Most people understand the importance of physical security in the cannabis industry. Cannabis businesses in the US have to carry lots of cash on-premises and have a product that has a high black market value, so they make good targets for theft. Due to zoning laws, many are located in isolated or less desirable areas, which makes theft easier and more likely.
And even if you’re not too concerned about physical security, most states and cities require you to implement security measures like guards, alarms, and security cameras anyway, and will fine you or shut you down if you don’t comply.
In our experience, even those that take security seriously in the cannabis industry are still overlooking some important points, especially when it comes to IT security and surveillance system management.
Why Security Is Even More Important Than You Think
As you grow, even the little things can become a big deal. The nuances of security and compliance may not seem like a big deal when you’re just starting out and struggling to get off the ground and have so many other things to worry about. But maybe now you’re more established and have multiple locations, which means both that you have more resources to ensure your security and compliance and more to lose from not doing so. Plus, the bigger you are the more you become a target of regulators.
Banking reforms and better black market enforcement won’t remove all risks. Even if you could start accepting credit cards and all your black market competitors disappeared tomorrow, cannabis businesses would likely still be a top target for thieves due to the transportability, un-traceability, and high resale/black market value of their products, similar to jewelry stores.
The more mainstream cannabis gets, the higher your security requirements. Cannabis businesses are expected to be allowed access to mainstream banking and credit card processing soon. But this access also brings with it increased scrutiny from bankers and the requirements of PCI DSS.
Security is important to investors and buyers. If you’re looking to get outside investment in your dispensary business or eventually sell it to one of the big MSOs, your business needs to demonstrate mature operations and risk management, which includes a well-thought-out and well-executed approach to security and compliance.
Employee theft is an issue, whether you want to acknowledge it or not. You may not want to think that your employees or colleagues are stealing from your company, but it happens, especially since positions like budtender are relatively low-paying and high-turnover, and staffed by younger people that may not think too much about the consequences of their actions.
Dispensaries still have an image problem in some quarters. Don’t make it worse. Most people are fine with cannabis being legal these days, but many still view dispensaries as somewhat shady and are reluctant to shop there and may not want them in the same neighborhood as their home or business. See the example of California, where a majority voted for legalization but many cities still ban both dispensaries and deliveries. Crimes occurring at your business or getting hacked can scare people off even more, and sully the reputation of not only your business but the industry as a whole. If you want to be viewed as a safe, mainstream business, you have to act like one and take security extremely seriously.
Cybercriminals are getting more sophisticated and ruthless, and can seriously disrupt your business. Ransomware is a big problem and can delete all of your files in just a few hours, if not a few minutes. Phishing is getting harder to prevent too, as criminals are doing a good job of pretending to be company CEOs and mimicking legitimate emails like password resets, invoices, and shipping notifications. These aren’t problems that a quick scan with Malwarebytes every now and then can fix. They’re persistent threats that can paralyze your business for hours or days, cost you lots of money, and potentially lead to you having to shut down.
Data privacy is more important to consumers and regulators than ever. Having some hackers steal, say, your marketing lists, might not seem like a big deal. But GDPR and many state laws require you to protect your clients’ data and report any data breaches. Also, keep in mind that companies like Target can get away with having big breaches because they have the brand equity and billions of dollars in resources to recover, while you getting hacked might cause your top customers to leave you for your competitor down the street.
IT security solutions are less expensive than you think. For all but the biggest dispensary chains it’s impractical to hire a $100,000+/year in-house IT security expert. And some enterprise security solutions might be outside your price range. But most managed IT security services can cost as low as a few dollars per month per device, give you all the protection you need, and more than make up for their cost by preventing expensive security breaches and related outages.
Top Security Mistakes Dispensaries Make
Not Segmenting Your Networks
Segmenting your networks means separating your networks so they’re isolated from each other. You segment your networks when you create a guest WiFi network at your home, for example. Segmenting is typically done virtually, at the software layer, but you can also physically segment networks by, for example, having all your surveillance cameras and NVRs on a wired LAN that doesn’t even touch the internet or any other networks.
Segmenting keeps secure and sensitive information like POS transactions away from insecure information like guest WiFi web browsing, and keeps hackers from being able to expand their access to your networks after gaining an initial foothold.
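One way to check that a rule list actually enforces this separation, as an added example that is not from the original article: it walks first-match firewall rules and reports which forbidden flows (guest to POS, cameras to the internet, and so on) are still permitted. The address plan, segment names and both rule lists are constructed assumptions.

```python
import ipaddress as ip

# Constructed address plan and policy for illustration (not from the article).
SEG = {
    "pos":      ip.ip_network("10.10.10.0/24"),
    "cameras":  ip.ip_network("10.10.20.0/24"),
    "guest":    ip.ip_network("10.10.30.0/24"),
    "office":   ip.ip_network("10.10.40.0/24"),
    "internal": ip.ip_network("10.0.0.0/8"),
    "internet": ip.ip_network("203.0.113.0/24"),  # probe range standing in for "outside"
    "any":      ip.ip_network("0.0.0.0/0"),
}

# Flows the segmentation design must block: (source, destination).
FORBIDDEN = [("guest", "pos"), ("guest", "cameras"), ("guest", "office"),
             ("cameras", "pos"), ("cameras", "internet"), ("pos", "guest")]

def flow_allowed(rules, src, dst):
    """First-match evaluation, conservative: any overlapping allow counts as exposure."""
    s, d = SEG[src], SEG[dst]
    for action, r_src, r_dst in rules:
        rs, rd = SEG[r_src], SEG[r_dst]
        if not (rs.overlaps(s) and rd.overlaps(d)):
            continue
        if action == "allow":
            return True
        if s.subnet_of(rs) and d.subnet_of(rd):
            return False          # a deny covering the whole pair ends the search
    return False                  # implicit default deny at the end of the rule list

def audit(rules):
    """Return the forbidden flows that the rule list would still permit."""
    return [pair for pair in FORBIDDEN if flow_allowed(rules, *pair)]

# Flat-network style rules: every segment may talk to anything.
WEAK = [("allow", "office", "any"), ("allow", "pos", "any"),
        ("allow", "cameras", "any"), ("allow", "guest", "any")]

# Segmented rules: internal denies come before the internet allows.
HARDENED = [("deny", "guest", "internal"), ("allow", "guest", "any"),
            ("allow", "office", "cameras"), ("deny", "cameras", "any"),
            ("deny", "pos", "internal"), ("allow", "pos", "any")]

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Rule order matters here: moving the guest allow above the guest deny in `HARDENED` reopens every guest-to-internal flow.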
Not Using a Pro-Grade Firewall Appliance
Windows devices, at least, come with a software firewall called Windows Defender Firewall. But what we’re talking about is a firewall hardware appliance like Sophos or FortiGate. These devices are like a combination of business-grade routers and a software firewall. They have the advanced security and administrative features you need.
Advantages of firewall appliances include:
- They protect devices that don’t have onboard firewalls and antivirus protection, like security cameras and POS devices
- They prevent security threats from breaking into your networks in the first place
- Advanced malware and hacking/intrusion detection
Not using a firewall appliance makes it harder to detect threats and protect the edges of your networks.
Not Protecting Your Mobile Devices
You might think you don’t need to protect your mobile devices like you would a computer, but they can be hacked, infected with malware, and stolen just like a PC. This can include your store manager’s smartphone, regardless of whether it’s their personal device or not.
And with kiosk/check-in tablets, you have the added danger of customers being able to walk in and use the device at will.
MDM software like Microsoft Endpoint Manager and Jamf lets you manage a bunch of mobile devices from a single dashboard. You can use them to install and update OSes and apps, scan for malware, change permissions and settings, block websites, and wipe the data on stolen and lost devices.
Not Protecting Your Managers’ PCs
This might seem like an unnecessary precaution, because it might just be a single laptop, and most of the software you use might be cloud-based, like Microsoft 365 or Dropbox. But it’s important to secure your managers’ PCs since they have access to such crucial information, including records, intellectual property, and payment info. Securing your PCs includes installing antivirus, keeping the Windows OS and applications updated, monitoring for unusual activity, and backing up the data on the hard drive. If you don’t have time to do this yourself, or you have a lot of manager PCs, you can outsource to a company like Cure8.
Not Managing and Monitoring Your IT Security
Just implementing security measures often isn’t enough. You should really monitor and manage everything on a continuous, ongoing basis. Some security measures require constant upkeep, including updating Windows and virus definitions. Antivirus and firewall alerts have to be checked, and potential threats removed and remediated as quickly as possible, even if the breach occurs overnight. Plus, security threats are constantly evolving, and states sometimes add security requirements as well. This is something that can be outsourced to an MSP, or you can hire an internal IT resource to handle it for you.
Thinking Employee Theft Isn’t Happening at Your Dispensary
As we mentioned earlier, you don’t want to think your employees are capable of stealing from you, but it’s something you at least have to consider or protect against. We’ve dealt with clients that thought employee theft definitely wasn’t happening, only for them to catch some in the act after installing a more robust cloud video surveillance system. Make sure to install your cameras in such a way that there aren’t any blind spots where employees can pocket your inventory, and look out for suspicious transactions that involve unusual refunds, rebates, or cash back, while at the same time leaving some leeway for innocent mistakes.
Not Using a “Smart” Video Surveillance Solution
A “smart” cloud video surveillance solution that integrates with your POS like Solink can help you improve security in multiple ways. For one, it lets you set fine-tuned, custom alerts – for example, a motion-based alert for a certain area at a certain time, like a vault during after hours. It also makes searching through hundreds of hours of surveillance footage a lot easier, and automatically stores and backs up your video for the required amount of time.
Suppose you suspect an employee of stealing. With a typical surveillance system, this would require manually looking up records in your POS and fast forwarding through and watching a bunch of footage on multiple different cameras. Solutions like Solink make this process a lot easier, letting you look through footage by the employee completing the transaction and watch video of specific transactions that aroused your suspicion, like unexpected discounts or refunds.
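The review described here and in the employee-theft section above can be narrowed down before anyone watches footage. This added example (not from the article, and not Solink's method) flags employees whose refund, discount or cash-back rate stands well above their peers, with explicit leeway for innocent mistakes; the field names, type names and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Transaction types treated as exceptions (hypothetical names for a POS export).
EXCEPTION_TYPES = {"refund", "manual_discount", "cash_back"}

def flag_for_review(txns, min_txns=20, min_exceptions=3, ratio=3.0):
    """Map employee -> exception transaction ids worth pulling video for."""
    total = defaultdict(int)
    exceptions = defaultdict(list)
    for t in txns:
        total[t["employee"]] += 1
        if t["type"] in EXCEPTION_TYPES:
            exceptions[t["employee"]].append(t["id"])
    # Leeway 1: skip employees with too little history to judge a rate.
    rates = {e: len(exceptions[e]) / n for e, n in total.items() if n >= min_txns}
    if len(rates) < 3:
        return {}                      # not enough peers for a meaningful baseline
    baseline = max(median(rates.values()), 0.01)
    flagged = {}
    for emp, rate in rates.items():
        # Leeway 2: a couple of refunds is normal; require both a minimum
        # count and a rate well above what peers at the same store produce.
        if len(exceptions[emp]) >= min_exceptions and rate > ratio * baseline:
            flagged[emp] = exceptions[emp]
    return flagged

def sample_txns():
    """Constructed POS export: (employee, total transactions, exception count)."""
    plan = [("alex", 40, 1), ("blake", 40, 2), ("casey", 40, 8), ("devon", 5, 2)]
    txns, next_id = [], 1000
    for emp, total, exc in plan:
        for i in range(total):
            kind = "refund" if i < exc else "sale"
            txns.append({"id": next_id, "employee": emp, "type": kind})
            next_id += 1
    return txns

if __name__ == "__main__":
    for emp, ids in flag_for_review(sample_txns()).items():
        print(emp, "-> review video for transactions", ids)
```

A flag is a reason to review the matching video, not proof of theft; the returned transaction ids are the ones to look up.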
Ignoring Surveillance System Alerts
Many state laws require you to set up alerts so that you’re notified if any of your cameras go down or stop recording. They may also require you to alert authorities of any outages and fix them as soon as possible. Your surveillance system may also alert you of events like your cameras getting obstructed or activity in a restricted area like a vault or safe room.
Setting up these alerts is one thing; actually keeping track of them and responding to them quickly is another. You’re probably already pretty busy as it is, and might get sick of dealing with constant false alarms to the point where you start ignoring alerts. At the same time, not responding promptly to alerts can compound your problems – giving thieves more time to plunder your inventory, or leading to more significant fines from regulators for extended downtime. You can outsource the monitoring and management of your surveillance system if you prefer.
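One way to keep camera-down alerts actionable rather than noisy, as an added example that is not from the article: it turns per-camera recording heartbeats into outages, suppresses short flaps, escalates long gaps, and also catches a camera that never reported at all. The heartbeat format, camera names, thresholds and sample feed are constructed assumptions.

```python
from collections import defaultdict

def find_outages(heartbeats, expected, window_start, now, grace=180, escalate=900):
    """Return (camera, gap_start, gap_seconds, severity, ongoing) per recording gap."""
    seen = defaultdict(list)
    for cam, ts in heartbeats:
        seen[cam].append(ts)
    outages = []
    for cam in sorted(expected):
        # Bracket the heartbeats with the window edges so that a camera that
        # never reported, or is still down, produces a gap too.
        stamps = [window_start] + sorted(seen.get(cam, [])) + [now]
        for i in range(len(stamps) - 1):
            gap = stamps[i + 1] - stamps[i]
            if gap <= grace:
                continue  # short flap: suppressed to avoid alert fatigue
            severity = "escalate" if gap >= escalate else "notify"
            outages.append((cam, stamps[i], gap, severity, i == len(stamps) - 2))
    return outages

# Camera inventory (constructed); "loading-dock" sends nothing in the sample feed.
EXPECTED = ["vault", "sales-floor", "back-door", "loading-dock"]

def sample_heartbeats():
    """Constructed one-hour feed in seconds, one heartbeat per minute while recording."""
    hb = [("vault", t) for t in range(0, 3601, 60) if t != 1800]      # one missed beat
    hb += [("sales-floor", t) for t in range(0, 3601, 60) if not 1200 < t < 1440]
    hb += [("back-door", t) for t in range(0, 601, 60)]               # stops at 10 min
    return hb

if __name__ == "__main__":
    for row in find_outages(sample_heartbeats(), EXPECTED, 0, 3600):
        print(row)
```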
Not Managing and Maintaining Your Surveillance System
Don’t just set up your surveillance system for inspection day and then forget about it. You have to continually ensure that your cameras are always on, always recording, and free from obstructions, and that your footage is being retained and backed up. You have to have someone that can fix any problem with your system quickly, as well as find and submit footage of incidents to authorities as required by law. We personally know of several dispensaries that have lost their licenses due to non-compliant surveillance systems.