Applications, both web and mobile, are always in demand and make attractive startup targets for entrepreneurs. Identifying a particular industry need, then attracting investors who will back X number of developers to do Y amount of work in Z amount of time, these startups aim to solve common problems in industries that desperately need modernization. Cannabis is chief among those industries and is growing in popularity as a target for tech startups for that reason. With many farms and retail locations still keeping records on notepads and spreadsheets, it's no wonder there has been a veritable flood of new software application vendors entering the market, promising patient or client management, record keeping, point of sale systems, compliance management systems, delivery trackers, and even agriculture technology management applications that integrate with on-site farming equipment to enable remote crop management. These applications are not just for farms or dispensaries, either. Many are designed to help state governments manage cannabis industry data as well. Consider the amount of oversight required to manage every shipment, every measurement, every purchase. Investors who have stakes in 3rd party application vendor companies, as well as cannabis businesses looking to implement them, need to be aware of the serious security risks that must be mitigated in order to protect profits and avoid security incidents that could lead to fines or even liability lawsuits.
Since the primary function of an application is to accomplish a particular task within your organization more efficiently than before, most business leaders who are driving, investing in, or purchasing the solution tend to focus on how well the app does its job. Does it make your accounting simpler? Give you greater visibility into processes? Enable mass farming and crop management with fewer employees? Those functions are all important for a modern cannabis business to keep up with growth. So code tends to be reviewed and tested for efficacy. Certainly, some security best practices may come into play, but more often than not, developers are pressured to adhere to strict timelines and release dates in order to drive profits. If sales don't meet expectations, investors can become uneasy, so corners become easier to cut. Without application security lifecycle management, code reviews, static and dynamic testing, ongoing scans, etc., a vulnerability is bound to be missed.
What does this mean for vendors and stakeholders?
The issue with an application vulnerability is the potential for an attacker to gain access to, or even gain control of, functions within a tool as powerful as a software application. Suddenly, they may have the ability to scrape your database for client information, gain access to trade secrets, or even destroy your crops. Imagine the liability issue around an Industrial Control System (ICS) that, instead of maintaining the water supply to plants, is maliciously reprogrammed to dehydrate or overheat crops. In an industry where attribution is nearly impossible to prove, the victim is very unlikely to find and press charges against their attacker. More likely is the scenario where the creator of the application is held liable for having left a vulnerability in the code, system, or web interface. You can see where the potential for such an incident would leave investors and other stakeholders wanting security assurances both ahead of and after rollout.
More Apps and Sensitive Data for eCommerce
With the impending consideration and likely passage of the SAFE Banking Act, dispensaries are going to have the ability to legally roll out eCommerce applications that accept user credit card and, in some states, patient card information. For repeat customers, personal data will be stored in company databases. Mobile applications will soon follow. When you consider what this will do to digitally transform one of the least technologically sophisticated industries in the United States at a very rapid pace, you can see the need for an emphasis on security at every level.
What can be done?
If you are an investor or business stakeholder in the 3rd party application, you will want to ensure that your organization is actively employing a highly trained Information Security Officer, whether internal (CISO) or outsourced (VCISO). Then, you can request validations of the security program your CISO/VCISO is building, such as the most recent professional penetration test reports and risk assessment reports. Next, you might look into your cyber insurance provider’s recommended best practices. Oftentimes, insurance companies have key requirements and recommendations to protect themselves (and you) from the likelihood of a serious security incident.
If you are an IT Director or software architect, you will want to take the following steps around application security:
- Development phase
- Testing phase
- Launch phase