over $20 million at another single flower greenhouse. Security needs to reflect what’s present on our premises.

Educating the community can reduce risk as well. Producers of industrial hemp may need to inform would-be thieves that what they are looking at is not street-valued product. To protect the crops, which are generally grown outdoors and do not require a full security detail, a best practice is simply posting signs on the property that say explicitly “No THC.” 

Begin with a Risk Assessment.

Security begins with a professional evaluation of site vulnerabilities, examining key weaknesses that could be exploited by attackers. These include:

  • Monitoring access to the site is a foundational principle of security.
  • Design limited access points into the facility as well as prepare for possible facility breaches with perimeter access control, technological redundancies and ballistic glass for defensive architecture measures.
  • Look at route vulnerabilities as well.
  • Hedge site risk by not limiting your operation to a single site where one incident could wipe out an entire year’s crop.

The nature of threats is always changing. A 2018 Newsweek article described the struggles of legal cannabis farmers against illegal and potentially cartel-backed and violent operations in California. While a 2020 Business Insider report described indications that legalization was prompting some cartels to leave cannabis alone and move on to fentanyl and meth. “While Mexican drug cartels made their money predominantly from marijuana in past decades, the market has somewhat dissipated with the state-level legalization of cannabis in dozens of states across the US.”

Define Levels of Risk and Access.

The best security matches spending to risk in a commonsense way. Are you more at risk from the occasional smash and grab incident or is there reason to anticipate an organized assault? As in many industries, the greatest risk often comes from employee fraud or theft. Hiring carefully, paying fairly and training staff well are important to long term security.

Iron Protection Group in a training session
Image credit: Tampa Bay Times

How will the product be moved around within the facility and beyond it – and what staff are responsible for each part of the journey? Who can enter the cultivation areas and what protocols must they follow? On site staff should be trained on what to look for if they observe a security breach. Consider biometrics such as retinal scans, fingerprint scans or similar.

In cases where valuable product or cash is present, guards can play an important role. Harvest Connect uses only high-level former military or police officers in these roles, an approach recognized by many. Hunter Garth of Iron Protection Group notes they have “the ability to de-escalate a potentially harmful situation and the fortitude to see a mission through to completion, no matter what external circumstances may arise.”

Inventory and Transaction Controls

Inside threats from sloppy processes can be just as insidious as attacks. Poor tracking of inventory by Oregon’s legal cannabis producers made headlines in 2018 as The Oregonian reported, “U.S. Attorney Billy Williams told a large gathering that included Gov. Kate Brown, law enforcement officials and representatives of the cannabis industry that Oregon has an ‘identifiable and formidable overproduction and diversion problem.’’ Discipline, applied by state pressure but carried out by producers themselves, has begun to reduce the diversion of untracked product into the black market a year later.

Cannabis businesses need a professional approach to monitoring all product and money that moves through its systems. These operational processes can include time, date and attendance stamps on all inventory. Similarly, accounting systems and software must follow the highest professional standards. Lastly, when breaches occur, it is essential that fraud and theft are caught, eliminated and prosecuted as appropriate.

Nurturing an Emerging Industry

Security resources are an integral part of maintaining the integrity of a business’ supply chain. As the product moves from the fields to processing centers to consumers, purity assurance becomes an operational objective. Ultimately, protecting the product through secure and professional practices is the optimal way to serve customers, build a brand, and sustain the industry.

Soapbox

Cannabis Growers and Distributors: Your Cyber Risk is Growing Like Weeds

By Emily Selck
No Comments

Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.

Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.

Distributor Risk = A Customer’s PII

Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:

  • Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
  • Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
  • Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.

Grower Risk = Crop Trade Secrets

For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:

  • Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
  • Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.

Cyber coverage is now ripe for picking

Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.

Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

Documentation: Are You Prepared?

By Radojka Barycki
No Comments

Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More

A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job. 
Are you prepared to face document requirements now and in the future?

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?