Why dispensary networks are different
A dispensary is not a coffee shop with WiFi. Your network connects POS terminals processing customer IDs and purchase histories, surveillance cameras storing months of compliance footage, METRC API endpoints transmitting seed-to-sale data to state regulators, IoT sensors monitoring grow environments, access control systems logging every entry to limited-access areas, and guest WiFi for customers. When all of these systems share one flat network, a single compromised device gives an attacker access to everything.
Network segmentation: the single most important step
Network segmentation uses VLANs (Virtual Local Area Networks) to create isolated zones within your network. A properly segmented dispensary network has separate VLANs for POS and payment systems, surveillance and NVR, METRC and seed-to-sale, staff workstations and back-office, IoT and environmental sensors, and guest WiFi. When ransomware hits a workstation on a segmented network, it cannot reach your POS data, cannot encrypt your surveillance footage, and cannot disrupt your METRC reporting.
Firewall configuration for cannabis operations
Your firewall is the gatekeeper between network zones and between your network and the internet. For cannabis operations, proper configuration requires IDS/IPS (Intrusion Detection and Prevention) enabled and tuned, rules reviewed quarterly as POS vendors and state systems change endpoints, outbound filtering to prevent data exfiltration, geo-blocking for countries with no business need to connect, and logging with at least 90 days of retention for compliance.
Dual-WAN: because METRC does not wait for your ISP
A single internet connection is a single point of failure. When it goes down, your POS stops, METRC cannot sync, and cloud surveillance cannot upload. Dual-WAN with cellular failover ensures automatic switchover in under 30 seconds. The cost of cellular backup ($50-$150 per month) is negligible compared to revenue lost during a multi-hour outage or the compliance risk of a METRC gap.
WiFi security for dispensaries
Guest WiFi must be completely isolated from your internal network on its own VLAN with no route to POS, cameras, or METRC systems. Use bandwidth limits to prevent guests from consuming business capacity. Staff WiFi should use WPA3 Enterprise with individual credentials. When an employee leaves, their WiFi access should be revoked immediately as part of offboarding.
Monitoring: you cannot protect what you cannot see
Network monitoring should alert you to unauthorized devices connecting, unusual traffic patterns, bandwidth anomalies indicating cryptojacking, failed login attempts across systems, and METRC API connectivity issues before they become compliance gaps. 24/7 SOC monitoring catches the threats that happen when no one is watching.
Need help with this?
710IT builds cannabis IT infrastructure that addresses every issue covered in this article. Book a free assessment and we will evaluate your current posture.
This article is for informational purposes only and does not constitute legal, cybersecurity, or professional advice. Requirements vary by state and change frequently. Always consult qualified professionals for advice specific to your jurisdiction.