Over 200 conditional cannabis cultivation licenses have already been approved, conditional processing applications are open, and experts anticipate retail regulations will be finalized shortly. The New York legal recreational cannabis market is barreling ahead with thousands of entrepreneurs diligently working on their applications.
One component most potential business owners will need to address is security: local municipalities want to maintain a safe community as they introduce this new industry into their neighborhoods. But while companies debate the proper number of cameras, alarm systems, locks, and other more traditional security measures, many are forgetting one vital element: cybersecurity.
All small businesses need to be concerned about cyber threats. This can include credit card theft, misuse of personally identifiable information, ransomware, or even leaked trade secrets. The cannabis industry is a particularly attractive and vulnerable cybercrime target. What makes cannabis different?
- Inherently due to the cannabis industry’s history of prohibition and complicated current legal status (federally illegal, but legal in some capacity in a majority of states), the industry already has a target on its back. Hackers may target cannabis businesses in an effort to de-legitimize the industry and reinforce preexisting negative stereotypes or acquire sensitive information about employees and vendors.
- The legal cannabis industry is also brand new and quickly evolving. There aren’t defined best practices or examples for cannabis businesses to easily follow or copy. This means many companies won’t have the threat of hacks on their business plan or strategy – making them a big target for even unsophisticated hackers.
- A significant portion of cannabis businesses are in the “startup phase.” Getting a cannabis business up and running is already extremely expensive. Businesses are operating on shoe-string budgets and prioritizing getting off the ground and not hardening their tech.
- Privacy is much more important to cannabis patients than in many other consumer businesses. Many cannabis dispensaries must manage and store medical information for their customers. And many of these customers might not want their neighbors to know how and why they consume cannabis. This makes cannabis businesses potential victims of ransomware attacks.
- Most cannabis businesses aren’t big enough to have an IT person or IT staff and are more likely to not have best practices in place to be able to handle a cybersecurity attack. This could result in an attack going unnoticed or staff members who aren’t properly trained to avoid phishing attempts.
Cybercrime is also expensive. IBM and the Ponemon Institute found that the average cost of a data breach exceeds $3 million. The National Cybersecurity Alliance backs this up by stating that six months after a security breach, 60% of small businesses stop their operations completely. For an industry where companies run on razor thin margins, a cyberattack can mean bankruptcy.
New York currently has no required cybersecurity protocols or standards for potential businesses to follow. As the Office of Cannabis Management drafts its security requirements, it’s imperative that they look to their neighbors in New Jersey. The state rightly requires cybersecurity elements in the security plans for all cannabis businesses.
Today, it should be considered a foundational element in any thorough security plan, just as much as video surveillance or alarm systems are. But even without any requirements, with the stakes so high, it’s not something cannabis businesses can afford to ignore.
Tracey Kauffman is the Chairman and Founder of Cannaspire. Cannaspire provides end to end cannabis consulting, products, and services working with cannabis businesses and policymakers. Tracey also founded Validity, a privately held Cybersecurity Solutions Provider that has been providing large enterprise businesses with industry leading cyber security solutions since 2003.