To celebrate 420 Cannabis ISAO Executive Director Ben Taylor worked with four cybersecurity professionals to compile a list of 20 cyber best practices for the cannabis industry. This blog expands on their tips and includes additional insights and resources. Check out our Twitter thread on these tips.

Cybersecurity best practices graphic for the cannabis industry.
  1. Create a leadership-driven cyber culture that prioritizes security.
    • Culture needs to be reenforced from the highest levels of organizations, and that includes when we are talking about the importance of security. Cybersecurity is not just an “IT issue” but one that impacts the entire business and needs the attention of the most senior members of the organization.  This article highlights how a cyber incident elevated security for the board of directors. Forbes, and Harvard Business Review have recently written about the role of the board of directors in cybersecurity.
  2. Provide employee training, including complex simulations.
  3. Develop and test incident response and communications plans.
    • Going through a cybersecurity incident is stressful, and the last thing you want to do is be flying by the seat of your pants. Roles and responsibilities need to be determined ahead of time, and a plan isn’t even worth the paper it is written on if it hasn’t been properly exercised and validated. Several entities within the U.S. Government including the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC) offer tools to help organizations write cybersecurity and incident response plans. Communications are also an important part of incident response. Recently, the SEC settled with an organization for $3M claiming when it was determined they made false statements about a ransomware attack.
  4. Enable MFA. SMS is not as secure and can lead to MFA fatigue.
  5. Keep software & hardware up to date. Patch ASAP!
    • Timely patching fixes vulnerabilities on your software and applications that are susceptible to cyberattacks, helping your organization reduce its security risk. Organizations should also phase out older products which vendors are no longer supporting with security updates. Learn more about patching and security updates here.
  6. Deploy Endpoint Detection & Response.
    • Endpoint detection and response (EDR) platforms help security teams find suspicious endpoint activity to eliminate threats quickly and minimize the impact of an attack. Endpoint detection and response refers to a category of tools used to detect and investigate threats on endpoints. Crowdstrike offers a comprehensive overview of EDR.
  7. Use a reputable VPN.
    • A Virtual Private Network (VPN) makes an internet connection more secure and offers both privacy and anonymity online. Altamira breaks down all of the benefits of VPNs in this blog post.
  8. Check links before you click them. Beware of phishing attacks.
    • Clicking on malicious links can lead to compromised accounts and can infect your devices with malware. Learning how to check if a link is safe, before clicking on it, is important to keeping you safe online. You can check if a link is safe by hovering over the link to see if it’s the URL it’s saying it is or by using a URL checker
  9. Create strict password policies that include password managers.
    • Password policies should require different and complex passwords and include the use of a password manager. Microsoft offers a few recommendations for keeping your organization as secure as possible. The top 10 most common passwords for 2023 can be found here (hint, yours shouldn’t be on this list). If you are worried about whether or not your information has already been included in a data breach, check out https://haveibeenpwned.com/ to enter your email or phone number to see if it is listed in any known data breaches.
  10. Use a secure file-sharing solution to encrypt data.
  11. Utilize Mobile Device Management.
    • In this post, IBM explains how with a mature MDM platform, IT and Security departments can manage all of a company’s devices, no matter their type or operating system. An effective MDM platform helps keep all devices secure while keeping the workforce flexible and productive.
  12. Backup data- this will be huge during a ransomware attack!
    • Backing up data is one way to lessen the severity of one of the major concerns of a ransomware attack. We have already seen cannabis operators targeted with ransomware this year, and the threat is not going anywhere. To learn more about ransomware mitigation and response, check out our blog post.
  13. Adopt Zero Trust.
    • As explained in this Zaronis blog, Zero Trust is a strategic cybersecurity model that protects critical systems and data. Systems operating under a Zero Trust framework do not initially trust access or transactions from anyone — including internal users behind the firewall — and limit data access to minimize the blast radius of a cyber attack.
  14. Change default passwords on IoT/ISC/OT systems.
  15. Develop an acceptable use policy and actively monitor users.
    • Contracts Counsel details how an acceptable use policy, also called an AUP, is an agreement between two or more parties that outlines the appropriate use of access to a corporate network or the internet. The National Institute of Stands and Technology (NIST) offers an example of an AUP.
  16. Enable firewall protection.
    • Firewalls serve as a first line of defense to external threats, malware, and hackers trying to gain access to your data and systems. Fortinet details the top 5 benefits of firewalls.
  17. Implement identity lifecycle management practices.
    • As employees join, or leave organizations, or have their responsibilities change within the organization, they may require more or less access within the network. Microsoft explains how Identity Lifecycle Management aims to automate and manage the entire digital identity lifecycle process. This also applies to physical access!
  18. Develop vendor risk management procedures.
  19. Perform asset inventory to include IoT Devices.
    • It is important to not only understand what is connected to your network, but also how those devices and systems interact with one another and the outside world, as well as what security posture is in place for each of those components. Integriti has published a SMB Cybersecurity Guide to Asset Inventory.
  20. Participate in information sharing communities.
    • Good, we were hoping you would make it this far. You’ve probably heard the saying “a rising tide lift all boats.” We like to add that there is no competition when it comes to security. As an industry, it is important that we effectively collaborate to build our collective resilience. As an example, our colleagues at Securing Cannabis have put together a couple threat actor profiles of groups currently targeting the cannabis industry which we highly recommend everyone check out. The Cannabis Information Sharing & Analysis Organization (ISAO) offers a free Slack workspace where we share information on both physical security and cybersecurity threats, in addition to paid memberships which include more detailed threat reporting. Learn how you can get involved here.

Check out the latest blog highlighting issues important to cannabis security!

On