Operating a secure website is serious business – especially in the cannabis industry.
Neglecting cybersecurity can leave businesses open to serious data breaches, legal penalties, and loss of reputation that could ultimately result in complete failure. This is doubly true for businesses that operate in industries where sensitive data is collected and subject to strict regulations.
Virtually every cannabis business is an attractive target for hackers simply because the industry is a lucrative and growing one. However, despite the steep consequences of a compromised network, not every cannabis business (and small business in general!) is prepared to protect sensitive customer data and valuable business information.
What basic steps can you take to protect your sensitive data and the data provided by your customers? We turned to Cory Maier, CannaContent’s WordPress Project Manager, to break down the issues involved in website security and how and why they impact the growing cannabis industry.
The importance of cybersecurity
Cybersecurity is one of the most important aspects of running a business, and yet it is frequently overlooked. While many entrepreneurs think about search engine optimization or a new logo, they make the mistake of either underestimating the threats that face their company or are simply unaware of the vulnerabilities in their networks. Therefore, website security tends to go by the wayside — which could come at great cost.
“It’s probably one of the most important things that’s always overlooked. A lot of small businesses don’t really do anything cybersecurity-wise,” Cory shared with us. “Many businesses make the mistake of saying ‘I’m small, so no one’s coming after me.’ That’s like saying no one is ever going to break into your house because you have a small house.”
The reality, though, is that even the smallest businesses hold data that is incredibly valuable to cyberattackers, including employee Social Security numbers, customer payment information, and even the business’s own financial information. Moreover, many attackers are aware that small businesses tend to leave their networks far less secure than larger companies, making them easier targets.
Common vulnerabilities and threats facing small businesses
The first step in securing your network is understanding the common vulnerabilities that small businesses frequently leave open to attackers. By identifying these gaps, you can formulate a strategy to mitigate them, whether that means implementing a software solution, revising your policies and procedures, or training your employees to be wiser about their network usage.
According to Cory, some of the most common — and avoidable — vulnerabilities include:
- Unsecured emails and transfer of sensitive data in plain text: Many small businesses will send sensitive information such as passwords back and forth in plain text over an unsecured email channel. Unencrypted, plain-text emails can easily be intercepted by attackers, granting them easy access to all the information sent and received. If you must share sensitive data, consider inviting the recipient to view a shared document on a cloud server, such as Google Drive, OneDrive, or Dropbox.
- Use of public Wi-Fi networks: Public Wi-Fi networks might seem like a convenient tool when you’re on the go, but they represent a huge risk to your business. According to Cory, you could work on a public network totally unaware that another user is sniffing the network looking for ways to infect your computer with malicious code. From there, it’s just a matter of time before they capture sensitive info when you reconnect to the internet later on. When you simply can’t avoid using public Wi-Fi, a virtual private network (VPN) can make sure you’re protected.
- Use of insecure passwords: Many people use passwords that are easily guessed or broken by brute force attacks. Passwords should be randomly generated, frequently changed, stored securely, and never shared in order to ensure that they remain known only to the user who generated them. Consider storing passwords with a password vault, such as LastPass or Dashlane.
- Offering employees excessive access to data: Employees should only have access to the data and files they require to perform their jobs. Providing even the most trusted employees with access to all the data stored on your company network is not only inefficient but creates additional vulnerabilities by sharing data more widely. The more hands the data touches, the more likely a mistake is made that offers attackers a way in.
- Use of an insecure website: Some small business websites fail to obtain an SSL/TLS certificate, which allows data transmitted to and from the website to be encrypted. Failure to encrypt a website means any information your customers fill out on your website could be easily compromised by an attacker lying in wait.
Each of these vulnerabilities provides hackers with a vector of attack that could compromise your business’s data and network. All it takes for an attacker to succeed is one point of entry, so it’s critical you identify these vulnerabilities and shut them down. Otherwise, you could be left dealing with the significant fallout of a successful cyberattack.
The consequences of a cyberattack
All it takes is one of these vulnerabilities to result in a successful cyberattack, which can be extremely costly to the point of closing a business down for good.
According to the Insurance Journal, 47 percent of small businesses suffered a cyberattack in the past year, incurring an average cost of $36,604. For large companies, the average cost of a cyberattack was more than $1 million. And those are just the direct costs. According to Cory, cyberattacks and data breaches also carry with them the risk of seriously damaging brand reputation, eviscerating trust among partners and clients, and harming future earnings.
Cybersecurity risks facing businesses in sensitive industries
Sensitive industries are often subject to regulations that demand tighter network security. This only raises the stakes, making the cost of a data breach steeper than that for more conventional small businesses.
“Cybersecurity is a big factor in the cannabis industry because it’s such a new industry,” Cory shared with us, adding that medical cannabis businesses should be particularly wary of cyberattacks.
Cory says that laws like the Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation (GDPR), which applies to any business collecting data on European Union citizens regardless of location (or the legal status of the product or service discussed on the website), mean serious fines and lawsuits for companies that fail to meet the standards.
HIPAA stipulates that any protected health information (PHI) captured by companies, including cannabis businesses operating in the medical marijuana sector, must be protected by physical, technical, and administrative safeguards. This means a combination of encryption software and firewall technology, on-premises barriers like locked offices and filing cabinets, and strict policies and procedures are all required to protect PHI. Failure to do so could result in significant penalties ranging from $100 to $50,000 per violation, as well as criminal penalties for repeated violations.
“If someone in the cannabis industry is doing any type of work that could potentially be used in the medical portion of the cannabis industry, even if it’s just one email, that means everything has to be HIPAA compliant,” Cory said.
What you can do today to better protect your cannabis business from a cyberattack
Luckily, most of these common vulnerabilities are easily patched with simple mitigation techniques. Cory broke down some of the immediate steps small businesses can take today to better secure their network and avoid the nightmare scenarios associated with falling victim to a cyberattack. These steps include:
- Invest in quality servers: Don’t take the cheap route and purchase a server for $3 a month, Cory advises. While the savings might seem great up front, the costs of using an unsecured server could be huge in the long run.
- Secure your website: Be sure your business’s website obtains an SSL certificate, so the data communicated to and from it is encrypted. This is especially important if you’re capturing customer information on your website.
- Train employees to not open suspicious emails: Shady emails and the links within them are likely attempts by attackers to gain credentials that provide access to your data. Employees should be trained to forward any such emails (even if they think it could be legitimate) to someone trained in identifying phishing attempts.
- Don’t share passwords: Passwords should be randomly generated and stored securely in a password vault. If a password must be shared, use a vault that has a secure sharing feature. The National Institute of Standards and Technology no longer recommends frequent password changes, but you should still audit and update your passwords periodically, especially following a potential security breach.
- Employ the Principle of Least Privilege: The Principle of Least Privilege stipulates that admins should ask whether users actually require access to certain data when setting them up on the network. For example, entry-level employees do not require access to payroll information or other employee contacts. Permissions for all data should be assigned accordingly to avoid creating unnecessary doorways into sensitive information.
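To make the least-privilege point concrete, here is an added example (not code from the article or from CannaContent) of a deny-by-default, role-based permission check of the kind an administrator might put behind an internal application. The role names, permission strings and users are constructed for illustration; the lesson it shows beyond the text is that a permission an employee does not hold is denied automatically, that an unknown role grants nothing, and that a periodic review can list the permissions a user holds but does not need.

```python
"""Deny-by-default role-based access control (illustrative, constructed example)."""
from dataclasses import dataclass, field

# Constructed role-to-permission map for a small cannabis retailer.
# These role and permission names are assumptions made for this example.
# Note that "admin" manages accounts but is NOT granted payroll access:
# least privilege applies to administrators too.
ROLE_PERMISSIONS = {
    "entry_level": {"read:product_catalog", "read:own_timesheet", "write:own_timesheet"},
    "manager": {
        "read:product_catalog", "read:own_timesheet", "write:own_timesheet",
        "read:team_schedule", "write:team_schedule",
    },
    "payroll": {"read:payroll", "write:payroll", "read:employee_contacts"},
    "admin": {"manage:users"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class AccessPolicy:
    role_permissions: dict
    # Every decision is recorded so that denied attempts can be reviewed later.
    audit_log: list = field(default_factory=list)

    def permissions_for(self, user: User) -> set:
        """Union of the permissions granted by each of the user's roles.

        A role that is not in the map contributes nothing (deny by default).
        """
        perms = set()
        for role in user.roles:
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user: User, permission: str) -> bool:
        """Allow only if some role explicitly grants the permission."""
        allowed = permission in self.permissions_for(user)
        self.audit_log.append((user.name, permission, "ALLOW" if allowed else "DENY"))
        return allowed


def review_excess_privilege(policy: AccessPolicy, user: User, needed: set) -> list:
    """Return the permissions the user holds but does not need for the job.

    This is the periodic least-privilege review: anything returned here is a
    doorway into data that should be closed.
    """
    return sorted(policy.permissions_for(user) - set(needed))


def demo() -> dict:
    """Run the checks on constructed users and return the results."""
    policy = AccessPolicy(ROLE_PERMISSIONS)
    clerk = User("clerk", frozenset({"entry_level"}))
    bookkeeper = User("bookkeeper", frozenset({"payroll"}))
    # A clerk who was also given the payroll role "just in case".
    overprivileged = User("clerk2", frozenset({"entry_level", "payroll"}))
    stranger = User("contractor", frozenset({"unknown_role"}))

    return {
        "clerk_reads_payroll": policy.is_allowed(clerk, "read:payroll"),
        "clerk_reads_catalog": policy.is_allowed(clerk, "read:product_catalog"),
        "bookkeeper_reads_payroll": policy.is_allowed(bookkeeper, "read:payroll"),
        "stranger_reads_catalog": policy.is_allowed(stranger, "read:product_catalog"),
        "clerk2_excess": review_excess_privilege(
            policy, overprivileged, ROLE_PERMISSIONS["entry_level"]
        ),
        "denials_logged": sum(1 for _, _, d in policy.audit_log if d == "DENY"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is that `is_allowed` never has an "allow" branch of its own: access exists only where a role explicitly grants it, so adding a new employee or a new data set starts from zero access rather than from everything.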
If you’re unable to secure your network yourself, Cory suggests hiring a security consulting firm to help your small business protect its data. While it might require an upfront investment, he says the cost is nothing compared to the consequences of leaving your network unsecured.
Don’t leave your website’s security up to chance
It can be tempting to take a hands-off approach to website security, but much like your network, your website is a potential vector for attack if left unsecured. Unfortunately, many small businesses have learned the hard way that the “it won’t happen to me” approach is fatally flawed. For businesses operating in sensitive industries or handling privileged data, a single cyberattack could strike a killing blow the first time. When the stakes are so high, it pays to build a secure website from the start.
If you’re in the midst of a web development project, it’s important to ensure that your website is built in a secure manner. Cory recommends building a secure website from the ground up.
The cannabis industry has immense growth potential, meaning startups want to launch quickly and begin generating revenue. While those ends are admirable, it’s critical to launch the right way, and that means properly configuring your website for best data security practices, as well as establishing policies and procedures that protect your business for the long haul. Don’t jeopardize the future health of your business in an industry with such a bright future. When it comes to cybersecurity, it pays to cross your t’s and dot your i’s.