The industry needs to get serious about security to avoid a wave of break-ins by criminals who see medicinal cannabis as the ‘new cash’, a risk management expert has warned.
Director of risk, safety and technology at Barrington Group Australia, Glenn Lynch, said the potential value of the product on the street, coupled with a lack of experience in storing schedule 8 medicines, makes the industry uniquely vulnerable to organised crime.
“In essence, it is a cash asset, something that can be sold,” he said “A business criminal can break in and get their hands on millions of dollars of product that they can move very quickly on the street. And it’s a lot easier than robbing a bank.”
Lynch said the banking industry has beefed up security in recent times, forcing would-be thieves to look for softer targets.
“The banks worked so hard to stop armed robberies. They secured the cash, they put up resistance screens, they’ve got cameras everywhere. Robbers might get away with a few hundred bucks if they’re lucky. The risk versus the reward doesn’t stack up.
“That’s not the case with cannabis. It is a relatively new industry and people working in it may not have a history of storing schedule 8 medicines.
“They may not know that their facility is not properly secured, they may think the fabric of their building is difficult to get through. Even though a determined robber can breach it in five minutes with a demolition saw and a sledgehammer.
“In my experience working with the banks to prevent ram raids and ATM gas attacks, there’s a snowball effect. Once one attack happens, there’s a huge spate until that industry changes. But by then it’s too late.
“I’d like to see the medicinal cannabis industry act before it gets to that point.”
Lynch said the danger for a relatively new medicine which already struggles with stigma is that lax security could further tarnish its image in the eyes of the regulators.
“An incident or one attack probably doesn’t upset the apple cart too much,” he said. “But if you get two or three incidents in close succession against different organisations, the whole industry is damaged and it takes time to recover.
“We want to see the sector respected for following the proper processes and protocols. Unfortunately, that takes a bit of investment.”
Lynch said a lack of clarity around the regulations, financial pressures and inexperience in storing medicines are all contributing to the sector’s vulnerability.
However, he said there are a number of simple steps businesses can take to help mitigate that risk.
The first – and most crucial according to Lynch – is to do a full risk assessment prior to designing any secure facility.
“A security consultant will do an assessment first to understand your operation and the risks you potentially face. And then they can overlay that with the requirements – both state and federal – to ensure your facility is compliant.”
While hiring a security consultant is vital, Lynch said it’s important to do so from the outset, so they can help with project design, not just sign off.
“They shouldn’t just sign off someone else’s work,” he said. “They should write a detailed specification with drawings. They shouldn’t specify a brand, but they should specify a minimum standard to meet.”
While a security consultant shouldn’t recommend a single supplier, they should be able to help with the tender process, Lynch added.
“They will know the suppliers, and can help put together a request for information to determine whether their products are self-certified or independently tested, and whether they meet Australian standards. Then – and only then – do you let them shoot it out on price.”
Self-certification by suppliers should be a particular red flag, according to Lynch.
“There’s no way of knowing whether those products meet the required standards. They may do, but they’ve just tested it themselves, it’s not been independently verified, so they could be cutting corners. We don’t know because it’s not at arm’s length.”
Medicinal cannabis companies would be risking a lot by putting their faith in the word of third parties, he added.
“If you transfer [responsibility] to a supplier that self certifies, your brand could suffer significant damage if you have an incident and you’re found to be negligent. Or that you knew your supplier had self-certified and didn’t do anything about it.”
Lynch said in an industry which is often strapped for cash, the temptation to cut corners can be overwhelming. But doing so often leads to more expense when hastily assembled security solutions prove insufficient or non-compliant.
“There’s an old saying that the poor person pays twice, and that’s definitely true in security, where mistakes can prove costly to undo. Retrospectively, you could double your initial investment.
“It’s a dead cost – a straight hit to the bottom line – but it’s important to remember that you are protecting your people, your brand and your licence.”
Lynch said one common mistake companies make is to focus on the potential external threat and therefore only start worrying about preventing access to their facility once it has been constructed.
That ignores the potential threat from within, he warned.
“We take the cyber security approach of zero trust and crime prevention through environmental design (CPTED),” he said. “We get involved as soon as an architect has done a draft sketch. We can design out the risks of crime prior to even turning soil.
“Has your security team been vetted? Do you know who they are? Have you done police checks? If you want to stop the threat from inside, you need to know who your people are, and how they work. You need to ensure that all your staff don’t know all of your operation, only components of it.
“Security is a jigsaw puzzle.”
What makes that puzzle more difficult to piece together are the myriad rules and regulations from the Office of Drug Control (ODC) at the federal level and the health departments of each state.
“The rules can be confusing and some consultants pick and choose what regulations they want to read and how to apply them – to the detriment of the customer.”
As an example of the potential for confusion, Lynch pointed to ODC guidelines which state that refined cannabis should be protected by two layers of intruder-resistant physical barrier, one of which should be a secure storage unit.
But the precise requirements for that storage unit are left unspecified by the ODC, with the licence holder expected to provide “security that is appropriate to the volume of cannabis to be stored”.
That leaves plenty of wriggle room for firms to cut corners, Lynch said, but insisted it was up to their security consultant to make sure they resist the temptation.
“We talk in terms of the ‘onion layer’ of security,” he said. “Nothing works in isolation.”
Ultimately, Lynch warned, those tempted to prioritise savings over security will be making an expensive mistake.
“The ODC says it is the licensee’s responsibility to ensure that their facility meets the requirements,” he said. “If they don’t they could lose their licence, and we know how hard they are to get. Why would you take that risk?”