Fri, May 21, 2021

Five Ways to Improve Your Cannabis Business Security

With the legalization of cannabis expanding across multiple states, a growing number of entrepreneurs are finding new and lucrative opportunities. Without federal approval, the cannabis business is not without risk. Whether their focus is on medical or recreational—cultivation, extraction, testing and calibration, manufacturing, transport/delivery or dispensary—facility owners and operators should prioritize compliance and security to stay on the right side of the law and protect their investments. The following best practices can help you keep regulators happy and protect staff, customers and inventory.

Focus on Physical Safety and Security

It might seem obvious, but safeguarding customers and employees from harm is a must. To ensure security is both visible and engaging, companies in the industry should take the following measures:

  • Posting an obvious security professional by the front door and any other entryways.

  • Making it obvious that cameras, intrusion detection and door access control systems are in place.

  • Ensuring covert security measures (e.g., hold-up buttons) are effectively placed and readily accessible.

  • Physically hardening critical areas against penetration by reinforcing walls, ceilings or roofs, floors, doors and so on as required.

  • Implementing layered measures to enhance security. For example, entries should include attack-resistant building materials, secure cameras with clear lines of sight, automated locking mechanisms and professional security personnel.

  • Conducting regular testing and inspection of security measures and practices for effectiveness and regulatory compliance.

  • Developing and executing robust security policies and practices for product receipt/delivery, storage, handling, processing, packaging, fulfillment and cash management.

Technological security systems are an important tool, but they can provide a false sense of security if not properly applied. For example, cannabis regulations typically require cameras in all spaces where cannabis is cultivated, processed, packaged, handled, circulated or sold. But optimal placement, image resolution and quality are much more important than installing several cameras. In addition, no one person can (or will) monitor dozens of camera feeds. The best approach is to consult with security experts to determine the proper system equipment, placement, operation and management to ensure compliance with regulatory requirements and best practices.

Staff training is another important aspect of physical safety and security. Adequate training enables staff to deal with any crises that might come up, including:

  • Robbery

  • Medical emergencies

  • Fires

  • Natural disasters/community emergencies

  • Power outages

  • Protests

  • Chemical spills

State regulations might mandate a certain number of training hours, but more is always better when it comes to crisis management. Many turnkey, online retail security training programs are available. In addition, a professional security company can help you customize training to your facility, product, services and brand.

Commit to Due Diligence and Strong Operational Security

Regulations typically stipulate strict measures for accessing, handling and disposing of inventory. To comply, you need clear procedures for entering and working in areas of restricted access (e.g., via access card), disposing of waste (e.g., rendering waste “unusable and unrecognizable” and placing it in secured waste receptacles) and other processes. But human nature often leads to shortcuts. Why take the time and effort to swipe your card or key in an access code every time when you can simply prop open a door?

Business owners not only need to develop, document and implement processes that meet regulatory standards—they also need systems in place to enforce those processes and deal with violations.

  • Begin by evaluating where such areas exist and documenting clear procedures for expected behavior.

  • Educate staff about these procedures and the consequences of noncompliance.

  • Dedicate staff or outside independent professional services to secure and monitor these locations; for example, conduct random video assessments of important areas to observe if activity is compliant with regulations.

  • Follow through with repercussions for noncompliance.

Due diligence is the most important action cannabis entrepreneurs can commit to if they want to protect their investment. Security lapses can easily result in loss of product. For example, we know of one facility in which workers were found to be smuggling out product in improperly disposed of personal protective equipment (PPE).

Security and legal experts with experience in the cannabis industry can help you understand compliance and regulatory requirements, which vary from state to state and sometimes across counties or cities. Don’t underestimate this necessity. Some shortcuts—whether malicious or not—can threaten your entire business. Serve an underage patron with a fake ID at a bar, and you risk a fine and license suspension. Do the same at a dispensary, and you risk permanent closure—or worse.

Don’t Slack on Cyber Security

Without digital financial transactions, cyber security might not seem like a priority for those in the cannabis industry, but cyberattacks threaten much more than customer credit accounts. Cyberattacks against local area networks or security systems, as well as phishing emails and other strategies, can enable hackers to gain access to computers, automated cultivation systems, customer databases and more. The results can be frightening:

  • Hacker access to medical customer IDs and personally identifiable information (PII) can put you in violation of HIPAA regulations.

  • Attackers who gain access to automated systems (e.g., lights, irrigation) can threaten crops to demand payment.

  • Malicious access to customer PII can be used in extortion schemes.

  • Attackers can sabotage security systems.

No business is too small to be at risk. A local business might not produce big profits for a hacker, but could be the perfect crash-test dummy, enabling them to try out their strategies before targeting bigger fish.

A cyber security professional can help you develop programs, policy, training and endpoint monitoring to help protect your business and customers. From adequate data backup to system security to penetration testing, such services aren’t just smart—they’re vital. Remember, the question is never “will you be breached?” It is always, “when will you be breached—and are you prepared to respond quickly?”

Community Support – Be a Good Neighbor

Community support, or lack of it, can make or break cannabis businesses. When it comes to fighting the “not in my backyard” mindset, education and public outreach are key.

As cannabis businesses flourish, states and communities that have passed legalization measures are finally beginning to gather data on important issues like crime rates, tax revenue, real estate values and impacts on local economies and public health. In many cases, these data shine a positive light on the industry.

Business owners can, and should, utilize such data, along with proof of their own due diligence, to educate the public and develop good relationships within their local communities.

  • Make sure you understand all state and local laws and regulations and develop the procedures needed to comply with them.

  • Consistently and diligently train all employees to follow those procedures.

  • Share statistics and your commitment to community safety with community stakeholders, licensing boards and law enforcement. Rebuff negative studies with evidence-based medical and legal data.

  • Consider engaging public relations or crisis communications services to help you relay such information in a positive way.

  • Clearly post educational materials about your policies for consumers. Posters, pamphlets, product inserts, discounts in exchange for signing up for customer communications—find creative and effective ways to make sure customers know that you will enforce those policies, up to and including a lifetime ban.

Worried that enforcing consequences might be bad for business? In reality, such measures protect both your standing in the community and your clientele. Many customers aren’t aware of the potential risk of running afoul of consumption laws, which can be severe. If federal authorities decide to crack down, they’re likely to start with businesses that show the least commitment to rigorous compliance or that have the most community complaints.

Know When to Ask for Help

Last but not least, if you decide to engage security services, choose a firm with experience in the cannabis industry and the expertise to help you bolster physical, technical and regulatory protection. Ask how they can help you analyze your current security and compliance stances and develop a robust and comprehensive program, and then use these best practices as a measuring stick to evaluate potential security experts.

The cannabis industry is growing; it’s an exciting time for entrepreneurs. Use these tips to minimize risk and make your business venture even more rewarding.


