Features Security
Taking a risk-based approach to cybersecurity

Due to their business model and operating environment, members of the cannabis industry are uniquely vulnerable to cyberattack.

Cannabis companies tend to favour outsourcing and other rapidly deployed approaches over traditional IT infrastructures. By the first half of 2019, multiple breaches had been reported in the Canadian cannabis industry; a survey of clients indicated that although 50 per cent of cannabis companies had reported a cyber security incident, 80 per cent did not feel that they were capable of identifying an attack. In fact, the cannabis industry as a whole is not fully aware of the extent of the threat.

Recognizing the Threat
Cultivators, manufacturers, packagers, transportation and logistics firms, and dispensaries are all potential targets of an attacker. Cyber risk is not related to the size of the organization. Traditionally, organizations have focused on physical security first, and then on securing patient data and payment information. Both these data types tend to be regulated and can add a significant burden onto any company. The work effort is increased with additional regulatory burdens, such as emerging regulations requiring security breaches to be reported.

The unique aspects of the cannabis industry also require other information to be protected. These include:

• Employee information, including salary and other contractual agreements;
• Intellectual property and research and development related to strain development, growing conditions, partner and market relationships;
• Transport information pertaining to product shipments;
• Access to the industrial control systems used to automate greenhouses and other production systems.

This data must be protected from regular cyber criminals, organized crime and malicious insiders. The insiders could be non-malicious (employees who accidentally release client information via a misconfigured website), or they may be employees looking to gain information to start a competing business.

There have been some instances reported of companies placing employees within a competitor’s organization in order to gain access to critical data, particularly client data and pricing information.

Furthermore, data is not just at risk of exposure. Cyber attacks could also result in making data unavailable to the affected organization by deletion, or causing a “denial of service” attack. These could have a significant impact on a company, and give a competitor a significant business advantage.

An incident response plan will help an organization prepare for the worst possible breach event. It should outline the responsibilities of both business and technical responders. Photo: AdobeStock

An attack as simple as accessing and resetting greenhouse control systems to alter a crop’s growth conditions could have a significant impact on a grower’s success, and give a competing firm an advantage.

In such a hostile environment, how do you minimize your cyber risks?

Like all start-up organizations, members of the cannabis industry must adopt a risk-based approach to cybersecurity – identify the information that is truly important, and then protect it in a rational manner dependent on its value. Because start-up companies, especially in the nascent cannabis industry, may lack experience and expertise, it is best to engage third-parties to provide needed support. The organization must employ a comprehensive program that includes:

1. Securing the people
2. Securing the data and network
3. Securing the logistics chain
4. Implementing an incident response program

Securing the people
The primary means of attacking any organization is through the people – employees, contractors, visitors, or any other person who can access the network and its data. To minimize the attacker’s success, all organizations must remember to:

• Make cybersecurity a priority across the organization; reinforce this with an information security and acceptable use policy, acknowledged and signed by all employees.
• Provide security awareness training to engage employees in security, and recognizing and responding to identified risks, such as phishing, social engineering and ransomware.
• Validate the training by conducting regular phishing tests; send simulated phishing emails and provide additional training to persons who fail to recognize the emails.

Securing data and the network
Attackers test the security of your network on a constant basis – you should be doing the same. Assess the security of remote access, the wired and wireless networks, and network and data components that are hosted in the cloud. Pay attention to:

• Basic security principles (assigning least privilege, use of unique passwords for each person, two-factor authentication for access to important systems, encryption of data during storage, and when it is transmitted, detecting and managing vulnerabilities, and intrusion detection);
• Use of personally-owned devices on the corporate network. Imagine that a malicious insider has copied proprietary data to a personally-owned device. Because it is personally-owned, you have little recourse in collecting the evidence to reduce corporate liability. Policies around use of personally-owned devices must be developed in each corporate setting;
• Logging of all significant events. This is especially important in determine what happened during an attack, what data was compromised, and attributing responsibility for the incident.

Securing the logistics chain
When sharing information or network resources with a third party (hosting a sever in the cloud, or vendor’s application software on your premises), ensure that the contract:

• Formerly establishes and maintains ownership of your data;
• Limits access to, and use of, your data by members of the third party;
• Requires the third party to secure your data – either to your security standard, or to that of an accepted international standard;
• Allows you to audit the third party to ensure compliance;
• Defines what will be done with your data when it is no longer required by the third party.

Implement an incident response program
Finally, always start a security program by preparing for the worst possible event – how will you respond to a breach of information in your care? As they say. assume the best, but prepare for the worst.

An incident response program will include:

• A formal incident response plan, endorsed in advance by senior management, that outlines the roles and responsibilities of both business and technical responders;
• A playbook of prepared responses to common incidents such as a phishing attack, ransomware, loss or theft of a device containing sensitive information, or other events;
• Sufficient tools and training for responders to respond, or engage third parties to provide supplementary support;
• Validation of preparedness with active tests, such as tabletop exercises;
• A cyberinsurance policy to account for the remaining residual risk.

This program will not change the environment in which the cannabis industry operates – if the rewards are significant, so are the risks. However, it will reduce the cyber risk component, and provide the initial steps needed to secure all aspects of the cannabis industry.

Robert Beggs is a security practitioner with more than 15 years of experience in the security industry. He is the founder and CEO of DigitalDefence, a Canadian company that specializes in preventing and responding to information security incidents.