A retail cannabis security blueprint that works

March 21, 2024
Through consultation with a security expert and a complete and comprehensive security assessment, cannabis facilities can mitigate risk

In 2022, my company, Setracon Inc., was presented with a unique project. We were contacted by the Washington State Liquor and Cannabis Board with an emergency request to conduct risk, threat, and vulnerability assessments of retail cannabis shops.

2022 was a rough year in Washington for cannabis retailers. There had been numerous thefts that were perpetrated in many ways, including smash and grabs, driving a stolen vehicle into the front of a store, rooftop break-ins, and armed robbery. Several of the armed robberies resulted in the injury and, in some cases, the death of retailers.

Background

For your information, in May 2023, 37 states have legalized the medical use of cannabis. Additionally, twenty-four States have legalized cannabis for recreational use.

The U.S. Federal government classifies cannabis as a Schedule 1 drug. According to the United States Drug Enforcement Agency (DEA), Schedule I drugs are "those that have a high potential for abuse, no currently accepted medical treatment use in the U.S., and a lack of accepted safety for use under medical supervision. Examples of Schedule I drugs include heroin, lysergic acid diethylamide (LSD), marijuana (cannabis), methylenedioxymethamphetamine (ecstasy), methaqualone, and peyote."

The fact that 37 states have legalized cannabis, and the Federal government considers it a Schedule 1 drug, has created banking problems. Most banks operate under the protection of the Federal government. The Federal Reserve System is the central bank of the United States. The Federal Deposit Insurance System (FDIC) insures bank deposits against potential failure. These two organizations govern most banks in the United States.

The problem lies in the fact that a federally protected bank cannot accept funds from the sales of Schedule 1 drugs, making retail cannabis a cash-based business. Depending on the size of the shop and the frequency of cash pickups, a retail shop can have up to $200,000 in cash on hand.

With $200,000 in cash and access to substantial amounts of cannabis, this is a target that is attractive to thieves.

When WLCB first approached us about the project, we could not find any assessment protocols for retail cannabis. Having no protocols, we engaged in the conduct of considerable research.

In the past, I worked in retail crime prevention, loss prevention, and organized retail crime, providing services for strip malls, downtown retail districts, and high-end jewelry stores. We found many similarities in those venues to the problems being faced by retail cannabis stores.

We then considered best practices in banking security, Crime Prevention Through Environmental Design (CPTED), physical security, and best practices in retail security, specifically those stores that sold high-value items.

Further, we considered the industry's threats in Washington State, including crimes against people, extremely violent attacks, and physical assaults such as pistol-whipping and homicide.

The Protocol

From this basis of knowledge, we developed a seventeen-page protocol that we could utilize for assessing retail cannabis stores in Washington State. The document serves as an informational guide for consistency in assessing current levels of security and opportunities for improvement for Washington State retail cannabis vendors.

Having a standard protocol provided us with the additional ability to analyze our findings. The findings and trends are used to improve security legislation, protect lives, and minimize crime.

The Risk Assessment

We used a formula based on the traditional Sandia formula R=Pa*(1-Pe) *C, where

R=Risk, Pa=Threat, 1-Pe=Vulnerability, and C=Consequence. Because we were working with large data sets, we modified the formula for five-panel results. So instead of the traditional low, medium, and high, we had low-negligible, medium-low, medium, medium-high, and high catastrophic.

 The five-panel results provided greater granularity in our findings and analysis.

Demographic and Threat Information Collected

We collected demographic information, including.

  1. Neighborhood-urban or rural
  2. Multi-Tenant Building
  3. Stand Alone Enterprise
  4. Square Footage
  5. Dedicated parking area or shared parking area
  6. Security Guards Contracted or Proprietary
  7. Average Law Enforcement response time (Target 3 minutes or less)
  8. Frequency of crime over the last twelve months
  9. Nature of the crime, such as crimes against people and crimes against property.

Areas Examined

Exterior

The exterior includes the parking lots, fencing and barriers, exterior building attributes, loading docks, exterior windows, exterior doors, cabling, landscaping, lighting, cameras, employee entrances and exits, and store entry.

 Interior

The interior areas are power sources, backup power, doors, cameras, camera locations, panic alarms, access control, visitor management, safes, lock and key control, cash handling, product storage, retail counters and displays, integrated systems, alarm panels and guard services.

Programs

We looked at security plans, policies, procedures, and employee training. The intent is to evaluate procedural security. The policies we wanted to see and examine are cash handling and storage, lock and key control, cash register procedures, protection of products, protection of assets, internal theft, response to crimes including shoplifting, burglary, and robbery, incident reporting, and emergency planning and evacuation.

Training

Two core areas we wanted to evaluate were training in de-escalation techniques and identifying suspicious behaviors and activities.

Findings and Analysis

We identified three very different types of store owners. We mention this because every kind of owner addresses security differently but similarly to their ownership category.

  1. Corporate Ownership: these business owners came from the corporate world and brought their corporate skills into their new venture. The skills include a focus on policy and procedure business management and a strong knowledge of risk management. Corporate owners invest heavily in good human resource processes, hiring the right people, extensive background checks, and a significant investment in physical security systems supported by robust policies, procedures, and training. Many of these owners had multiple stores, some upwards of five. We found this group very open to our suggestions for improvements, and many appreciated the Enterprise Security Risk Management approach to their organizational security.
  2. Entrepreneurs: Entrepreneurs are business owners who are profit-motivated. They generally have high-traffic stores with high sales volumes. They are less receptive to any application of physical security that slows down the customer experience. For them, it is about moving as many people from the parking lot to the sales counter as possible. For this owner, identifying potential risks and the impacts and consequences of risk is essential. Although they may not be receptive to some changes, understanding impacts and consequences can assist in making informed risk-based decisions.
  3. Mom and Pop: These stores are generally smaller, family-owned stores. They may not have a lot of funds for investment in physical security systems other than what is required by State law. But there is an upside. All the people participating in the business are family members or very close friends. Therefore, they are highly aware of industry risks and overcome many security challenges through well-written policies and procedures coupled with a common security goal. We found the mom-and-pop stores to be the most enjoyable to work with. They are extremely interested in learning about the practical applications of physical security and security awareness.

Findings Reveal Workable Solutions

There are a lot of low-hanging fruit. Improving policies, procedures, and training creates awareness and pays dividends. We found a significant opportunity for many no-cost/low-cost small changes, such as enhancing locking mechanisms restricting access to critical areas such as cash counting, manager's offices, and product storage.

Perimeter: Bollards are a low-expense, high-impact enhancement. In Washington State, we are experiencing a rash of stolen vehicles being used to drive through the front of the store. Driving a car through the front of a store generates significant costs in loss of product, cash, and physical damage to the building, resulting in the store being closed for some time. Investing in bollards is a relatively inexpensive mitigation when you add up the total value of financial impact.

Physical Security: We observed a lot of inferior installations of physical security systems. We saw many system installations with cut corners that resulted in systems that could easily be compromised by simply unplugging the power because they were not hardwired and exposed cabling that is easily cut or accessed. Additionally, we noted a lot of low-quality and mediocre equipment installed. We educated a lot of store owners on the state of physical security equipment and improvements such as video analytics and video capture quality.

Delivery & Storage: We saw a lot of variances in product deliveries and storage. We observed product delivery through the front door instead of a secure entrance. Additionally, we observed products stored immediately behind the sales counter and other open store areas where they would be easily accessible and attractive to thieves. Having secure storage with limited accessibility minimizes the opportunity for theft.

POS: We see a lot of issues with retail counters. Retail counters should be high enough to make jumping over difficult for thieves. Elevated heights also minimize the opportunities for smash-and-grab thefts. We also strongly recommend foot pedal-operated panic alarms for every transaction station. It is difficult to use an under-counter panic button when your hands are in the air at gunpoint. Lastly, ensure that gaining access behind the retail counter is not easy.

Cash Handling: There are several areas we consider when it comes to cash handling. First, we do not recommend cash counting or handling on the retail floor. Set an acceptable limit for cash in the till. In a high-volume store, change out the tills frequently. Move the cash drawer to a secure area off the floor for counting. Ensure regular cash pickups and work with the armored car company to inform you of their arrival time so cash for pick up is not unsecured for an extended period.

We recommend ensuring controlled access to the store. Limit the number of people in the store to the number of transaction stations available. Limiting the number of people can discourage attempted robberies by groups of thieves.

Lastly, make sure you are hiring the right people. Background checks are essential and prevent a store from hiring an insider threat.

How Did We Measure Success?

At the end of the day, we are educating store owners one store at a time. We are assessing to identify issues, offering education on our findings, and providing actionable mitigations that store owners and managers can easily accomplish.

Store owners are appreciative, and we get positive feedback from all involved.

The lessons we have learned have allowed us to positively impact the retail cannabis industry and contribute to national standards in development.

Jeffrey A. Slotnick, CPP, PSP, iis President, of Setracon ESRMS and an internationally known Enterprise Security Risk Consultant with over 28 years of experience. Jeff is peer-recognized as a “Thought Leader and Change Agent. He focuses on all Enterprise Security Risk Management facets, including quality management programs, risk, vulnerability, threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design, and Integration. As a curriculum developer and master trainer, Jeff advocates for quality professional development and training of security and military personnel. He is a member of the North American Board for ASIS International, a Faculty Advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program.
About the Author

Jeffrey A. Slotnick CPP, PSP | President of Setracon ESRMS

Jeffrey A. Slotnick, CPP, PSP

President, Setracon ESRMS

Chair, Board of Advisors Robotic Assistance Devices

Community Vice President, ASIS International

Board of Directors, Jewish Federation of Greater Seattle

Founder Safe Washington

United States Army Engineer Corp, CSM Retired

Trusted Advisor | Leader | Change Agent | Risk Consultant | ESRM Advocate | Security Management Professional | Physical Security Specialist | Master Quality Management Systems Professional | Public Speaker | Author | Media Consultant.

Mr. Jeffrey A. Slotnick, CPP, PSP, is an internationally known Enterprise Security Risk Consultant with over 28 years of experience. Jeff is peer-recognized as a “Thought Leader and Change Agent. He focuses on all Enterprise Security Risk Management facets, including quality management programs, risk, vulnerability, threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design, and Integration. As a curriculum developer and master trainer, Jeff advocates for quality professional development and training of security, law enforcement, and military personnel. He is a former member of the North American Board. He is a Community Vice President for ASIS International and a Faculty Advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program.

Jeff is a regular contributor to Security Executive Magazine and SecurityInfoWatch.com 

[email protected]