Marijuana has always been popular and deeply embedded in culture, but now has become a lucrative industry. According to projections by Grand View Research, the legal marijuana market is set to reach a worth of $146.5 billion by the year 2025. Such growth potential attracts customers, investors, collaborators and also – hackers.
Businesses around the country invest funds into their online presence but are unknowingly opening the door to cyber-attacks of all kinds. To preserve your marijuana business and prevent losses, you need to improve your cybersecurity. With these tips, you will gain significant protection from malicious hackers.
Compliance with HIPAA
Many marijuana businesses want to expand into the medical marijuana market but are unaware of the challenges ahead of them. A lot of confusion exists around gathering, providing and storing information for medical cannabis. Even though the product is “technically” the same, the rules and regulations are far different.
An important factor in maintaining cannabis cybersecurity is compliance with the Health Insurance Portability and Accountability Act (HIPAA).
As a medical cannabis retailer, you need to maintain the security of the information of your customers. Technically, since your product is advertised as “medical,” any transaction information and customer data are considered protected health information.
When a patient obtains a medical cannabis card, they are purchasing medication. To avoid repercussions and punishments, your brand needs to be compliant with HIPAA, meaning that cybersecurity is essential. It’s not about losing money or time over a DDoS attack – you can lose your entire brand.
- A great start would be checking into your ERP and POS security software to check if everything is compliant with HIPAA.
- Make sure you only collect the data you truly need. Anything else is breaching the patients’ privacy and is thus breaching the HIPAA regulations.
- In addition to collecting data on a need-to-know basis, the patient has to consent to share every mandatory piece of information.
POS and ERP – staples of every cannabis cybersecurity strategy
The Point of Sale or POS is the most vulnerable part of every cannabis retail system, and yours is no exception. POS software calculates the origin of money owed by the customer, indicates the amount, generates an invoice and finishes the transaction.
Every one of these steps is a perfect target for a cyber-attack. Optimizing your POS software is essential when improving your cannabis cybersecurity.
What can hackers do if they compromise your POS system? Amongst other things, they can:
- Change the prices throughout your website
- Generate fraudulent invoices to your customer, causing them to funnel money to the hackers, all while thinking they are paying you
- Compromise the security of funds owned by both you and the customer
How can you prevent all this from happening? Maintaining cannabis cybersecurity through POS and ERP system is an easy, but often disregarded process. It consists of the following steps:
- Do extensive research about POS software providers. Pick a company that is based on your specific cybersecurity needs.
- Ask a lot of questions to see if the system is compatible with your ideas and plans. Don’t limit yourself to just basic security measures – know how they protect their server, as this directly affects the security of your customers/patients.
- Pick an ERP system that focuses on security.
- Always aim for companies that provide flexibility and that are willing to accommodate to your needs.
- Have regular security brush-ups with your software providers, ask for regular reports and always seek to improve the level of security.
Knowing that every transaction process is airtight and immune to cyber-attacks is reassuring, but this is one part of tailoring cybersecurity for your marijuana business. Due to the growth of automation, growth operations are at risk too.
Protect more than your website
Many marijuana businesses started as retailers, but have managed to expand and obtain a license to grow. This is a big step for any cannabis entrepreneur – a step that requires you to improve cybersecurity.
Running a marijuana business of a certain size often requires you to run several co-existing operations. If you also own a growth facility, the risk if even bigger. Leaving your POS system vulnerable can lead to much more calamity than your website being taken down – it can kill your plants.
Hackers are highly skilled and able to access one system of yours through another. After gaining access to one part of your network, attackers may gain control of your heating, cooling and irrigation systems. With just one altering of the temperature or the water pressure, your entire growth operation may perish.
Don’t fool yourself thinking that hackers are only after information. These individuals are highly skilled and be sure that they’ve done their homework about how marijuana businesses function. By strengthening your cyber security and investing in the right systems, you are protecting everything your brand stands for and depends on.
When combining multiple systems, make sure the integrated platforms work well in sync and that they have all taken the necessary efforts. A quality cyber security system consists of individual sections that work well in unison. A good ERP-POS combination is the staple of cannabis cybersecurity.
Limit access to employees
Information is power. Letting your budtenders and employees use it to enhance their performance and grow your business is a dream come true. But hold that thought for a second.
While data provision may be empowering, handing it over to employees is a security risk. Thus, you should only allow employees access to the information that’s needed for their particular duties.
There is no need for a budtender to know every password or everything related to the POS system. Putting barriers to information access makes it easier to define specific roles, but also to protect your data.
The less information an employee is trusted with, the lesser the risk for a security breach. You can never be too careful with sensitive data integral to your business. It’s better to prevent breaches than to subsequently deal with the damage they inflict.
