Cybersecurity has never been a strong point of the cannabis industry. Part of that is structural. Part of it is historical. And part of it comes down to simple resource limits. As the sector consolidates and operators become more reliant on large integrated software systems, the gap between what the industry needs and what it can reasonably support is becoming harder to ignore.
Rocco Del Priore, co-founder of Sweed, works in the middle of that tension every day. His company builds software for dispensaries that covers point of sale, ecommerce, marketing tools, loyalty programs, and text messaging. In other industries, connected tools are readily available and are the mainstream norm. In cannabis, the lack of access to traditional tech infrastructure means dispensaries have to piece together disparate systems to achieve a complete tech stack.
Rocco Del Priore. © Sweed
"You cannot rely on credit cards, banking, or standard messaging solutions," he says. "Any company working in this space has to make these things themselves. It creates a much higher cost of entry." The problem is not limited to plant touching business, as even cannabis software companies have to navigate unusual restrictions. "We build software," he says, "and we cannot even have company credit cards."
For operators, the strain shows up everywhere. The image Rocco uses is simple: retail operations that use stitched-together platforms and systems are like a house that requires an overstretched team to check and secure each entry point. With each integration, a new door is created that opens the home up to mistakes, oversights, and in some cases, serious breaches.
Based on what he has seen across the industry, the causes of security failures vary. Former employees looking to damage a company, outdated systems, and rushed internal processes can all contribute. There is also the matter of sensitive data. Growing operations guard their standard operating procedures closely. Retailers and medical operators worry about patient data. History gives them reasons. "The national patient data outage in the middle of the last decade is still fresh in many minds," he says. "Some of that information was never recovered."
Even with these risks, cannabis remains young and fragmented. "It is not a fully mature industry yet with resource constraints," Rocco says. That immaturity also shows up in how security programs are adopted. Measures that are standard in other industries take longer to gain traction here.
Sweed's recent move to launch a bug bounty program is an example. Bug bounty programs are common in the wider software world. They invite outside researchers to probe a platform for weaknesses in exchange for financial rewards. For most companies, this is a sign of maturity rather than innovation. "If you have a young product, it does not make sense to open yourself to a bug bounty," Rocco says. "Once your platform reaches a stable and mature state, it makes sense to invite other people to test it."
He points to the steps Sweed has taken ahead of the rollout. The company has a SOC type two certification and has undergone multiple rounds of penetration testing. "Reports come back clean. Our platform is stable enough that it makes sense to invest in additional security." The goal, he says, is not to make a statement about being first, but to normalize a practice that should eventually be standard across the sector. "It would be disingenuous to say others are not thinking about it. They just may not be comfortable doing it yet."
The program is expected to run indefinitely, with rewards calibrated to severity. Early activity will likely focus on ecommerce components, simply because that is the only part of the platform open to the public. Broader testing will follow the usual pattern seen in other bug bounty ecosystems.
Rocco points out that security tends to improve as industries consolidate. Ten years ago, cannabis retail ran on white label systems assembled from whatever components could be found. In 2015, there were dozens of point-of-sale platforms. Today, there are far fewer, and he expects that number to keep shrinking. "Each company is going to grow and invest more in security. The whole industry is in a much better space now."
That trajectory mirrors how Sweed approached product development. First came the idea that marketing, point of sale, and retail operations should live inside one system. Later came white label consumer platforms for individual stores and a focus on larger multistate operators. "Starting with a concentrated customer base allowed us to maintain a consistent level of support, which is something cannabis software companies have always struggled with."
Inside the industry, attention is already shifting to what artificial intelligence will and will not be able to do. Rocco expects a divide between reactive tools and proactive ones. "The real change will come from systems that analyze inventory and recommend actions before you ask," he says.
For now, the more immediate question is whether cannabis companies will begin to treat cybersecurity as a core business requirement rather than a secondary concern. Bug bounty programs are one small indicator of that shift. "As platforms mature and the number of software providers narrows, security is likely to become a more routine part of how cannabis businesses operate," Rocco concludes.
For more information:
Sweed
sweedpos.com