4 minute read 25 Oct. 2018

Five cybersecurity strategies for cannabis companies

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.


Cannabis companies collect an enormous amount of sensitive data. Learn about the top five strategies to protect against cyber threats.

Now that recreational cannabis is legal nationwide in Canada, licensed producers (LPs) entering the market are going to face the same types of cyber risks as any other business. Cyberattacks are becoming more prevalent, severe and sophisticated, and can have a significant negative impact on companies’ business operations, process automation, data protection and privacy.

Cyber events are hitting companies’ bottom line, brand and reputation, and cannabis companies are not immune. Companies need to take steps to safeguard their data and operations in the short term and for the long run.

Let’s take a look at the top five strategies cannabis producers should consider.

Build a robust governance framework

Good governance starts with the tone at the top. If board members don’t understand the company’s cybersecurity risk, the organization will remain vulnerable to outside attacks.

Cannabis companies collect an enormous amount of sensitive data, including medical, customer, personal, financial, transactional and proprietary data. This makes them an even more tantalizing target for hackers than other businesses.

Making sure executives and board members are educated on the cyber risks the company faces will help establish a cybersecurity program that’s truly integrated with the organization’s operations and not just tacked on as an afterthought.

Companies need to recruit and develop talent that understands the importance of cybersecurity and enables a proactive, risk-aware culture. Boards, executives and risk committees want a clear picture of their cyber risk exposure and how the company’s cyber program addresses these risks.


Protect strategic intellectual property

In the competitive cannabis market, brand is a major source of value for companies, so it’s important to have tight control over intellectual property. Most companies are developing cannabis-derived products that qualify for patents or drug identification numbers; a data breach that exposes such numbers could be devastating.

Companies need to include information security in overall strategy planning. An ounce of prevention can mean the difference between secure data and significant financial damage.

Setting up the organization with the necessary tools to prevent, monitor, detect and resolve breaches requires annual planning and spend. Cannabis producers should draw up a prioritized roadmap for investments in cybersecurity. This requires strategic budgeting for information security operations in line with the organization’s requirements and fosters organizational change.

Know the risks of technological innovation

Cannabis cultivation is an agricultural business, and advancements in technology have enabled companies to upgrade their facilities with innovative systems and processes that are unique to the space. State-of-the-art equipment, machinery and environmental systems enable producers to embed a greater level of automation and advanced crop monitoring.

Utilities, wages and salaries are some of the biggest cost drivers of operational expenses for cannabis producers. Innovative technologies such as Internet of Things, blockchain, robotic process automation, artificial intelligence and machine learning can help companies with cost-cutting and efficiencies when it comes to automating manual and labor-intensive activities.

While these innovations can bring great benefits, they also involve potentially significant risks. Cultivation with a degree of automation can include various smart technologies, including utility consumption management, connected HVAC, lighting, drip irrigation and nutrient systems, plus environmental controls over humidity and temperature. Each of these areas can be hacked. Cannabis is a very difficult plant to optimize, and because of the pharma-like regulations in an agricultural environment, a cyber incident could ruin entire crops or grow rooms, resulting in unsellable products.

Manage and identify risks

Cannabis companies often engage external partners, vendors or contractors who can support their growth and rapid scaling. These relationships introduce potential third-party risk. Companies can tap into enterprise resource planning systems, servers to host patient and customer data, vendor management programs to automate operational finance and procurement, and various other third-party services.

So cannabis companies need to understand the responsibilities and boundaries of their own cybersecurity environment and have insight into the control environments of their service organizations. They should also keep an accurate inventory of third-party service providers, network connections and data.

Internal cybersecurity enablers and programs include threat and vulnerability management for malicious attacks; identity and access management to monitor the facility’s perimeter and rooms throughout the cultivation lifecycle that comply with Health Canada’s security requirements; and advanced predictive analytics and artificial intelligence to identify threat patterns and attacker techniques while crawling the dark web to discover and prevent imminent attacks.

Build resilience for stronger business continuity

Because cannabis companies collect a huge amount of customers’ personally identifiable data, they are of high value to cyber criminals. Ransomware attacks can expose the vulnerabilities of organizations that have outdated technology and aging infrastructure, crippling day-to-day operations.

Cannabis companies should be proactive when it comes to protecting their data and systems — the cost of being reactive is too high.


Companies in every sector face a wide array of cyber risks, and cannabis companies are no different. While the industry is nascent, the risks are well known. Cannabis companies collect a huge volume of their customers’ personal data, which is a tantalizing target for cyber criminals. In addition, these companies hold large volumes of intellectual property, making them vulnerable to cyber attacks. Licensed holders will need to ensure their leaders and boards are aware of the cyber risks and build robust cybersecurity systems to protect and defend their operations.
