A risk management expert has cautioned that the medicinal cannabis sector could face a surge in criminal break-ins unless companies take security far more seriously, warning that organised criminals already view the product as the "new cash."
Glenn Lynch, Director of Risk, Safety and Technology at Barrington Group Australia, said the high street value of the product combined with a general inexperience in handling schedule 8 medicines leaves the industry particularly exposed to organised criminal activity.
"In essence, it is a cash asset, something that can be sold," he said "A business criminal can break in and get their hands on millions of dollars of product that they can move very quickly on the street. And it's a lot easier than robbing a bank."
Lynch noted that the banking sector has substantially strengthened its defences in recent years, pushing opportunistic criminals toward easier targets.
"The banks worked so hard to stop armed robberies. They secured the cash, they put up resistance screens, they've got cameras everywhere. Robbers might get away with a few hundred bucks if they're lucky. The risk versus the reward doesn't stack up.
"That's not the case with cannabis. It is a relatively new industry and people working in it may not have a history of storing schedule 8 medicines.
"They may not know that their facility is not properly secured, they may think the fabric of their building is difficult to get through. Even though a determined robber can breach it in five minutes with a demolition saw and a sledgehammer.
"In my experience working with the banks to prevent ram raids and ATM gas attacks, there's a snowball effect. Once one attack happens, there's a huge spate until that industry changes. But by then it's too late.
"I'd like to see the medicinal cannabis industry act before it gets to that point."
Lynch said the added risk for a relatively new medicine that already contends with public stigma is that poor security practices could further erode its standing with regulators.
"An incident or one attack probably doesn't upset the apple cart too much," he said. "But if you get two or three incidents in close succession against different organisations, the whole industry is damaged and it takes time to recover.
"We want to see the sector respected for following the proper processes and protocols. Unfortunately, that takes a bit of investment."
Lynch said the sector's vulnerability stems from a combination of regulatory ambiguity, financial pressure, and a lack of familiarity with the requirements around medicine storage.
He outlined several practical steps companies can take to reduce their exposure to these risks.
The most critical, according to Lynch, is conducting a thorough risk assessment before designing any secure facility.
"A security consultant will do an assessment first to understand your operation and the risks you potentially face. And then they can overlay that with the requirements – both state and federal – to ensure your facility is compliant."
While bringing in a security consultant is essential, Lynch stressed that they must be engaged from the beginning of the process so they can shape the project's design rather than simply approve someone else's plans after the fact.
"They shouldn't just sign off someone else's work," he said. "They should write a detailed specification with drawings. They shouldn't specify a brand, but they should specify a minimum standard to meet."
Although a security consultant should not direct clients toward a particular supplier, they should be equipped to assist throughout the tender process, Lynch added.
"They will know the suppliers, and can help put together a request for information to determine whether their products are self-certified or independently tested, and whether they meet Australian standards. Then – and only then – do you let them shoot it out on price."
Lynch said self-certification by suppliers should be treated as a serious warning sign.
"There's no way of knowing whether those products meet the required standards. They may do, but they've just tested it themselves, it's not been independently verified, so they could be cutting corners. We don't know because it's not at arm's length."
Relying on the assurances of self-certifying third parties puts medicinal cannabis companies at significant risk, he added.
"If you transfer [responsibility] to a supplier that self certifies, your brand could suffer significant damage if you have an incident and you're found to be negligent. Or that you knew your supplier had self-certified and didn't do anything about it."
Lynch acknowledged that cash-strapped companies often feel pressure to economise on security, but said that approach typically results in higher costs down the line when inadequate or non-compliant solutions need to be corrected.
"There's an old saying that the poor person pays twice, and that's definitely true in security, where mistakes can prove costly to undo. Retrospectively, you could double your initial investment.
"It's a dead cost – a straight hit to the bottom line – but it's important to remember that you are protecting your people, your brand and your licence."
A common error Lynch identified is that companies focus almost entirely on external threats, only addressing access controls once a facility has already been built — leaving internal risks unexamined.
That oversight can be just as dangerous, he warned.
"We take the cyber security approach of zero trust and crime prevention through environmental design (CPTED)," he said. "We get involved as soon as an architect has done a draft sketch. We can design out the risks of crime prior to even turning soil.
"Has your security team been vetted? Do you know who they are? Have you done police checks? If you want to stop the threat from inside, you need to know who your people are, and how they work. You need to ensure that all your staff don't know all of your operation, only components of it.
"Security is a jigsaw puzzle."
Adding to the complexity are the overlapping rules that flow from the Office of Drug Control (ODC) at the federal level and individual state health departments.
"The rules can be confusing and some consultants pick and choose what regulations they want to read and how to apply them – to the detriment of the customer."
As an illustration of the confusion that can arise, Lynch pointed to ODC guidelines requiring that refined cannabis be protected behind two layers of intruder-resistant physical barrier, one of which must be a secure storage unit.
However, the ODC does not specify the exact requirements for that storage unit, instead placing the onus on licence holders to provide "security that is appropriate to the volume of cannabis to be stored."
That vagueness creates opportunities for companies to take shortcuts, Lynch said, though he maintained that a competent security consultant should ensure their clients do not go down that path.
"We talk in terms of the 'onion layer' of security," he said. "Nothing works in isolation."
For those who let cost considerations override security, Lynch had a blunt warning.
"The ODC says it is the licensee's responsibility to ensure that their facility meets the requirements," he said. "If they don't they could lose their licence, and we know how hard they are to get. Why would you take that risk?"
