
Cannabis has one of the highest employee turnover rates of any industry. Roughly 40–60% of workers leave within their first two months. Annual turnover averages 55%. Only 14% of employees last beyond three months. And only 44% of cannabis companies even have a dedicated HR department. Every single departure is a cybersecurity event — an employee who retains access to your POS system, your METRC account, your surveillance cameras, and your customer database. How many former employees can still log in to your systems right now?

Why turnover is a cybersecurity problem

The security risk isn't theoretical. 95% of cybersecurity incidents trace back to human error. When employees rotate every few weeks, you face orphaned accounts with active credentials that nobody revokes, shared logins across shifts where three budtenders use the same POS password, knowledge loss where departing staff take security procedures with them, insider threats from disgruntled former employees who retain access, and zero audit trail when multiple people share the same credentials.

The Ohio Marijuana Card breach — where 957,434 patient records sat in an unprotected database — illustrates what happens when basic access management doesn't exist. The average data breach costs $4.44 million across all industries (IBM, 2025), and 60% of small businesses close within six months of a major hack.

The cannabis-specific wrinkle

State compliance systems like METRC require individual user accounts tied to your license. A terminated employee with lingering METRC access isn't just a security risk — it's a compliance violation. The same applies to state-mandated surveillance systems, limited-access area badge controls, and POS platforms that log transactions by user. Every vendor in your stack — Dutchie, Flowhub, Treez, Cova — has its own user management portal. When someone leaves, you need to revoke access across 5–10 disconnected platforms, not just disable an Active Directory account.

IT onboarding checklist: Day one security

Unique credentials. Every employee gets their own username and password for every system. No shared logins. No exceptions. This is non-negotiable for both security and compliance audit trails.

Role-based access. A budtender doesn't need admin access to METRC. A trimmer doesn't need access to the POS back office. Configure permissions by role, not by convenience.

MFA enrollment. Enroll every new employee in multi-factor authentication on their first day — before they access any system containing customer or compliance data.

Security awareness training. A 15-minute onboarding module covering phishing recognition, password requirements, and what to do if they suspect a security incident. Document completion.

Acceptable use agreement. A signed document acknowledging company policies on device usage, data handling, and the consequences of unauthorized access. It goes in the personnel file.

IT offboarding checklist: Same-day revocation

Immediate credential revocation. Disable access across every platform the same day the employee departs: POS, METRC/BioTrack, email, surveillance viewer, cloud storage, VPN, WiFi, and any vendor portals.

Badge and physical access. Deactivate access badges for limited-access areas immediately. Collect physical keys. If they had alarm codes, change them.

Device recovery. Retrieve any company-issued devices — laptops, tablets, phones. Remote-wipe if devices can't be recovered. Verify no company data remains on personal devices.

Access log review. Review the departed employee's recent access logs for any unusual activity — large data exports, access from unusual locations, or access to systems outside their normal role.

Shared password rotation. If shared credentials existed (they shouldn't, but often do), rotate every password the departed employee knew. WiFi passwords, safe combinations, alarm codes — all of it.
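The onboarding and offboarding checklists above come down to one record: who has which login on which platform, and whether that person still works here. The following Python script is an added example, not code from this article or from any managed IT provider, that models such an access matrix and runs the offboarding checks against it: it lists orphaned accounts (active logins owned by departed staff), flags shared logins that have no audit trail, produces the per-platform revocation list for one employee, and reviews access logs for post-termination activity and large exports. The employees, account records, log format and the 1,000-row export threshold are all constructed for the example; the platform names are the generic ones the article uses.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed sample data for this example. Names, usernames, platforms
# and log lines are invented; nothing here is a real vendor export.


@dataclass
class Employee:
    emp_id: str
    name: str
    role: str
    terminated: Optional[date] = None  # None means still employed


@dataclass
class Account:
    platform: str
    username: str
    owner: Optional[str]  # emp_id, or None when the login is shared
    active: bool = True


ROSTER = [
    Employee("E001", "Alice Budtender", "budtender"),
    Employee("E002", "Bob Trimmer", "trimmer", terminated=date(2025, 3, 1)),
    Employee("E003", "Cara Manager", "store_manager"),
]

ACCOUNTS = [
    Account("pos", "alice", "E001"),
    Account("pos", "bob", "E002"),                # orphaned: Bob left 1 March
    Account("metrc", "bob.trimmer", "E002"),      # orphaned, and a compliance issue
    Account("metrc", "cara.manager", "E003"),
    Account("surveillance", "frontdesk", None),   # shared login: no audit trail
    Account("email", "bob@example.test", "E002", active=False),  # already revoked
]


def orphaned_accounts(roster: List[Employee], accounts: List[Account], as_of: date) -> List[Account]:
    """Active accounts owned by employees whose termination date is on or before as_of."""
    gone = {e.emp_id for e in roster if e.terminated and e.terminated <= as_of}
    return [a for a in accounts if a.active and a.owner in gone]


def shared_accounts(accounts: List[Account]) -> List[Account]:
    """Active accounts not tied to a single employee (rotate these on every departure)."""
    return [a for a in accounts if a.active and a.owner is None]


def offboarding_checklist(emp_id: str, accounts: List[Account]) -> List[str]:
    """Platforms where this employee still has an active login to revoke."""
    return sorted({a.platform for a in accounts if a.active and a.owner == emp_id})


# Constructed log lines in a simple "timestamp key=value ..." format (hypothetical,
# not any vendor's real log format).
LOG = """
2025-02-27T18:02:11 platform=pos user=bob action=login
2025-02-28T19:40:03 platform=pos user=bob action=export rows=4200
2025-03-02T22:15:47 platform=metrc user=bob.trimmer action=login
2025-03-03T09:01:00 platform=pos user=alice action=login
""".strip().splitlines()

EXPORT_THRESHOLD = 1000  # assumed cut-off for a "large" export; tune per platform


def parse_line(line: str) -> dict:
    ts, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def review_access_log(lines: List[str], roster: List[Employee], accounts: List[Account]) -> List[str]:
    """Flag activity after termination and large exports by departed employees."""
    emp_by_id = {e.emp_id: e for e in roster}
    owner_of = {(a.platform, a.username): a.owner for a in accounts}
    findings = []
    for line in lines:
        rec = parse_line(line)
        emp = emp_by_id.get(owner_of.get((rec["platform"], rec["user"])))
        if emp is None or emp.terminated is None:
            continue  # active employee or unknown login: out of scope here
        when = rec["ts"]
        if when.date() > emp.terminated:
            findings.append(f"{when:%Y-%m-%d} {rec['platform']}: {emp.name} used '{rec['user']}' after termination")
        if rec.get("action") == "export" and int(rec.get("rows", 0)) >= EXPORT_THRESHOLD:
            findings.append(f"{when:%Y-%m-%d} {rec['platform']}: {emp.name} exported {rec['rows']} rows")
    return findings


if __name__ == "__main__":
    today = date(2025, 3, 5)
    for a in orphaned_accounts(ROSTER, ACCOUNTS, today):
        print(f"ORPHANED  {a.platform:12} {a.username}")
    for a in shared_accounts(ACCOUNTS):
        print(f"SHARED    {a.platform:12} {a.username}")
    print("Revoke for E002:", offboarding_checklist("E002", ACCOUNTS))
    for finding in review_access_log(LOG, ROSTER, ACCOUNTS):
        print("LOG      ", finding)
```

Run against the sample data, the script reports Bob's lingering POS and METRC logins, the shared surveillance login, a two-platform revocation list for Bob, and two log findings: a 4,200-row export the day before he left and a METRC login the day after. In practice the `ACCOUNTS` list would be rebuilt from each vendor portal's user export before every review, since an access matrix that is not reconciled against the platforms themselves is exactly how orphaned accounts survive.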

The managed IT solution

Most cannabis operators don't have the bandwidth to manage provisioning and deprovisioning across 5–10 vendor platforms for every hire and departure. That's exactly what a managed IT partner handles. We maintain a master access matrix for every employee, automate provisioning workflows, and execute same-day revocation when someone leaves — across every system, every platform, every time. No orphaned accounts. No compliance gaps. No former budtender browsing your customer database six months after they left.

This article is for informational purposes only and does not constitute legal or cybersecurity advice. Consult qualified professionals for guidance specific to your operation.

How many former employees can still access your systems?

Book a free assessment. We'll audit your access controls and show you exactly where the gaps are.
