Cybersecurity: White House Advisory
We usually focus on the cannabis industry here, but this week we take a look at a larger issue.
The news associated with Russia’s invasion of Ukraine has been devastating in many ways, and given the scale of human suffering, the potential fallout to American businesses is probably far down the list of concerns. However, the conflict is taking place in a part of the world known as a hotbed for ransomware and other cyber threats, and the threat to businesses is very real, to the extent that the White House has taken the unusual step of issuing a blanket advisory.
Cannabis businesses – and all businesses – should take note.
The announcement from the White House Briefing Room acknowledges intelligence indicating that Russia is planning cyber attacks, and points to these eight specific recommendations for businesses:
- Mandate the use of multi-factor authentication (MFA): Your team members don’t like the inconvenience of that extra step, usually a one-time code delivered via SMS or email. But MFA has been a best practice for some time because it works. Live with the inconvenience, because MFA may be the single most effective way to prevent unauthorized access to your systems.
- Deploy modern security tools: Too many businesses relax into a ‘set and forget’ mode. The threat landscape has changed substantially and so should your defenses. If you’re still using the same methods from a few years ago, you’re asking for trouble.
- Ensure systems are protected: That’s pretty vague advice. More specifically, it’s about keeping systems patched and protected, and requiring scheduled password changes so that any previously stolen credentials become useless. Needless to say, strong passwords are vital.
- Back up data: You already knew this, but do you also regularly check those backups to make sure you can restore from them? Do you use offline backups to keep data out of reach of the bad guys?
- Run exercises: Just as you would drill for a safe exit from your facility in case of a fire, you should have a complete response plan for a cyber breach. Everyone should know their own role, and you should practice the plan to make sure it all goes as you hope in the event of a real situation.
- Encrypt data: Yes, this means more inconvenience, but encrypted data is useless to thieves. Take the trouble to encrypt, and send them looking for an easier target.
- Educate employees: Your first line of defense is an educated staff, because they’re the likely entry point for a phishing attack. Train your team to recognize the common tactics used in cyberattacks, and to be extremely cautious of all outside communications. Refresh that training on a regular basis.
- Engage with local resources: The White House advice on this front mentions ‘informational websites,’ but we would suggest that you need well-qualified IT professionals in your corner. Make sure the software you use prioritizes your security.