Many cannabis businesses are starting to take a closer look at their IT security for a variety of reasons, including the ongoing ransomware epidemic, the need to show sophisticated internal controls and operations to investors and acquiring businesses, and more people coming into the industry from other sectors (retail, manufacturing, finance, etc.) that already understand the importance of a mature, well-structured approach to IT.
If you’re one of these businesses and aren’t tech-savvy, the first step is understanding the basics of IT security and how to protect your business from cyber attacks. Here’s our advice as an IT company serving the cannabis industry on how to approach it.
Principles to Follow
Defense in depth
Similar to the way prisons don’t have just one fence, but a series of interlocking security measures, procedures, and controls, you don’t want to depend on one security feature to protect your data. You want your IT to have both vertical and horizontal depth – so it’s difficult to both break into initially and move around in once you’re inside. The most basic example of this is having both a firewall and antivirus software on your PC. Firewalls block threats from getting onto your PC in the first place, while antivirus software blocks malware from running and quarantines and deletes it.
Zero trust / deny all
There are a million ways for hackers to get into your network. It’s best to just block everything by default and only give people and assets access to what they genuinely need.
You’re only as secure as your weakest point. You have to consider security holistically and ensure you have an equal level of security throughout your organization and at all levels of your networks.
Cannabis businesses, if they think about IT security at all, usually focus on endpoints, but networks are just as important, if not more so. Networks are the entry point into your company from the public internet, and if you have a “flat” network with no segmentation it’s easy for hackers to reach more accounts and data beyond their initial foothold in your systems.
Install a network-level firewall at each location
Think of it as your network’s security guard: it blocks blacklisted domains and unused ports, restricts access to approved IP addresses only, scans and filters traffic for malware and hacking attempts, and alerts you to suspected intrusions.
Segment your networks
Divide your networks to keep secure and insecure traffic separate and make it difficult for hackers to move around (“move laterally”) inside your networks. Create a Guest WiFi network for that purpose; don’t let clients connect to your company’s internal network. Make sure your POS is on its own network if you have one.
Make sure everyone on your team has a unique account so any issues can be tracked to a specific person. Also, make sure you have a process for adding and removing users as soon as they’re onboarded and offboarded.
Enforce strong password policies, requiring users to select passwords that are at least 12 characters long and include uppercase and lowercase letters, numbers, and special characters. You can do this in Windows Active Directory and/or your software’s admin panel. This protects you from brute force attacks and from people guessing your passwords.
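As an added example (not from the original post), here is how the password policy just described would be applied to a Windows Active Directory domain with the ActiveDirectory PowerShell module, showing the weak out-of-the-box setting beside the hardened one. It assumes you run it as a Domain Admin on a domain-joined machine; the domain name “cannabis.example” is a placeholder.

```powershell
# Added example, not the post's own code. Requires the RSAT ActiveDirectory module
# and Domain Admin rights. "cannabis.example" is a placeholder domain name.
Import-Module ActiveDirectory

$domain = "cannabis.example"   # placeholder: replace with your domain's DNS name

# Weak setting: a freshly built domain ships with a 7-character minimum and
# no account lockout (LockoutThreshold 0), which is what makes guessing cheap.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration

# Hardened setting: 12-character minimum, complexity on, password history so old
# passwords cannot be recycled, and lockout so brute-force guessing stalls after
# ten wrong attempts within a 30-minute window.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Caveat: AD "complexity" only requires three of its character categories
# (uppercase, lowercase, digit, symbol, other Unicode), not all four the post
# lists. Enforcing all four needs a third-party password filter, so pair this
# policy with the user training covered later in the post.

# Verify the change took effect before moving on.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold
```

If your line-of-business software has its own admin panel rather than using AD accounts, apply the same minimums there; the domain policy only covers Windows logins.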
Multi-factor authentication (MFA)
Multi-factor authentication means entering a code sent to your smartphone at login to confirm it’s you. It keeps you secure even if a hacker gets their hands on one of your passwords. Your software may include this feature, or you can set it up separately.
“Endpoint” is a fancy nerd term for devices that people directly use like desktops, laptops, and tablets, as opposed to centralized, shared resources like servers, switches, and wireless access points.
Install antivirus on all your Windows devices. Mac and mobile devices don’t need antivirus in most cases. Make sure your antivirus is always up-to-date and that you get alerts if it’s disabled. Business-grade security suites let you monitor and manage all your antivirus installations remotely in a centralized way.
Mobile device management (MDM)
Software that lets you manage all your mobile devices remotely. It lets you restrict these devices to designated apps and approved websites, and lets you remotely update apps, troubleshoot, and wipe data.
Most hacks and malware specifically target known vulnerabilities in outdated software, especially the Windows operating system. Make sure you keep all your software up-to-date. You can use Active Directory and other management software to push updates to a large number of machines at once.
Encrypting your devices prevents people who have physically stolen one of your devices from easily logging into it and accessing your data. Most mobile devices include encryption by default as long as they’re password-protected. Windows Pro PCs are encryption-ready. Network-based storage has a form of encryption called data at rest encryption (DARE) that ensures data can only be accessed from that specific machine or storage array.
Make sure your users understand the basics of IT security. It’s difficult to protect your IT if your users keep clicking on links and email attachments that steal their credentials or contain malware. Teach them about:
- Selecting strong passwords
- Enabling MFA
- Allowing antivirus scans to complete
- Recognizing and reporting phishing emails
- Avoiding dangerous websites when on work devices
- Reporting suspected intrusions / data breaches to managers
Backups aren’t always lumped into IT security, but they can come in handy in a few situations:
- If your data is encrypted by ransomware and you have to restore it from backups
- If your data is deleted accidentally or on purpose (by a disgruntled ex-employee, for example), you can restore it
- If one of your devices is infected with malware, you can factory wipe it and restore it from a clean backup
You have to take care to secure your backups and keep them separate, to some extent, from your “production” or active files and data.
Most cannabis industry-specific software is cloud- or web-based. In most cases this means that you have limited control over the security of these applications, aside from things like the passwords you choose, making sure your employees don’t leave logged-in devices unattended, and whatever features or customizations the vendors offer.
The good news is that these software firms have talented people working for them and have a pretty strong track record for securing client data, aside from a few incidents involving MJ Freeway (Akerna) some years back.
But go ahead and do your due diligence if you haven’t already. Ask them in broad terms how they secure your data or see if this info is available on their website. They may have a SOC or PCI audit report for you to review to get a sense of the controls they have in place. They may be a little reluctant to share specific information, but that’s a good thing – you don’t want them to be publicly advertising exactly how they’re protecting your data, which would be like publishing instructions on how best to hack them.
Also try to get details on how they’re backing up your data. If possible, see if you can get that data exported or sent to you so you can back it up separately. If your data gets lost for whatever reason, it’s you that’s going to be in trouble for not retaining your records for the required period, not the cloud provider.
Now that you know what secure cannabis IT looks like, compare it to your own. Perform a gap analysis to determine where you are and what you need to do to get your IT security where you want it to be. You may want to bring in an IT pro to help you with this if you don’t have a background in IT.