Expanding Safety-Sensitive Roles to Address Cyberattacks

The potential for a cyberattack is one of the most significant threats to businesses across all industries. These attacks are increasingly sophisticated and complex and can often go unnoticed, causing widespread damage and disruption both internally and externally to vendors or partners. In fact, according to recent data from Verizon’s Data Breach Investigations Report,1 ransomware accounted for 25% of all breaches in 2021 – continuing its upward trend.

While it is impossible to be 100% safe from cyberattacks, organizations can reduce their vulnerability by thoroughly training employees and developing new policies, in addition to strengthening current policies. This effort includes expanding policies that focus on substance use on the job.


Traditionally, there is the temptation to limit drug testing to candidates and employees in positions associated with high physical risk or post-incident scenarios – but what about other risk-sensitive situations?

A reported 82% of breaches organizations experienced resulted from human involvement, including phishing, misuse, human error, or stolen credentials.2 And although many employees are vigilant about reporting suspicious emails, working under the influence can reduce alertness and create unnecessary vulnerabilities for organizations.

In addition to training employees to identify potential hazards and strengthening policies, organizations can further reduce risks by deterring substance use during work hours. One way to think about this is that no company expects an employee, remote or on-site, to use alcohol while on the clock or work while under the influence of alcohol. So why should the use of other impairing substances be any different?


Beyond internal cyber risks, organizations with employees working in an incapacitated state can become a vendor risk, leaving partner organizations vulnerable. Here are a few best practices for organizations to implement in addition to effective workplace cannabis policies and testing:

  1. Ensure recent software updates occur. Developers constantly update their software to bring users the latest features and remedy security flaws hackers can exploit. Setting up employees’ operating systems or applications to update automatically can lessen an organization’s exposure. 
  2. Back up sensitive data. Having backup copies of the company’s or customers’ information is imperative and can guard against unforeseen catastrophes, not just cyberattacks. At least one of these copies should be stored offline, disconnected from your network, and inaccessible from the internet. Periodically test the backup to ensure its data can be recovered flawlessly.
  3. Develop comprehensive cyber education and risk policies. The users of your information technology, including employees, are often the weakest point of your security – unless they are educated and made aware of the threats. For example, the strategy should require users to choose strong passwords and prohibit the reuse of passwords across multiple accounts. Password reuse is common and leads to attacks known as credential stuffing. In these attacks, a hacker attempts to use a compromised password from one account on various other systems, hoping the user did not use unique passwords.

As cyber attackers continue to develop new malicious techniques and strategies, it is mission-critical to ensure employees are alert and using their best judgment. Beyond ensuring workers performing manual tasks aren’t creating hazardous situations, organizations need to have a holistic substance use policy to deter use immediately and during the workday to reduce the chances of cyberattacks successfully penetrating the first line of defense – a company’s employees.   

To learn more about effective workplace policies in the era of cannabis legalization, check out this blog that examines why employers need to return to the basics of objective testing to deter and detect recent use. 

Originally prepared for and published by PBSA in the May-June 2022 edition of the Journal.

July 14, 2022

Chief Information Security Officer