Many cannabis companies are “green” when it comes to cybersecurity. Like most startups in a fast-growing market, it’s easy for businesses to fall short when instituting even basic cybersecurity protections, leaving them increasingly vulnerable to cyberattacks.
What makes cannabis companies especially attractive to hackers is the vast amount of personally identifiable and protected health information they’re required to collect and the huge amounts of cash pouring into the industry. The best way to protect against these risks is by implementing cyber-defense strategies and securing the right levels of insurance coverage in the event of a data breach.
When an Ontario, Canada, cannabis distributor was attacked in August, what should have been a simple cyber issue quickly snowballed into a major disruption of the local supply chain. Product deliveries were delayed, and the business temporarily was unable to process orders. It’s critical to take a comprehensive look at cyber-risk management to protect against potential exposures.
6 defensive tactics to help ward off cyberattacks
Examine potential vulnerabilities
Organizations should study potential cybersecurity risks, considering all possible paths for an attack in order to avoid having important data and information held hostage for ransom. This includes phishing and social engineering scams, where a hacker sends a wire transfer or general business request to an employee who may open it and expose the company to a potential data breach. Organizations also should be aware of threats that may come from a third-party vendor or subcontractor. Savvy cybercriminals could use this backdoor approach into an organization’s information technology (IT) systems.
Train employees to recognize suspicious behavior
Most ransomware attempts start with a staff member inadvertently clicking on a phishing link. According to Cisco, 86 percent of organizations say they’ve had at least one worker click on a phishing link. As a result, it’s crucial to implement employee awareness training and in-house educational campaigns about the importance of cybersecurity. To ensure employees retain the information imparted, organizations can send simulated phishing emails and track performance to determine whether their training hit the mark. If it didn’t, regroup or redouble efforts.
Establish policies and procedures for cyber protection
A proactive approach is the best means of safeguarding vital company assets, so establishing an official framework or set of guidelines for cybersecurity is key. This includes developing corporate policy about passwords that drives password management from the top down, such as requirements for password content and change frequency. It’s also important to have a chief security officer, chief information officer, or other IT expert on staff or on contract. A downloadable framework is available from the National Institute of Standards and Technology for reference.
Implement authentication
Multi-factor authentication (MFA) should be used for email and other large applications, particularly for remote access to the network and all user accounts. Endpoint detection and response (EDR) allows for active monitoring of devices connecting to the network, providing an opportunity to react immediately to active threats. That being said, proper tools and a response team must be in place to fully realize the benefits of EDR.
Have a backup plan
Companies are less susceptible to any type of cyberattack if they have a good backup plan that allows them to recover stolen data quickly and ease disruptions. Perform frequent backups—every day if possible—and store the backups off-site and off-network. Determine how and by whom backups will be accessed, and seriously consider using MFA in conjunction with backups.
Build an incident response plan
The cornerstone of cyber-risk management is a company’s ability to respond to an attack, validate what happened, engage the proper resources to fight back, and remediate any damage.
Many companies aren’t fully prepared to handle cyberattacks, no matter the industry. This is why all organizations should require the development of a cybersecurity defense mechanism. Leverage the expertise of cyber policy underwriters, who can provide due diligence beyond the typical policy application to help an organization protect its data and avoid a cyberattack.
Remember, if a cyber breach occurs, transparent communication is essential—not only with law enforcement but also with customers and your insurance carrier. Use an attorney or cyber-breach coach—check with your insurance company to see if that’s included—to help answer any concerns associated with a cyberattack.
Jay Virdi, chief sales officer at HUB International, connects clients with a team of experts to achieve their business goals while protecting them from expected and unexpected risks in a highly scrutinized industry. He is a Chartered Insurance Professional under the Insurance Institute of Canada and holds an Honors Bachelor of Arts degree in Economics and Business Management from the University of Toronto.