Tag Archives: secure

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

Documentation: Are You Prepared?

By Radojka Barycki
No Comments

Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More

A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job. 
Are you prepared to face document requirements now and in the future?

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?