We need to make sure the highly regulated world of cannabis business knows how to protect its data, customer and otherwise, yet also control access to it without too much hassle.
As an insurgent breed, hackers are savvy and will seek out the path of least resistance. When your defenses are good, the weak link is often your employees.
Data breaches are most likely to be the result of employee error or an inside job, according to the ACC Foundation's State of Cybersecurity Report.
Of course you want to maintain normal operations around your firewalls, malware defenses and data protection. But all too often employees are an afterthought.
Some unscrupulous former employees may see an opportunity to profit.
Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive, accounts, a former employee can easily impersonate legitimate users and mask their nefarious activity.
There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable.
There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.
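One of those rules is a periodic audit that pairs the directory's account list with the HR record, flagging accounts that are still enabled after the person has left and accounts that nobody has used in a long time. The script below is an added example, not code from the original article or from any specific product. The account records, the reference date, the 90-day dormancy threshold and the HR status values ("active", "terminated", "contract_ended") are all constructed assumptions for illustration; in practice the records would come from a directory export and the HR system.

```python
"""Dormant and orphaned account audit over a constructed directory export.

Added example, not code from the original article. Sample accounts, the
reference date, the dormancy threshold and the HR status values are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

DORMANCY_DAYS = 90  # assumption: an enabled account unused this long counts as dormant


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[datetime]  # None: the account has never been used
    hr_status: str                   # assumed HR feed values: active, terminated, contract_ended


# Constructed sample data standing in for a directory export; not real users.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", True, datetime(2024, 5, 30, tzinfo=timezone.utc), "active"),
    Account("bob", True, datetime(2024, 1, 15, tzinfo=timezone.utc), "terminated"),
    Account("carol", True, None, "active"),
    Account("dave", True, datetime(2024, 1, 20, tzinfo=timezone.utc), "active"),
    Account("erin", False, datetime(2023, 12, 1, tzinfo=timezone.utc), "terminated"),
    Account("frank", True, datetime(2024, 5, 28, tzinfo=timezone.utc), "contract_ended"),
]


def days_idle(account: Account, now: datetime) -> Optional[int]:
    """Whole days since the last login, or None if the account never logged in."""
    if account.last_login is None:
        return None
    return (now - account.last_login).days


def audit_accounts(accounts: List[Account], now: datetime,
                   dormancy_days: int = DORMANCY_DAYS) -> Dict[str, List[str]]:
    """Flag two classes of risky accounts.

    separated_still_enabled: enabled accounts whose owner is no longer active staff
                             (the "former employee" case in the article).
    dormant:                 enabled accounts of active staff that have never been used
                             or have been idle longer than the threshold.
    Already-disabled accounts are skipped: there is nothing left to act on.
    """
    separated, dormant = [], []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.hr_status != "active":
            separated.append(acct.username)
            continue
        idle = days_idle(acct, now)
        if idle is None or idle > dormancy_days:
            dormant.append(acct.username)
    return {"separated_still_enabled": sorted(separated), "dormant": sorted(dormant)}


if __name__ == "__main__":
    for category, names in audit_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Run as a scheduled job, the first list is the one to disable immediately; the second is the list to confirm with managers before disabling, since a never-used account for active staff may simply be one that was provisioned early.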
You’ll also want to enforce multi-factor authentication wherever possible, ensure that passwords and user names are fully encrypted, and configure and authenticate centrally.
Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.
It’s easy to focus on the technology that you need to employ to bolster your cyber security defenses and forget that people can neatly sidestep all your efforts by taking the wrong action.
Perhaps your IT staff isn’t quick enough to patch or review logs. Maybe your security policies are not enforced in any meaningful way, or your employees don’t know any better than to click on a malicious link in a phishing email.
Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases, they can persuade people to effectively lower the defenses and let them in.
The first thing to do here is to perform a gap analysis and find where employees lack the skills required to implement your cyber security plans and policies. You have to know where they are going wrong before you can steer things right.
Provide relevant training via outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this.
Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful. They should complete the same training.
As a way to test how porous employees could be, the largest bank in the country tested staff with a fake phishing email after it suffered a data theft just a few weeks prior. Despite increasing their cyber security spend, 20 percent of these employees clicked on the bogus email. Had it been real, that action would have downloaded a malicious payload onto the bank’s network.
If you don’t take some time out to spend resources on awareness for employees and specific training where necessary, then you can undo all your good efforts to improve your security and keep your business intact.
As you can imagine, the disruption to business from an attack is no picnic.
This article was originally posted in Cannabis Business Executive.