Tag Archives: VPN

Facing Cybersecurity Risk? Here are 6 Ways to Minimize it.

By Brian J. Schnese
No Comments

The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ less than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.

Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store and the industry’s shift toward operational automation to increase yields and lower labor costs and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.

Safeguard your corporate networks and internet connections by encrypting information and using a firewall.

Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was incapable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.

A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.

While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.

Six hallmarks of a strong cyber-defense program:

  1. Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
  2. Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
  3. Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
  4. Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
  5. Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
  6. Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

What if a breach occurs?

Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients?  When an organization has armed itself with a cyber insurance policy, they not only transfer much of their risk, but they often gain access to a carrier panel of specialized response providers that include breach coaches, forensic investigations firms and privacy attorneys.

In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.