Human error and complacency are the primary threats to your business
The often-portrayed hooded hacker cracking into a business network with just a keyboard and an internet connection is, with rare exception, a fallacy. While the standard lighting and dress of those who commit cyber-attacks is inconsequential, the fact of the matter is that the vast majority of cyber criminals look for an unwitting accomplice to gain access to vital information.
“Being in the security industry, I just don’t see many big, sophisticated hacking attacks,” says Gary House, owner of the security company Dem360. “Where you see that is like the North Koreans are attacking the U.S. Air Force and their systems. But in retail markets, corporate environments and particularly in cannabis companies, it’s just the social engineering, non-sophisticated attacks that make up a large part of the activity that’s taking place.”
Properly maintained security software is crucial for any operator, says Michelle Drolet, the founder and CEO of the data security provider Towerwall. But simply having security software isn’t going to keep a company’s data safe; operators and employees need to understand the threats and have procedures to protect themselves against the evolving world of cybercrime.
“Cybersecurity is a journey, not a destination, because the bad guys are always getting better,” Drolet says. “New technology like AI is good for the good guys, but it’s good for the bad guys too.”
Data breaches occur every day, and the overwhelming majority of them are from simple phishing campaigns.
“There are so many layers of security and antivirus and EDR [endpoint detection and response],” House says. “The criminals are saying, ‘Okay, you put up this big roadblock, we’ll just go around.’”
The way these criminals go around is devilishly simple: they reach out to anyone with access to the data and lie to get that person either to unwittingly download ransomware or to hand over their login information directly. This could be done with a phone call, an email doctored to look like it came from someone within the company, through social media or really through any means of contacting someone who holds the access information.
“Pure play cybersecurity is building the system and having your employees understand it, because they are the weakest link,” Drolet says. “The employees know what the rules of engagement are and that means building out acceptable-use policies or the overarching information security policy, so everybody’s marching to the same drummer.”
What’s at Risk
A common misconception among smaller and even mid-size operators is that cyber-attacks only target larger businesses. Smaller operators often think they don’t have valuable data to steal, Drolet says.
“It hurts my heart when a small business owner says, ‘I don’t have anything anybody wants,’ because that’s not true,” Drolet says. “They could have bandwidth, computing power, their employees’ data, their customer data or patient data, intellectual property.”
Data security is really meant to protect the same assets in cannabis as it would in practically any other business: financial data, intellectual property and personnel data, which would include employee information and/or customer data, House says. Financial data is basically accounting information and should only be accessed by a small handful of people working directly with the company’s finances, such as the chief financial officer, accountant or finance manager. Personnel data and intellectual property should only be accessible to those who need access in order to perform their duties. House and Drolet both warn that patient data inherently has its own subset of rules in accordance with HIPAA, so mishandling that information can come at a higher risk to the operator.
Insurance companies have been evolving their policies in response to the strategies employed by cyber criminals and regularly add new requirements to ensure their clients aren’t negligent about the threats. For example, many insurance providers require security features such as multi-factor authentication and intrusion detection and prevention, as well as layers of email security, before a company is eligible for coverage.
“Insurance companies are saying, ‘Hey, we’re not going to underwrite or renew your policy if you don’t have a certain number of security controls,’” House says, adding that many insurance providers now have their own questionnaires to evaluate risks.
Companies applying for data coverage or renewing their insurance will likely have to pass the provider’s threat assessment, which will ask what the company is doing to protect access to its privileged user accounts, what anti-virus software it is using and what sort of email encryption is being used, among other factors, House says.
“A lot of our clients’ eyes glaze over looking at these insurance questionnaires,” House says. “They’ll send it to us because we’re their IT support. We’ll look at it, review it and we’ll have to answer it honestly.”
Depending on the level of risk, the provider may deny coverage outright or grant it with a stipulation that the company address the specified weak point(s) within a given timeframe or lose coverage. House says this process often leads to a larger conversation about the risks the client is taking on by not having certain protections in place.