As the budding cannabis industry continues to grow from coast to coast, security teams face a new frontier of regulation and risk management. Securing a recently decriminalized product that is still illegal at the federal level comes with a host of eclectic state security requirements, a lack of long-term industry experience from security integrators and consultants, and new attack avenues for opportunistic criminals to exploit. When securing a dispensary, security teams must prove themselves adaptable enough to navigate these uncertain waters.
Join panelists Sarah Trent, Founder and CEO, Valley Wellness NJ; Tony Gallo, Managing Partner, Sapphire Risk Advisory Group; Ron Smalley, Founder and CEO, Mantis Cannabis, LLC; Scott Thomas, National Director of Sales for Gaming & Hospitality, Genetec; and Tim Sutton, Senior Security Consultant, Guidepost Solutions LLC and Andrew Cooper, who leads Falcon, Rappaport & Berkman’s Healthcare and Cannabis & Psychedelics Practice Groups and contributes to the Commercial Litigation Practice Group. for the Cannabis Security Breakfast at ISC East 2023. Brought to the stage by the Security Industry Association (SIA) and SecurityInfoWatch and supported by sponsors Genetec and Aiphone, panelists discuss the security hardships faced by this fledgling industry, including:
- The arduous process of adhering to differing security regulations and gaining state approval,
- Why cannabis security teams need to go above and beyond state security requirements,
- Common threat avenues that plague dispensaries across the United States,
- The prevalence of insider threats in the cannabis industry,
- And why does that necessitate strict background investigations and employee security training?
The Legal Web of Cannabis
While the legality of cannabis was originally exclusive to the West Coast, recent years have seen a greater effort to push legalization across the United States. The industry has since uprooted itself from its birthplace in California and has spread to the Midwest and the East Coast, with the latter experiencing a boom in dispensary openings for both medicinal and recreational use.
Cannabis is still illegal at the federal level, however, and remains classified as a Schedule I narcotic. The illegality of the product means that cannabis retailers must start from scratch, and as regulations are managed on a state-by-state basis, differing security requirements make obtaining state or city approval a long and arduous process. Enterprising business owners risk hemorrhaging money before they ever open their doors while waiting for inspectors to review their applications.
Trent, who founded her dispensary in New Jersey, suggests that teams “do it right the first time.” Retailers need to pay building rent and support employees while waiting for an application that may ultimately be rejected, she says, so they should place specific importance on preparation.
Gallo suggests performing preliminary inspection walkthroughs to identify vulnerabilities that state inspectors might catch during their checks. Trent and Smalley champion communication: choosing integrators familiar with the industry is paramount to getting a dispensary off the ground without wasting resources. Smalley also recommends meeting with inspectors, operations teams, and construction crews to gain a better understanding of the way they interpret regulations as well as their equipment capabilities.
“Anything that you can get ahead of and understand from an operational perspective is going to save the owner time and money and save you aggravation,” notes Smalley. Being involved in the process from the very beginning and becoming familiar with an operating team’s “big picture goals” also helps owners better understand their own risks and liabilities, knowledge that is especially important with nebulous regulations that differ by state.
Certain states will heavily regulate a dispensary’s physical and cybersecurity requirements, others do not specify strict guidelines, and some will allow the bare minimum, Thomas explains. While safes are commonplace in most stores, for example, several states do not require that dispensaries lock away their products in safes during off hours. As a result, retailers that adhere strictly to state regulations may leave high-value theft items unsupervised in unsecured storage rooms.
“Standard retail practices are the same in cannabis,” Sutton says. “That may not be in the regulations, but those practices should be followed.” He argues that dispensaries should take the same steps to secure their product as other stores, especially given the high amount of cash that cannabis retailers handle. Dispensaries should utilize smart safes, limit the amount of cash in register drawers, and take time to visibly enforce security policies, Sutton explains. Skimping out on security regardless of state regulation invites theft, especially for high-value targets.
The Problem with Organized Crime
Externally, organized retail crime (ORC) is a major problem for cannabis retailers, Thomas notes. As merchandise is not typically shelf-stocked like other stores, sophisticated criminals will opt for a different approach when targeting dispensaries. Trent notes that local thieves will wait until holiday weekends to break into dispensaries during their off hours by cutting the power and waiting until battery backups expire. Extraction areas and packaging rooms are the highest-value locations in a dispensary and are often the places criminals will hit first.
The muddy legality of cannabis between states, as well as the differing regulations, grant thieves an additional vulnerability to exploit, Trent continues. Local mom-and-pop cannabis retailers are often targeted by scam callers impersonating government officials who take advantage of this legal confusion to extract social security numbers or access codes from employees who believe they are complying with law enforcement.
Even with these more sophisticated techniques in their repertoire, thieves will still attempt brute-force approaches. According to Thomas, smash-and-grab robberies are commonplace, and facilities that lack vehicle barriers or bollards are prime targets for criminals who prefer ramming armored trucks through vulnerable areas of the building.
Mitigating the Risks
Identifying and mitigating these threats is important regardless of a state’s particular security guidelines, Sutton states. Panic alarms and motion sensors coupled with remote monitoring systems serve as a strong deterrent for criminals while preventing false alarms. Fencing off generators, transformers, and sirens may prevent the sabotaging of power supplies, and hosting offsite video storage preserves critical surveillance data if the facility loses power anyway. Sutton concedes that “technology does not eliminate any threat,” but the ability to mitigate and respond to incidents is necessary to lessen financial impact and preserve employee safety.
Training employees to respond to security threats and understand how in-store security systems work is also vital, Sutton argues: “The most important asset you have is your people.” Educating workers about potential phone or email scams is an easy way to prevent fraud, and working with employees to understand their surveillance and alarm systems grants the storefront an extra layer of threat prevention. Critical event simulations maintain employee safety and foster cooperative behavior with law enforcement.
When the threat is coming from within, however, security teams must take additional steps. Thomas notes that dispensaries are prime targets for insider theft from both current and previous employees. High quantities of on-site cash make dispensaries particularly susceptible to register and return fraud and current or ex-employees with knowledge of a facility’s access control systems may find little resistance when slipping into vulnerable extraction and packaging areas.
Employee surveillance may be one solution to this problem, Sutton says: “You can’t catch theft if you don’t know how they steal.” Because cannabis products can be broken down into smaller portions, Trent elaborates, thieving workers often employ creative methods. Surveillance systems can help capture minute sleight of hand tactics used by employees attempting to smuggle small quantities of cannabis out of the store, especially when supplemented by remote monitoring systems or aid from law enforcement.
Thomas explains that access control systems can also help identify problem employees. Identification-based systems monitoring the traffic of high-value areas allow security teams to narrow their search to a pool of credentialed individuals, and intrusion alarms may deter employees partial to opportunistic theft. Sutton warns against employees sharing alarm codes and advises owners to turn off access for people who are not scheduled to be on site.
The greatest deterrent to insider threats, however, is proactivity. “Clients should hold background investigations before state background checks,” Smalley recommends. Client-helmed background investigations may catch irregularities that the state does not, he notes; for example, an employee charged with a misdemeanor for committing register fraud may fly under the state’s radar. “A combination of red flags means something when inspecting someone,” Sutton concurs. “If someone has multiple convictions, for instance, they might have a problem with authority.”
When it comes to cannabis security, knowledge is power. Cannabis’ unique status as a limited-legality product merits unique solutions to defend its distributors. Forging bonds with professionals and inspectors who understand the industry’s distinct requirements and regulations, as well as recruiting and encouraging like-minded employees to do the same, is the most proactive way to mitigate risk. In this, Gallo’s sentiment rings true: “Sometimes the role of a security professional is to be an educator.”
To learn more about the unique position cannabis security holds in the security industry, watch the ISC East 2023 Cannabis Security Breakfast here.
Samantha Schober is an associate editor for SecurityInfoWatch.com. She can be reached at [email protected]