In this blog series, our Executive Director Ben Taylor highlights a selection of  cybersecurity, physical security, health or natural threat related stories from the past week.

Cybersecurity

Colonial Pipeline Hack leads Department of Homeland Security (DHS) to Issue First Cybersecurity Regulations

After the Colonial Pipeline hack, DHS will issue the first cybersecurity regulations. According to reports, the DHS Transportation Security Administration will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past. The new rules, expected in the coming weeks, will require companies to correct any problems and address shortcomings or face financial penalties, officials said. They will represent a marked shift for TSA, which has relied on collaboration with, rather than mandatory requirements on, pipeline companies. The anticipated new regulations are a strong reminder of the increasing scrutiny being given to cybersecurity and the importance of proactive risk management and security. For the cannabis industry, it will be important to approach this issue on the front foot before it leads to the potential for additional, government mandated regulations.

Insider threats: If it can Happen to the FBI, it can Happen to You

A federal grand jury has charged a former FBI intelligence analyst with stealing confidential files from 2004 to 2017. The story should serve as a great reminder that if insider threats can happen to the FBI, it can happen to any organization. For additional reading, this article digs into “usual suspects and red flags”, including employees who don’t follow best practices and unwittingly aid an attacker. As the cannabis industry grows, and competition rises and investments increase, the likelihood for insider threats and corporate espionage will grow as well. Here is an FBI article which explains how to detect and deter insider spies.

A Retailer’s Guide to Protecting Customer Data

Retail establishments collect and maintain a wealth of confidential data, not the least of which is credit and debit card information of customers which makes retail establishments particularly likely to be targeted by hackers; this industry has been one of the top five targeted industries for the past several years. With that in mind, JD Supra provided a list of areas that a retail establishment’s organization-wide security program should include. Storage of customer or vendor sensitive information should always be done safely and securely. Of course, for any business that also accommodates medical marijuana patients, storing any protected health information increases the risk. The full list has 12 areas, but for the purposes of this report, only the top 5 were included. The full list can be found here.

  1. A written information security policy made available online to all customers (and employees upon hiring and annually thereafter, with required acknowledgment of receipt and defined disciplinary steps for violations.)
  2. Annual training of employees with regard to the importance of data security and implementation of the information security policy.
  3. Classification of data stored by the retail establishment by degree of confidentiality, and access controls limiting employees from viewing or downloading data not within their level of access or necessary purview.
  4. A data breach response plan, designating the responsible persons within the company to be notified of any potential breach, identifying pre-screened IT vendors and outside counsel to assist in the response, and outlining the requisite steps to be followed by the team, including remediation of the breach, identification of affected records, and notification in accordance with applicable state or country’s laws to customers and other individuals whose personally-identifiable information was included in those records.
  5. Third-party outside audits by independent vendors conducting risk assessments, security audits, and penetration testing on some regular basis (frequency determined by the degree of risk created by the nature of the retail establishment’s practices, customers, and operations.)
Cyber Insurance is Not a Substitute for Cybersecurity

Overall, attacks are increasing in frequency, ransom demands are rising and the cyber insurance industry has reached a crossroad where cyber insurance cannot be used by victims of a ransomware attack as a substitute for inadequate cybersecurity solutions and practices. The next generation of cybersecurity solutions can prevent these types of ransomware attacks and insureds will need to show the insurance carriers that they are doing their part to prevent such attacks or risk a substantial increase in their cyber insurance premium or even non-renewal of their policy. Cyber insurers are being more diligent and requiring more transparency from the insureds that they are taking reasonable steps to protect themselves against a cyber breach, such as deploying next-generation antivirus and heuristic endpoint detection and response (EDR), implementing multifactor authentication (MFA), creating regular and offline/offsite backups, regularly patching critical systems and software, and educating their employees on cyber risks and training them in anticipation of a breach. Cannabis companies should not rely solely on managed services to handle their cybersecurity issues. It is important that a culture of cybersecurity is established within the organization in order to minimize the potential for future attacks.

Physical Security

The US Cannabis Industry’s One Big Problem: Too Much Cash 

With the COVID-19 pandemic and increasing legalization driving a surge in cannabis use, the sector’s producers, manufacturers and retailers are awash in cash, adding risk and costs to the most basic business transactions from paying employees and filing taxes to finding somewhere to store their income. “All this cash flowing around is just a recipe for disaster,” said Smoke Wallin, chief executive of hemp health products maker Vertical Wellness Inc. “How do you account for it? Where do you keep it? How do you move it? Even in a safe, it’s a security risk for employees.” During the last weekend of May 2020, when protests erupted across the US against police brutality and racism after the murder of George Floyd, there were at least 43 attacks on dispensaries along the West Coast, according to Cannabis media site Leafly’s review of police reports and business owners’ statements. As protests have led to property damage at a number of retail operations across the US, organizations are encouraged to coordinate with groups such as the Major Cities Chiefs Association Intelligence Commanders Group that can provide the most up to date information on local activity.

 

Be sure to check back every Tuesday as we publish our Library Card Series where we highlight one of the resources available in our library!

Check out the latest blog!