Along with new efficiencies and growth opportunities, the cannabis industry’s digital transformation is creating a new challenge for operators: cybersecurity.
For instance, retailers’ increasing reliance on integrated digital platforms for key functions like point-of-sale transactions and customer loyalty programs is also making them prime targets for sophisticated hackers.
With vast amounts of customer data at stake, the potential for costly and damaging data breaches has never been higher, underscoring an industry-wide need for proactive security measures, operators and security experts say.
“Retail in general continues to be a very big target for cybercriminals,” said Ben Taylor, executive director of the Virginia-based Cannabis Information Sharing & Analysis Organization, a non-profit organization that offers resources to support the cannabis industry’s security.
“For cannabis businesses, the biggest thing to focus on as they’re adopting more digital solutions is that their attack surface – the avenues that a threat actor could breach their network – is expanding,” he added.
Cannabis’ digital transformation creates efficiencies – and risks
The cannabis industry has operated in a cash-based, brick-and-mortar world for years, but the modern dispensary is a hub of digital activity.
E-commerce platforms, online ordering, digital payment systems and data-driven marketing tools are now standard – a shift that’s unlocked new levels of efficiency and customer engagement.
But it’s also opened the door to significant digital risks.
Every transaction and customer interaction generates valuable data, from purchase history and personal identification to contact information – prime targets for cyber criminals.
Earlier this year, for example, Los Angeles-based cannabis operator Stiiizy sent a data breach notification to the Maine Attorney General noting that about 380,000 users were potentially impacted by a cyberattack against a point-of-sale software vendor.
While details are scant, observers suspected a ransomware attack.
In a separate incident, an Ohio company that handles medical cannabis recommendations appears to have left nearly 1 million records that contained sensitive personal information in a publicly accessible database.
That’s led to a state investigation and federal lawsuits.
Beyond the financial and reputational damage any business would face, a breach could expose customers’ personal information related to a federally illegal substance.
This could lead to severe privacy violations, legal liabilities for the business and a loss of customer trust that is difficult to regain.
A new frontier in cannabis security
Recognizing the growing threat, some technology leaders in the cannabis industry are taking steps to fortify their defenses.
Sweed, a retail technology platform, recently launched a “bug bounty” program in which ethical hackers and security researchers from around the globe are invited to test its core web services and retail data infrastructure for vulnerabilities.
In return for disclosing any security flaws they discover, the researchers receive financial rewards of up to $2,000, with the payout amount determined by the severity of the identified issues.
The hope, according to Sweed co-founder Rocco Del Priore, is that the bug bounty program will help Sweed build stronger software and build trust among its customers.
He noted that as the industry matures, it’s becoming more corporate, involves more public companies and relies more heavily on processes.
“We’re mature enough and confident enough in our platform that we’re inviting anyone anywhere in the world to come break it,” Del Priore said.
Actionable steps for marijuana operators
Retail operators also have a role to play in protecting their businesses and customers.
Taylor has been vocal about the vulnerabilities facing cannabis retailers today.
“You can have the most robust compliance in the world, but if your network is vulnerable or your POS can be breached, your entire business and customer trust are on the line,” he said.
Taylor notes that the increase in e-commerce and digital ordering has attracted more sophisticated threat actors, and even one exploit can have consequences far beyond a stolen credit card – potentially exposing sensitive health information, customer identities or operational data.
According to Taylor, bug bounty programs like Sweed’s improve transparency and signal to both regulators and customers that operators are taking data security seriously.
“Speed to market is so important for these software companies,” Taylor said. “That bottom line is really pushing things, and security can fall by the wayside.”
What retailers can do to protect themselves
Eric LaForce, head of engineering at cannabis wholesale platform LeafLink, said as the industry matures, cybersecurity will become more important than ever.
One challenge for multistate operators is navigating varying state regulations surrounding operations and cybersecurity – an issue LaForce says can be rectified by developing a set of standards that are uniform throughout the company.
“It makes it easier to know what you’re supposed to do,” he said.
Among the measures cybersecurity experts such as LaForce and Taylor say cannabis retailers should take are:
- Prioritize employee training: Your staff is the first line of defense. Training on recognizing phishing scams, using strong passwords and understanding data privacy policies can prevent many security issues.
- Choose secure technology partners: Vet your technology vendors thoroughly. Ask potential POS, e-commerce and marketing vendors about their security protocols. Do they have a dedicated security team and conduct regular penetration testing?
- Develop an incident response plan: No system is impenetrable, so it’s important to have a clear, actionable plan in place for what to do in the event of a breach. The plan should outline steps for isolating the affected systems, notifying customers and regulatory bodies and recovering operations as quickly as possible.
“A lot of folks just don’t think about cybersecurity,” LaForce said. “You have to be having these kinds of conversations – talk to your staff, make sure they understand the types of attacks that are possible.
“Those things have real consequences, and raising awareness is really critical.”
Margaret Jackson can be reached at margaret.jackson@mjbizdaily.com.