Tag Archives: security

Retail Shrinkage and Navigating Loss Prevention in the Cannabis Industry

By Dawne Morris

In the regulated cannabis sector, retail shrinkage is a concern as business owners must navigate tight regulations in an often cash-only environment combined with the usual causes of retail shrinkage, including theft and inefficient operations.

Retail shrinkage occurs when a company loses inventory from causes other than sales—and it’s a problem that costs companies $100 billion annually, according to the National Retail Federation’s (NRF) 2022 National Retail Security Survey (NRSS). The cannabis industry is not immune.

Utilizing Technology to Combat Retail Shrinkage

The 2022 survey estimates that 65% of inventory loss is due to theft, a trend that is expected to continue with the rising cost of goods. Other factors may include administrative and human error. Nearly half of the retail respondents reported an increase in technology spending to combat these threats.

In Q1 of 2023, Proteus 420, an online enterprise resource planning (ERP) system for highly regulated industries, including alcohol and cannabis, saw a substantial uptick in POS software requests, in part attributed to the need for additional automation and auditing tools in order to more easily and accurately monitor and control inventory.

In the cannabis industry, along with a challenging regulatory environment, retail businesses are facing declining sales. Loss prevention is where dispensaries can protect their bottom line with a targeted approach and the right system in place.

How can cannabis businesses do this? By avoiding antiquated spreadsheets and by having the ability to quickly analyze vast amounts of data. Business owners should be proactive and utilize technology, such as a quality ERP system, to mitigate risk and safeguard inventory.

When choosing a software provider, cannabis retailers should focus on systems that offer day-to-day support and emergency assistance, and systems that can seamlessly monitor employees, cash and inventory. Software, and employees who work with it, should also be able to track and trace compliance, identify suspicious transactions and look at data from multiple locations. Detailed reporting is crucial from a compliance perspective.

Loss Prevention Practices

Because cannabis is a heavy cash-only industry, having the right tools to monitor the physical cash as it moves through your business is necessary to prevent loss. This is done with cash drawer-specific transaction tracking, employee module access, and the ability to open and close drawers at the employee level.

Here are some of our top loss-prevention tips:

  • There should always be multiple eyes on cash and products. Managers and assistant managers should always verify counts of cash and products as a check and balance measure.
  • Make sure employee access to your POS or operational system is granular. This means that different positions have varying levels of access and capabilities.
  • Have a solid inventory auditing process. To stay on top of this, make sure that your staff and system can do spot inventory audits and can track the audits long-term.
  • Have physical security measures in place. This can include security cameras and alarm systems and a dispensary designed to keep inventory strategically placed.
  • Build a workplace culture that empowers employees to feel ownership in their work and feel accountable for loss prevention in their This includes emphasizing the policies and procedures needed for loss prevention, including consequences for theft. This culture is not an overnight process but develops over time.

The Right Employees Make a Difference

In addition to the right technology and prevention practices, the first line of defense against product or cash loss is your employees. From your budtender to your general manager, you need to make sure the right people are in place in the correct positions for fair compensation.

Some questions you can ask yourself during the hiring process include:

  • Do they have the right experience for the position?
  • Are they motivated, flexible, detail-oriented, team players?
  • Are they passionate about cannabis and want a future in the industry?
  • Have you checked their references?
  • Things move fast in the cannabis sector – are they willing to learn new skills?

Once you have the right people, do they have the standard operating procedures (SOPs) needed to do their jobs? If not, it’s time to create them.

When it comes to loss-prevention, you must trust that your cannabis point-of-sale and operations ERP system will monitor and provide the needed reports. You can also make sure there are additional measures in place to prevent retail shrinkages, such as empowered employees and solid loss prevention practices so that your inventory and cash stay right where they belong until sold.

Facing Cybersecurity Risk? Here are 6 Ways to Minimize it.

By Brian J. Schnese

The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ fewer than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.

Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store, and the industry’s shift toward operational automation to increase yields and lower labor costs, and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.

Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was unable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.

A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.

While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.

Six hallmarks of a strong cyber-defense program:

  1. Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
  2. Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
  3. Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
  4. Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
  5. Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
  6. Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

What if a breach occurs?

Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients? When an organization has armed itself with a cyber insurance policy, it not only transfers much of its risk, but often gains access to a carrier panel of specialized response providers that includes breach coaches, forensic investigation firms and privacy attorneys.

In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.

Risk Management Considerations for Cannabis Retailers in New Jersey

By Eric Schneider

Despite the US making cannabis regulations challenging to navigate, the industry is snowballing toward profitability. New Jersey legalized adult use cannabis on April 21 this year. One month earlier, The Garden State began accepting applications for Class 5: Retailers, Dispensing and Delivery.

Although New Jersey isn’t shy about its licensing requirements and standards, many people want to know how retailers can stay in the game for the long run. So, let’s talk about risk management considerations New Jersey retailers need to know.

Top Risks Cannabis Retailers Face in New Jersey

Regardless of what kind of retailer you operate — medical or adult use — it’s critical to know what you’re up against. The following are the most common risks we’ve watched cannabis retailers face daily in New Jersey, making a customized risk management strategy necessary.

Theft

Like other retailers, New Jersey cannabis retailers are vulnerable to theft. Unfortunately, theft can come from various angles, such as in-store, in-transit and insider crime. Besides cannabis retailers typically having a well-stocked inventory, it’s not uncommon for them to have more cash on hand than most other businesses.

Although the SAFE Banking Act could positively impact the cannabis industry, it’s in a notorious stall yet again. Briefly, the SAFE Banking Act would no longer allow financial institutions, such as banks and credit card companies, to refuse to do business with cannabis companies. However, cannabis retailers must operate in a cash-only environment, for now, forcing them to make bank runs multiple times a day. We probably don’t have to explain how enticing a significant inventory and fat bank bags look to criminals.

Cybersecurity

Since the onset of the global health crisis, the cyber liability landscape has nearly spun into a death spiral. In other words, cybercriminals sat on the edge of their seats during the pandemic, waiting to pounce on anything that looked slightly vulnerable. Remote workers, small businesses, and emerging industries were hard-hit.

It’s no surprise that New Jersey cannabis retailers face many cybersecurity risks through their point of sale (POS) systems. Additionally, retailers often gather and store personal information, such as email addresses, credit card numbers, shipping addresses, etc. Hackers and cybercriminals gravitate to this vital data rapidly.

Property Damage

In addition to the risk of theft, as mentioned above, cannabis retailers must protect their property from losses. Without adequate protection, damage to equipment or buildings could add up to high out-of-pocket costs. Consider the damage a weekend office fire or late-night vandalism would cause. If property damage occurs, retailers must figure out how to sustain business operations while recovering from the loss simultaneously. As a result, New Jersey retailers must protect their property and maintain business continuity.

How to Customize a Risk Management Strategy

Watch or listen to any news reports and there’s a decent chance that you’ll feel some slight sense of doom and gloom. And sure, a lot is going wrong in our world; however, that doesn’t need to impact how you perceive your businesses. Instead of casting a massive net over every possible risk that you can imagine, we recommend trying the following 5-step approach. Here’s the gist:

  1. Identify: Pinpoint high-level risks that are specific to the cannabis industry. Then, let the process trickle down to focus on company-specific exposures.
  2. Analyze: Determine how badly a particular risk could harm your retail company. How much will this hurt should the “what-ifs” play out?
  3. Evaluate: Categorize risks according to how risk tolerant your company is. Will you avoid, transfer, mitigate or accept the risk?
  4. Track: Use your history or the stats from a similar retailer to map out how you’ve handled the risk over time. Older retailers have an advantage over younger retailers, of course, but you can still get a feel for your risk management style.
  5. Treat: Make good on your evaluation promises by avoiding, transferring, mitigating, or accepting the various risks you identified.

Recommended Insurance for New Jersey Retailers

The New Jersey Cannabis Regulatory Commission issued detailed requirements for new cannabis businesses. That said, part of the application requirements considered is the plan for companies to obtain liability insurance. Many new retailers opted for a “letter of commitment” as opposed to a certificate of insurance (COI), stating their plans for obtaining the following coverages:

  • Commercial general liability: Protects cannabis companies against basic business risks.
  • Product liability: Protects against claims alleging your product or service caused injury or damage.
  • Property: Reimburses cannabis companies for direct property losses.
  • Workers’ compensation: Covers employees if they are injured on the job and can no longer work.

In addition to the required insurance coverages, we recommend New Jersey retailers customize their risk management package with these policies:

  • Crime: Protects your cannabis company against specific money theft crimes.
  • Cyber: Protects your cannabis company against damages from specific electronic activities.
  • Directors & officers: Protects corporate directors’ and officers’ personal assets if they are sued.
  • Employment practices liability: Protects cannabis companies against employment-related lawsuits.
  • Professional liability: Protects cannabis companies against lawsuits of inferior work or service.

With more states in the US entering the marketplace soon, New Jersey is doing its fair share of the heavy lifting by spearheading the onboarding process. Remember, doing your due diligence at the start pays off in the long run — New Jersey retailers are proving that. Consider teaming with a commercial insurance broker calibrated to the cannabis industry, so you get the most out of your broker, marketplace and the cannabis industry as a whole.

The CLIMB Act: How the Cannabis Industry Could Benefit

By Zachary Kobrin

The cannabis industry could receive a significant boost if the recently introduced Capital Lending and Investment for Marijuana Businesses (CLIMB) Act passes Congress. The bipartisan bill was introduced by Rep. Troy A. Carter, Sr., a Democrat from Louisiana, and Rep. Guy Reschenthaler, a Republican from Pennsylvania. It is intended to boost the cannabis industry by creating greater access to capital, banking insurance and other business services. Unlike the SAFE Banking Act (which specifically addresses banking services for the cannabis industry), the CLIMB Act was introduced “to permit access to community development, small business, minority development and any other public or private financial capital sources for investment in and financing of cannabis-related legitimate businesses.”

Currently, the cannabis industry faces a serious dilemma with regard to accessing not only traditional banking services, but also essential capital and financing sources. The latest member of the cannabis bill alphabet soup attempts to remedy this by addressing two key issues.

First, the CLIMB Act would permit access to key “business assistance” programs from various financial institutions by prohibiting any federal agency from bringing any civil, criminal, regulatory or administrative actions against a business or a person simply because they provide “business assistance” to a cannabis state-legal company. The CLIMB Act defines “business assistance” broadly to include, among other things, management consulting work, accounting, real estate services, insurance or surety products, advertising, IT and other communication services, debt or equity capital services, banking or credit card services and other financial services.

This provision of the CLIMB Act would immediately create more access to traditional insurance, lending and credit. This broad protection would not only apply to private entities providing “business assistance,” but arguably means that the U.S. Small Business Administration (SBA) could not be penalized by Congress or another government agency for providing loans to state-legal cannabis companies. Moreover, currently the cannabis industry does not have access to use credit cards, as major credit card companies refuse to permit such transactions. The CLIMB Act could pave the way for major credit card providers to begin permitting cannabis transactions. Permitting the use of major credit cards like American Express, Mastercard and Visa could result in an increase in sales for cannabis retailers.

The second, and possibly the most important, aspect of the CLIMB Act is that it would amend the Securities and Exchange Act of 1934 to create a “safe harbor” for national securities exchanges like Nasdaq and the New York Stock Exchange (NYSE) to list cannabis companies and would permit the trading of these cannabis businesses’ stock. Currently, plant-touching cannabis companies with operations in the U.S. can only be listed on a Canadian-based exchange and can also only be traded in the U.S. via the over-the-counter (OTC) markets. Trading securities on the OTC markets does not provide the same level of security as securities traded on a national exchange like Nasdaq or NYSE. Specifically, the CLIMB Act delineates that the federal illegality of cannabis is not a bar to listing or trading of securities for legitimate cannabis-related businesses.

This provision of the CLIMB Act has two immediate effects. First, the CLIMB Act would allow for U.S. cannabis companies currently listed in Canada to list on the Nasdaq or NYSE. Second, this provision would allow more traditional, “blue-chip” industry companies currently listed on Nasdaq or the NYSE who haven’t been able to operate within the cannabis industry as a plant-touching entity, to enter the cannabis industry as an active participant.

In announcing the CLIMB Act, Representative Reschenthaler stated that “American cannabis companies are currently restricted from receiving traditional lending and financing, making it difficult to compete with larger, global competitors. The CLIMB Act will eliminate these barriers to entry, and provide state-legal American cannabis companies, including small, minority, and veteran-owned businesses, with access to the financial tools necessary for success.”

It is important to note that the CLIMB Act, like the SAFE Banking Act, only represents one small, but important step toward cannabis reforms. Neither proposal would legalize, de-schedule or reschedule cannabis. Rather, the CLIMB Act addresses very real-world, operational issues facing the cannabis industry. With that in mind, the CLIMB Act would certainly provide much needed clarity for issues facing all cannabis companies.

Passage of the CLIMB Act is not a foregone conclusion, but rather is quite uncertain. Other pieces of cannabis-related legislation, like the SAFE Banking Act, have passed the House of Representatives multiple times without the U.S. Senate taking any action. Moreover, the CLIMB Act was introduced with only two legislative supporters.

Cannabis Dispensary Displays: What’s Trending in 2022

By Ray Ko

As additional states around the country legalize cannabis – New Jersey, Arizona, South Dakota and Montana, to name a few – more and more medical and adult use dispensaries are popping up. Business owners are looking for ways to stand out from their competition. Enter dispensary displays, cost-effective hot commodities and a trending topic in 2022. Cannabis displays have become the vehicle to not only house merchandise but can also be a customized branding tool unique to the company’s aesthetic and marketing messaging.

Before we delve into the dispensary display trends disrupting the cannabis industry, let’s start at the very beginning: the basics. The basics include retail space, dispensary layout, cannabis inventory, complementary accessories and of course, budget. Decorating a unique space with a signature aesthetic can be as easy as mixing-and-matching the displays and ideas discussed in this article.

A Well-Lighted, Clean and Simple Space is In

Whether your dispensary is for medical or adult use, a clean design aesthetic is always a good choice. This never-fail approach to decorating conveys a crisp, modern, hygienic feel and a neutral palette like clear, white and black cannabis display cases support this look.

Store lighting plays heavily in dispensary décor, too. According to the lighting experts at Stanpro Lighting Systems, there are three basic types of lighting: ambient, task, and accent and all play a unique role. In short, ambient lighting lights up an entire room or space – outdoor too – to safely facilitate traffic. Task lighting, as the name suggests, is used for a given task such as reading and the like. Directional recessed fixtures, pendant and desk lamps all fall into this category. Light is directed to a focal point and shouldn’t be too bright or harsh. Accent lighting directs attention to a point of interest. Think track lighting, undercabinet or recessed lighting – perfect for dispensaries. When mapping your lighting layout, consider pod holder placement. Place a multi-shelf locking cannabis cabinet under bright lights so customers can see and smell, if appropriate, the merchandise. Alternatively, if lighting is an issue, use a lighted display riser to showcase your pod assortment. A pop of color via custom color pod picks like these from shopPOPdisplays, placed inside a clear cannabis display pod holder on the lighted display riser grabs attention and can be easily switched out depending on the product promotion. It’s versatile, cost-efficient and eye catching.

Make It Marketable

Cannabis displays come in all shapes, sizes, styles and colors. Organize your cannabis, CBD, vape and other merchandise like nitro tins to keep clutter at bay, but make it work for your brand as well. Double-duty dispensary displays like tube holders provide the functionality of neatly presenting products with the bonus of brand recognition through a customization option. If decorating your dispensary business and building your brand on a budget – and who isn’t – customizing key pieces like locking displays and cabinets, may be the solution. Placing products in and on customized cannabis dispensary displays with your logo, brand and/or company color scheme brings instant recognition as well as consumer confidence that your dispensary is not a fly-by-night company. Strategic customization might be the savvy investment option in the long run.

Protecting Your Employees: Health and Otherwise

Security means different things to different people. Physical, financial – you name it – people want to feel safe, and protection of others, oneself and properties is at the forefront. Like all business owners, dispensary entrepreneurs invest time, money and sweat equity to get their business up and running. According to cannabis software specialist TRYM, by the year 2025, the cannabis industry is estimated to reach $30 billion. Ensuring the safety and security of staff and inventory investment is a top priority. Cameras, security personnel and alarm systems are all factors, plus practically shatter-resistant plexiglass counters and displays are the new must-have trend. Acrylic sheets don’t end at the counter either. Protecting the health of staff members, especially during these times, means plexiglass sheets, clear acrylic barriers and sneezeguards are being implemented in dispensaries across the country. In compact or limited retail space these protective panels ensure social distancing and help ease customer anxiety.

The cost of dispensary inventory is significant; protecting it doesn’t have to be. Many states require cannabis, CBD and vape merchandise be stored in locking display cases and locking cabinets, behind counters, and more depending on the state. Sidestep specific regulations and instead opt for securing all cannabis and high-ticket items in both countertop and locking wall mount displays as well as wall pedestals, lighted pedestals (with acrylic cover or without) with the lock option. These display cases promote waist- and eye-level optimization without taking up valuable retail space.

Color Me Green This Year and Next

As mentioned, in 2022 clean is in, but so is green. In The Psychology of Design: The Color Green, Christi Wharton says, “Green evokes a feeling of abundance and is associated with refreshment and peace, rest and security.” Therefore, it only makes sense to include green when decorating your dispensary. Add planters with greenery to odd corners, break up a white space with a verdant splash of color to bring attention to products. Consider custom green acrylic display risers with company name, brand or logo to literally elevate merchandise or use a LED cannabis display and a showcase is born!

With these current and classic display trends, a well-designed dispensary doesn’t need tricks and a large budget to succeed. Quality merchandise, great customer service as well as classic in-stock and custom dispensary displays never go out of style.

2022 Cannabis Industry Outlook: Your Business’ Future Depends on its Risk Management

Cannabis risks have always outpaced the availability of insurance, in large part because of its status as a federally illegal substance and the dangers in extraction and production. But it now shares many of the same risks as other industries — catastrophic crop damage, cyber risk and a shortage of skilled workers.

With legalization becoming more common, the industry is positioned for enormous growth despite these challenges. However, enterprises that will benefit the most are those best positioned to manage risk.

Here are four obstacles to growth in the industry in 2022 and how enterprises can combat them:

Cybercrime will be the top manufacturing risk

Both cybercrime and cannabis have experienced major booms since the start of the COVID-19 pandemic. Cannabis companies watched as healthcare and pharmaceutical organizations were hit hard by cybercriminals in 2020, and now the threat could be headed their way.

For cannabis retailers, the vulnerability lies in their dependence on point-of-sale tech, while the threat for cultivators exists within their strong use of intelligent automation to manage the grow environment. Across the industry, the lack of sophisticated IT security systems is like a beacon for bad actors.

Nearly 60% of cannabis businesses say they haven’t taken the necessary steps to prevent cyberattack, but the winds are changing. Due to these concerns and the growing attention on cybercrime in the industry, cyber coverage is expected to rise 30% or more in 2022, which puts the onus on risk management practices that will help prevent cyberattacks and ensure coverage from insurers concerned about risk.

Barriers to business growth may result in more M&A

As of summer 2021, 18 U.S. states have legalized adult use and 37 states have legalized medical cannabis.

While this is opening opportunities for many cannabis businesses, the U.S. remains a complicated market. Federal regulations continue to hinder further cannabis industry growth by restricting lending to the industry from traditional banking and financial institutions. While it’s not illegal to do business with the cannabis industry, many institutions stay away due to its high risk.

Smaller cannabis companies are impacted most heavily by this barrier and await passage of the Secure and Fair Enforcement (SAFE) Banking and Clarifying Law Around Insurance of Marijuana (CLAIM) Acts to allow easier access to capital. Together, these two acts of legislation will provide guidelines on how to work lawfully with legal cannabis businesses and prohibit penalizing or discouraging institutions from working with them.

In the meantime, M&A activity is expected to increase in 2022 as large cannabis businesses have the means to access capital and acquire these small companies. This includes Canadian cannabis companies, unburdened by federal restrictions, who are expected to increase their cross-border mergers and acquisitions.

Severe weather isn’t easing up

Extreme natural catastrophes are no longer rare, and they have only added greater uncertainty to the industry which has always had difficulties securing crop insurance.

For example, policies that transfer wind and hurricane damage risk in Florida or wildfire and smoke taint in California are virtually non-existent for cannabis — and for outdoor growers, a single weather event can wipe out an entire crop with no recourse.

One possible solution for cannabis companies that cannot secure traditional crop insurance is parametric insurance, which pays out in full when a weather element reaches a threshold, regardless of the actual damage.

Growers with indoor operations, or those considering moving that way, must cope with energy conservation initiatives. Measures like the one in California that would require indoor growers to use LED lighting by 2023 could cost the industry millions and present a direct threat to small operations’ viability. This makes it important for cannabis producers to institute conservation measures and undertake risk mitigation measures like improved safety measures at indoor growth facilities ahead of 2022 renewals.

As a continually emerging market, cannabis risks are great. Adding to these pressures are the growing impacts of climate change and cybercrime, raising the bar even further. Growth for the cannabis industry in 2022 will depend upon strong risk management solutions and the ability of cannabis companies to implement them.

Keep ‘em Safe: Cash, Records, Products, People – Technology Helps Cannabis Businesses Succeed

By Dede Perkins

It wasnt that long ago that cannabis was underground, sometimes literally, and operators protected what was theirs any way they knew how. Before legalization, cannabis operators needed to secure their plants, cash, supplies and equipment not just from people who wanted to steal them, but also from law enforcement. The legacy cannabis market is now transitioning into a legal one, and licensed operators are joining the industry at an incredible rate, but security is still part of the success equation. Like before, operators need to protect plants, products, equipment and cash, but they now also need to protect records, privacy and data, and do so in a manner that complies with state regulations.

Cannabis regulatory authorities set security guidelines that cannabis business owners must follow in order to obtain and renew operational licenses. For instance, there are state-specific security regulations regarding video surveillance, camera placement, safes, ID verification, and more. While security measures help protect the business, they also protect the public. It’s a win-win for everyone involved. Here are five best practices and techniques to protect cash, records, products and people.

Hybrid cloud storage

State regulations call for reliable video surveillance footage that is accessible, in most cases, 24/7 and upon demand by cannabis regulatory authorities and local law enforcement acting within the limits of their jurisdiction. SecurityInfoWatch.com reports that video data is the industry’s next big investment, meaning there will be an increased demand and need to store video surveillance footage. Most states require video surveillance footage to be retained for a specific amount of time, often 45-90 days or longer if there is an ongoing investigation or case that requires the footage. While some businesses only retain video data for the state-required length of time, others choose to keep it longer.

Storing data on-site can become expensive and precarious. Best practices call for a hybrid cloud storage model, as it provides on-site storage as well as both public and private cloud storage. This model gives users the ability to choose which files are stored on-site and which files live in the cloud. Doing so improves file accessibility without impacting or compromising on-premises storage. In addition, it’s helpful to have two methods of storing digitized data, for safety’s sake. In the event an on-site storage method crashes—though hopefully this won’t ever happen—there’s a version available off-site via the cloud. That said, with cloud-based storage solutions come cybersecurity threats that must be managed.

Cybersecurity

Dispensaries are prime targets for burglary. Defending a storefront requires a comprehensive security plan

Due to the ongoing COVID-19 pandemic, more businesses are online than ever before. Unsurprisingly, cyberthreats are on an upward trend, including in the cannabis industry. Earlier this year, MJBizDaily reported that a data breach exposed personal information of current and former employees of Aurora Cannabis. The incident involved “unauthorized parties [accessing] data in (Microsoft cloud software) SharePoint and OneDrive.” Although this breach involved only employees, confidential customer information is also at risk of being compromised during a data breach.

On a separate occasion, an unsecured Amazon S3 data storage bucket caused a large-scale database breach that impacted almost 30,000 people across the industry, according to the National Cannabis Industry Association. The breach included scanned versions of government-issued ID cards, purchase dates, customer history and purchase quantities. Unlike the Aurora Cannabis breach, this one included customer data. 
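To make the unsecured-bucket failure mode above concrete, the following added example (not part of the original article) audits exported S3 bucket settings for public exposure. The bucket names, policies and helper functions are constructed for illustration; the field names follow the shapes of S3 bucket policies, ACLs and Block Public Access settings.

```python
import json

# Group URIs that S3 ACLs use for "anyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four S3 Block Public Access settings.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard_principal(principal):
    """True when a policy statement's Principal matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition.

    Simplification (assumption of this example): a statement that carries
    a Condition is not judged here; it still needs a manual review.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", f"statement[{i}]")
            for i, s in enumerate(statements)
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def public_acl_grants(acl):
    """Permissions the ACL grants to the public groups."""
    return [g["Permission"] for g in (acl or {}).get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]


def audit_bucket(cfg):
    """Return a list of findings for one bucket's exported configuration."""
    findings = []
    pab = cfg.get("PublicAccessBlock") or {}
    off = [k for k in PAB_KEYS if not pab.get(k)]
    if off:
        findings.append("block-public-access disabled: " + ",".join(off))
    # RestrictPublicBuckets overrides a public policy; IgnorePublicAcls
    # overrides public ACL grants. Without them the exposure is live.
    open_stmts = public_policy_statements(cfg.get("Policy"))
    if open_stmts and not pab.get("RestrictPublicBuckets"):
        findings.append("policy open to everyone: " + ",".join(open_stmts))
    grants = public_acl_grants(cfg.get("Acl"))
    if grants and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants to public group: " + ",".join(grants))
    return findings


# Constructed sample data: bucket names and policies are invented.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-id-scans/*"}]})
LOCKED = {k: True for k in PAB_KEYS}
BUCKETS = {
    "example-id-scans": {"Policy": OPEN_POLICY},
    "example-pos-backups": {"PublicAccessBlock": LOCKED, "Policy": OPEN_POLICY},
    "example-video-archive": {
        "PublicAccessBlock": dict(LOCKED, IgnorePublicAcls=False),
        "Acl": {"Grants": [{"Permission": "READ", "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}},
}

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(name, audit_bucket(cfg) or "no findings")
```

The same public-read policy is reported on the first bucket and produces no finding on the second, because the fully enabled Block Public Access settings override it.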

Just like other more established industries, the cannabis industry needs to protect and secure confidential data. If you don’t have a cybersecurity expert on your team, consider hiring a consultant to evaluate your risk or partnering with a credible cybersecurity technology company to implement proactive solutions. Before signing a contract, do your due diligence. Does the consultant and/or technology company understand the compliance regulations specific to the cannabis industry? Do their solutions meet the regulations in the state(s) where your facility operates? Taking the time to protect your company’s data before a breach occurs is proactive, smart business.

Smart Safes 

A smart safe like this one can help secure cash handling

Smart safes help secure cash handling, which, given the difficult banking environment for cannabis companies, means they’re on the list of best practice security technology products. What is a smart safe? A smart safe is a device that securely accepts, validates, records and stores cash and connects to other cash management technology solutions such as point of sale systems. Smart safes connect to the internet and provide off-site stakeholders visibility into a facility’s cash position.

A high-speed smart safe counts cash faster than a human can by hand and is an overall more secure way to deliver cash bank deposits. At the end of the night, making a deposit at a physical bank location can be dangerous, exposing your cash and the individuals responsible for making the deposit to threats. Using a smart safe reduces that threat and also helps cannabis operators comply with financial recordkeeping and documentation requirements. Due to federal cannabis prohibition, many cannabis businesses lack enough insurance to fully cover their exposure to cash theft, which has led to a trending industry-wide investment in smart safes.

Advanced access control

Best practice access control means more than a ring of keys hanging off the facility manager’s belt. Advanced access control gives cannabis business owners and managers the ability to manage employee access remotely via the cloud. This feature can limit access to areas within a facility and enables an individual to revoke access instantly from a remote location, making it a useful tool in the event of a facility lockdown or emergency. A mobile app and/or website can be used to lock or unlock secure doors, monitor access in real time and export access logs.

Advanced access control devices aren’t a standard in the industry yet. Although many state regulators don’t require cannabis businesses to utilize advanced electronic access control, using this technology is a best practice and may be required in the future.

Compliance software 

Understanding the ramifications and keeping up with state-mandated compliance is challenging. While state regulations can be found online, they’re often in pieces, leaving operators unsure about whether or not they have them all. Once an operator is confident that they have the most current version of all the laws, rules, and regulations that apply to their cannabis business, making their way through the dense legal jargon can be exhausting. Even after multiple readings, it can be unclear how to apply these guidelines to the operator’s cannabis business, which is one reason cannabis businesses work with a trusted legal counsel to meet compliance requirements. For trusted advisors and cannabis business licensees and operators alike, cannabis compliance software solutions are designed to not just check boxes for a cannabis business, but to help everyone involved understand how the regulations apply to the operation. These solutions improve accessibility so that employees at all organizational levels understand the rules and requirements of their position and the products they work with.

In addition, compliance software can help licensees and operators establish and implement best practice SOPs to meet regulatory requirements. Because the cannabis industry is young and many operators are moving fast, many cannabis businesses are vulnerable to security breaches and threats. Prioritizing security and compliance can help cannabis leaders protect against potential threats. Investing in the latest and most innovative security technology solutions—beyond what is required by state regulations—can help operators outsmart those who seek to steal from them and position their companies as industry leaders that prioritize safety and compliance, protecting not just cash and products, but the people who work in their facilities and the customers who purchase their products.

ASTM Introduces Retail Cybersecurity Standard

By Cannabis Industry Journal Staff

ASTM International, the international standards development organization, has proposed a cannabis standard for establishing retail cybersecurity protocols. Their D37 cannabis committee is currently working on the development of the standard.

The standard is designed to establish best practices for protecting critical databases in dispensaries, like inventory data, customer and patient information. The guide, developed by subcommittee D37.05, addresses “the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers,” reads the scope of the project.

Technical Lead for the subcommittee and president of ezGreen Compliance, Michael Coner, says they hope to provide SOPs for retail operations to protect business data while staying compliant. “Cybersecurity is among the most prevailing issues concerning the cannabis industry as well as the global cannabis economy,” says Coner. “Establishing strong cybersecurity protocols for dispensary retail owners will help ensure the protection of data to maintain the integrity of cannabis consumers’ personal information.”

The ASTM committee is currently inviting stakeholders such as retailers and regulators to help with things like “identifying new data security issues that arise while operating active retail dispensary businesses.”

Growing the Seed of Sale: Integrating Security with Business Opportunity

By Ryan Schonfeld

Anyone in the cannabis industry is well aware that theft of crops can economically devastate a grower. Security is critical, and thankfully, growers and dispensaries have many tools available to protect their investment. There is simply no excuse for not having a solid security posture to keep your business in compliance, from public-private partnerships to advanced security tools – in fact, it’s required in most jurisdictions.

In 2020, nationwide cannabis sales increased 67%, and support for legal marijuana reached an all-time high of 68%. New Frontier Data found that the U.S. legal cannabis market is projected to double to $41.5 billion by 2025.

The industry’s advancement impacts numerous areas, such as job and tax revenue creation, and provides a wide variety of valuable opportunities. For cannabis facilities to keep up with the market expansion and experience success, they must face two significant challenges: achieving adequate security and efficient business operations. Though the two can be seen as separate concerns, growers and producers must merge processes and solutions to tackle the issue as a whole.

Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan

Along with rapid growth, dispensaries face traditional security risks, such as workplace violence and retail theft, while cybersecurity risks have also become more prevalent. These potential issues make it clear that the stakes are high, and as the potential impact on a business rises, the need for real-time, predictive response increases. Insider threats are another issue plaguing the industry when you look at the rate of theft, diversion and burglary that is attributable to employees.

The cannabis market is complex: it’s expanding rapidly, has to meet essential regulatory requirements and faces high security risks. Therefore, security needs to be looked at holistically since it can be challenging to determine where a potential threat may originate.

With security top of mind, it is critical to move away from responsive behaviors and seek ways to manage security in a manner that gets ahead of threats, prevents them before they happen and responds to them in real time. But does a grower or retailer have the time and expertise to manage all this while keeping an eye on how security affects the business?

Remote Security Operations

The ability to comply with government regulations and protect a valuable cannabis crop at all stages of its journey from seed to sale makes security systems a mission-critical asset for cannabis growers. Security operations centers create a safer and more productive environment and provide state-of-the-art tools to protect employees, retail locations and grow facilities. But some businesses in the cannabis market may not have the resources or space to run their own centralized security operations, leading them to piece security together or do the best with what they can afford at the time. Running these facilities can also be prohibitively expensive.

But new options take the process of security off the table. The business can focus on the growth of its core functions. Remote security operations services allow companies to take advantage of advanced security services typically only possible in larger enterprise environments. These services are offered on a subscription basis, delivered through the cloud, and are entirely customizable to detect risks unique to your business operations while saving each company significant expense.

Centralized security operations centers leverage intelligent tools, standard operating procedures and proven analytic methods to provide cannabis facilities with the information and guidance necessary to mitigate issues like retail or grow theft before they can have a significant impact.

The integrated, holistic response center staffed by experienced operators and security experts delivers a comprehensive security and regulatory compliance method. This approach is designed to provide complete data about what is happening across a cannabis business, from seed to sale, and how individual events can impact the company as a whole. As a result, stakeholders get the security intelligence they need, without the high overhead, personnel investments and complex daily management.

Businesses in the cannabis market that are looking to supplement their security operations with additional workforce, but may not have the budget or infrastructure to do so, should consider remote security operations services. With the experts handling all the heavy lifting, leaders can focus on growth. And, right now, in the cannabis industry, the sky is the limit in terms of opportunity.

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry

By Andy Jabbour, Ben Taylor

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

In order to understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first identify the current security environment in order to understand the threats, briefly highlight specific case studies, assess the risks, and identify ways that individual organizations, as well as the cannabis industry as a whole, can take action to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part of any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand, noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar to ransomware attacks in its design, cyber extortion typically involves a threat to leak personal information, and the attackers will generally demand payment in cryptocurrency in order to maintain their anonymity.
  • Remote Access Threats: The shift to more remote operations that 2020 forced on organizations as they rethought how they conduct business can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecured Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyberattacks against remote access software, referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

Lumu: 2020 Ransomware Flashcard

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that serve either medical patients, or both medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which is much more valuable on the dark web than personally identifiable information (PII). But even adult-use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed-to-sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small to medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting,” where cybercriminals target larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Group-IB: Ransomware Uncovered

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020, researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two open-source Kibana apps were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting users at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020, Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised were credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses that have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

DoorDash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019, nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization, from leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO), says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAOs (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed, which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector-led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org.