Accidents and disasters, either man-made or natural, can strike anytime. No business is immune. The development and execution of an emergency response plan makes sure your employees are prepared to handle a situation.
Every organization, no matter the size, needs an emergency response plan in place, says Zachery Bruce, safety services manager at Hortica.
“An emergency response plan is important because it allows an organization to identify potential emergencies and be prepared for them. You can’t be prepared if you don’t plan,” he says. “A plan should train staff to respond appropriately to emergencies and it provides documentation for every employee. And leadership must know how to execute the plan.”
When it comes to emergencies, weather is typically the first thing people think about. But there are other perils facing businesses such as pandemics, cyber attacks, accidents and burglaries.
How to begin
The first step when creating a plan is to identify an emergency response team.
“Make sure you have key employees on your team who have a good understanding of the organization and the facilities,” Bruce says. “Maintenance staff should be included because they know where to find the shutoff valves for power, gas and water, for example. The team shouldn’t be so big that it becomes unmanageable, but you need a good representation of people from HR, maintenance and production.”
Once you have your team in place, it’s time to perform a risk assessment. The team is charged with identifying what potential emergencies your facility could face.
If you need help identifying a comprehensive list of emergencies or developing the plan, there are agencies and companies that can help. An interagency site, www.ready.gov, provides a comprehensive list of resources for emergency response plans. OSHA provides e-tools to help businesses create plans. They’re available at www.osha.gov/SLTC/etools/evacuation/eap.html.
Your own insurance carrier can assist with training materials or templates, and it’s always a good idea to contact your local emergency response authorities such as fire departments and EMS for guidance, Bruce says.
Once your plan is finalized, choose someone on the response team who will initiate and act on the plan when an emergency arises.
“There needs to be someone who leads the response,” Bruce advises. Name a backup in case that person is not at work when the emergency occurs.
Next steps
It’s critical to perform drills, which often doesn’t happen in many businesses, Bruce says.
“If you don’t practice it, you won’t likely do well in your response,” he adds.
During a drill, take notes to determine which areas need work or where more training is needed. Did everyone get out in a timely manner? Was the plan clear?
“It’s a good learning experience, and it will demonstrate where your shortcomings may be,” he says. “You should also consider having a drill during the peak season when the majority of your employees are there.”
Emergency response plans should be reviewed annually at the very least, and certainly after you’ve completed a drill, he says. Review it and make necessary changes if you perform any major facility changes, such as new buildings and new equipment, which could create new potential exposures, he says.
Your plan and list of procedures must be accessible to all employees. Consider housing it on a company intranet, or putting a copy in the breakroom or in another common area. Also consider your non-English-speaking employees and make sure your plan is properly translated.
Another consideration when it comes to emergencies is to store copies of important documents offsite, to house data backups offsite and make sure you test that backup system, he adds.
If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your entire cybersecurity profile. Your employees have business-need access to a lot of important data, and their ability to protect that data — or to inadvertently let it walk out the door of your organization — is strong.
Lack of education has been at the heart of several major security breaches. Consider the scenario of the new HR employee who got an email from the president of the organization asking for all the W2 information on every employee, and sent it exactly as instructed. The employee did not recognize that the email came from a hacker impersonating the CEO, and a major security breach took place.
Entire business models are based on this kind of fraud. Let’s pretend that I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. The access is still free, though.
No big deal, right? Wrong. In this scenario, I own this website, I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company’s VPN portal, and anywhere else that I think you might have used the same username and password. I will then extract any valuable information I can from those sites, sell the information for a profit, possibly ransom your own data from you to make even more money, and then move on to the next victim.
Need some numbers to illustrate why educating your employees about cybersecurity practices is important?
The IDG 2018 Global State of Information Security Survey reported that during the past year, the top sources of security incidents were current employees (30%), former employees (27%), and unknown hackers (23%). The main impacts include customer and employee records being compromised, and the loss or damage of internal records.
According to the Ponemon Institute, 60% of employees use the exact same password for everything they access. Meanwhile, 63% of confirmed data breaches leverage a weak, default or stolen password.
Cybersecurity training
So where can your company start? Start with a training program. Your employees need to be educated on cybersecurity best practices.
Any cybersecurity awareness training program should address implementing real password policies. There’s no easy way to say this, so I’m just going to say it: Passwords stink. They are no fun to create, no fun to remember, and no fun to type in. But passwords are still the most common authentication method today. It is imperative to implement a password policy requiring complex passwords that can’t easily be guessed, and end-user training to go along with it. Microsoft’s Active Directory “require complex passwords” setting is a start, but end-user training is also mandatory.
Many users apply the same passwords for every online system in which a password is needed. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your firm’s VPN. It is imperative that your cybersecurity awareness training program encourage your team members to use different passwords for different sites, and especially for any system that your company uses.
Most companies have some sort of safety guidelines that their employees must follow or be aware of, and cybersecurity should be no different. There are a number of companies that specialize in this type of training, and picking the right type of training is critical.
Cybercriminal profiles
Today’s cybercriminals come at your company from many angles. Their motivations are often more practical than many law-abiding citizens would expect.
Profit. They want money, and you have information they can monetize.
Influence. They can use data to manipulate business or personal situations in their favor.
Power. If your company dominates an industry or owns critical trade secrets, others wish to take that power away from you and use it for their own advantage. Cybercrime is one way to accomplish that goal.
Motives such as these change the way cybercriminals operate. They are organized. They share information with each other. They are often well-funded. And these things make them more dangerous.
Some cybercriminals are also your employees. This is a difficult topic. While it’s true that internal employees are responsible for a large number of cybersecurity breaches, it’s also true that most of these are unintentional. They are a result of good people doing something they shouldn’t, either out of ignorance or because a cybercriminal tricked them into doing it (if you saw the movie “Catch Me if You Can,” this is Frank Abagnale’s social-engineering behavior). Statistics on the exact percentage of “insider” cyber breaches that are deliberate vs. inadvertent vary widely, but the opinion can be held that the vast majority of insider threats are not malicious. No matter which statistic you believe, everyone agrees that many insider threats would have been prevented if the insider had understood how his or her behavior allowed a breach to occur. It’s easy to see why a good cybersecurity awareness training program is so important to the success of your company.
There is also a risk that an employee with malicious intent will breach your sensitive data, whether to share sensitive details with a competitor, to profit from your data, or, in the case of a disgruntled employee, to carry out revenge against your company. If your company falls victim to a malicious employee, finding out what happened is even more difficult because such employees often have high-level system privileges that allow them to erase their tracks.
If your company is one of the unlucky ones where an insider deliberately caused a security breach, then you are automatically in the highest risk category of those susceptible to cybercrime. The keys to mitigating this risk are simple.
Educate your employees. Establish a strong mandatory and frequent cybersecurity awareness training program for your employees that clearly lays out the policy for cybersecurity and the consequences of violating the policy. Don’t allow employees to take home devices that contain sensitive files due to the risk of the device being stolen or sensitive data being transmitted over insecure networks at their home or other locations. Instruct your employees to never share their passwords.
Know your people. Perform background checks on your employees to assist in identifying those that may take deliberate actions that would harm your company. Know which people have access to the most sensitive data.
Guard your most sensitive data. Limit your employees’ ability to obtain access (intentional or unintentional) to sensitive information via a least-privileged approach to your data. Identify your most sensitive and valuable data. Then assign that data the highest safeguarding and most persistent monitoring.
Remove your users’ “local administrator privileges” on their company-provided laptops or desktops. A local administrator is someone who can do anything he or she chooses to with a computer, such as install programs, delete files, change sensitive security settings, and so on. Turning on “egress filtering” on your network and limiting the use of USB thumb drives will make it harder for anyone to make copies of sensitive data and move them outside of your organization.
Ensure that you have forensics available to you. Tracking down an internal cybercriminal requires logging of network activity, especially for any access to sensitive information. Any logs need to be stored in an area that is accessible to the fewest employees possible.
In short, your employees are your most valuable asset, but can also be your greatest liability. They need to be trained on best practices to keep your data safe, and they also need to understand that you have forensic systems in place that will likely catch them if they attempt to access data they should not. A “trust but verify” approach regarding employee access to your critical intellectual property is an important part of your company’s cybersecurity program.
Bryce Austin is the CEO of TCE Strategy, and actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats.
The cannabis industry’s regulatory evolution
Look back 10 years and learn how the development of medical and adult-use licensing and testing regulations in various states impacted businesses, patients and consumers.
Almost seven years ago, Strawberry Fields’ team worked through the holiday season to adopt a cannabis tracking system, as mandated by the state of Colorado. Their deadline? When the clock struck midnight on Dec. 31, 2013. But unlike the people who organize the annual New Year’s Eve celebration in Times Square, the cannabis cultivation company didn’t want to drop the ball.
“All the tagging of the plants and getting that system up and running within our grow in a short amount of time was just insane,” says Rich Kwesell, who founded and owns cultivator Strawberry Fields with his brother, Mike.
The business’ roughly 30-day notice to adopt the Marijuana Inventory Tracking System (MITS, precursor to METRC) on the cusp of Colorado’s rollout of adult-use sales on Jan. 1, 2014, was just a preview of the regulatory compliance that would come. The state would become more stringent with its requirements as it transitioned from serving a limited medical patient base to a much larger group of adult-use consumers.
Ensuring traceability and safety in a regulated market is paramount to cannabis cultivators, regulators and other industry stakeholders. To further establish their grip on the cannabis market, or to avoid it entirely, many state and local lawmakers have also restricted cannabis business activity through license caps, bans and moratoriums, complicating regulatory compliance. This piece reviews the evolution from early industry testing and licensing regulations to today, how the patchwork system continues to change, and how regulations can be improved.
Colorado: Paving the way
Since it began cultivating cannabis more than a decade ago, Strawberry Fields has grown to roughly 90,000 square feet of state-legal greenhouse cannabis production and another about 210,000 square feet of greenhouse production of feminized hemp seed, Rich Kwesell says. Kwesell Brothers Group (KBG) is now vertically integrated with brands touching everything from cannabis cultivation, processing and retail to ATM services and online document management.
Although regulations seemed daunting when adult-use sales went online in 2014, they were relatively loose compared to now, and they continue to evolve.
For example, the state started requiring pesticide testing for adult-use and medical cannabis in 2018, as has become the norm in most states. It was an easy adjustment for Strawberry Fields, however, as leadership had already been growing and marketing pesticide-free product.
“Something that we adopted early, early on was biocontrols,” Kwesell says. “I’m just super thankful that we did that.”
Businesses blossomed across the state where they could. Colorado’s Marijuana Enforcement Division (MED) data shows 705 adult-use grow licenses as of Aug. 3, 2020, and 599 adult-use stores as of Aug. 1, 2020. Amendment 64, while avoiding capping licenses at the state level, allowed cities and counties to limit and even ban cannabis industry establishments and institute moratoriums. (As of January 2019, fewer than 30% of Colorado cities and towns had cannabis sales, according to the Denver-based news publication Westword.)
Not all cities and counties have license caps on grows, but with many limits on storefronts due to moratoriums, bans and strict zoning, the market will see consolidation in the growing space, Kwesell says. And that’s OK, he says.
“I believe in free market, and I think that that provides the best products that I buy from all different kinds of companies.”
Some regulations have eased as the market has matured. In 2019, for example, Colorado did away with a ban on cannabis business ownership by publicly traded companies.
Shannon Gray, communications specialist for Colorado’s Marijuana Enforcement Division (MED), the agency tasked with making and enforcing rules and regulations for the state’s industry, says the agency continues to collaborate with many industry stakeholders in the rulemaking process.
“That includes cultivators from different areas, testing facilities, licensees of every type, and then local jurisdictions, public health advocates, public health officials — just everyone who touches this industry in some way,” Gray says.
In a larger effort to collaborate to create sensible regulation for the industry, MED Executive Director Jim Burack says regulators from states with medical and adult-use programs, and Canadian provinces, formed a group about three years ago called The Regulator Roundtable.
“For Colorado, we’ve shared our successes with packaging and labeling, vaping, testing and production management with other states and received ideas most recently about how to create a social equity program that is sustainable and effective,” Burack says.
Burack says MED has also traded regulatory insights with government representatives in the Netherlands and New Zealand.
Colorado’s early foray into adult-use legalization, and the lessons that went with being a pioneer, helped set the stage for rules and regulations for the entire industry, Kwesell says.
For example, over the years in Colorado, residents and business owners have complained of the influx of cannabis operations and sued cannabis businesses. Visiting officials from other states have taken this to heart, Kwesell says, limiting license numbers and implementing strict zoning.
Washington: Controlled licensing but voluntary testing
On Nov. 6, 2012, the same day Colorado voters passed Amendment 64, voters to the northwest in Washington state legalized adult-use cannabis through Initiative 502.
Unlike Colorado, Washington’s adult-use market didn’t follow a regulated medical market, says Crystal Oliver, who co-founded Washington’s Finest Cannabis with her husband, Kevin Oliver, in 2014. “… It was a very different environment as far as what the existing marketplace looked like,” she says.
Crystal Oliver, whose Deer Park, Washington-based operation includes about 30,000 square feet of outdoor cannabis production, says the state’s medical market was split between two federal prosecutors. Jenny Durkan, now mayor of Seattle, allowed storefronts to operate in the Western District. Mike Ormsby in the Eastern District didn’t allow them to operate, as Oliver puts it, “in any significant numbers nor for very long.”
For years following medical marijuana legalization in Washington in the 1990s, only medical patients and their primary caregivers were permitted to grow cannabis, says Sativa Rasmussen, associate at law firm Dorsey & Whitney and chair-elect of the Washington State Bar Association’s Cannabis Law Section. In 2011, the state passed a bill to permit “collective gardens,” allowing up to 10 medical patients to share a garden.
In 2015, the state passed the Cannabis Patient Protection Act, which, among other things, ended collective gardens, effective July 2016, and replaced them with medical cooperatives, says Brian E. Smith, spokesperson for the Washington Liquor Control Board (LCB). The cooperatives are limited to four patients.
The state previously limited producer licenses to one per entity, Oliver says, then changed the rules in 2017 to allow for three per entity, with the stipulation that two of them be gained through an acquisition.
Under the 2015 Cannabis Patient Protection Act, passed after the state’s adult-use market became operational, the state aligned the medical and adult-use markets. Smith says retailers “are required to hold a medical marijuana endorsement to sell certain medical product and must have a consultant on site.” However, producers and processors don’t need a separate endorsement.
As of Aug. 19, 2020, Smith says Washington has 942 active producer/processor licenses, 146 active producer-only licenses and 233 active processor-only licenses.
The state allows cities, towns and counties to ban or set moratoriums on cannabis establishments. Vertical integration, along with out-of-state owners, has been prohibited since adult-use cannabis was legalized.
The ban on vertical integration helped encourage an array of diverse businesses and low barriers to entry, says Oliver, who also has served on a number of regulatory working groups over the years, including on the LCB’s Cannabis Advisory Council. “A lot of the things they did in Washington were done with that in mind: how [to] get these folks who are operating a currently illegal business to step into the light and operate under these regulations instead,” she says.
Out-of-state financing, originally banned, became legal in 2016 in the form of gifting and lending. And out-of-state ownership is still a point of contention. This, Oliver points out, is exemplified by a lawsuit filed in Thurston County Superior Court in June 2020, Todd Brinkmeyer v. Washington State Liquor & Cannabis Board, which challenges the constitutionality of the ban on out-of-state owners.
“... It seems that in order to attract significant investment into Washington state, we would need to be drawing investment from outside our state,” Oliver says. “[It] also … seems the people have figured out other ways to kind of circumvent those restrictions, so I’m not sure how much those restrictions really help at this time.”
The industry’s ability to obtain access to significant capital seems to generally be more difficult in Washington than in some other states, like Colorado, Rasmussen says.
At the same time, Rasmussen says industry members are concerned that “lifting the residency requirement would result in an influx of big money, which would lead to consolidation and the elimination of small, locally owned craft cannabis businesses, which … is already something that small producers are struggling with.”
Washington’s testing requirements for adult-use cannabis include analysis of potency, mycotoxins, moisture, microbiological content, residual solvents and foreign matter, Smith says. The state also regularly updates lists of permitted pesticides and their limits, prohibited pesticides, and allowable limits for four heavy metals. But it doesn’t require testing for pesticides or heavy metals in the adult-use market.
The state’s medical market adopted permanent rules for required pesticide testing and heavy metal testing in 2017 and 2018, respectively, Smith says.
Many participants in the state’s adult-use cannabis industry, however, have conducted voluntary testing to ensure safe product, Oliver says. “Periodically, if there’s been a complaint or some allegation, we’ve seen the WSDA [Washington State Department of Agriculture] and LCB go out to facilities and do sampling to identify if illicit pesticides are being used and that sort of thing,” she says.
This regulatory scheme might change soon, though, Rasmussen says. At the urging of consumers, businesses and other adult-use cannabis stakeholders, LCB may adopt mandatory pesticide and heavy metal testing soon after press time in August 2020, to require testing as soon as March 2021.
Another potential change to Washington’s program, Oliver says, would be the establishment of farm-direct sales. “I think that’s an interesting area and one I’d like to see the industry evolve so that farmers have more opportunity to connect with consumers and educate consumers, and I think that would be good for the overall industry,” she says.
Oregon: Growers glad they were No. 3
With an optimal climate for sun-grown cannabis and history of enterprising growers, Oregon has a long history of growing the plant, says Mason Walker, CEO and co-owner of East Fork Cultivars in Southern Oregon.
Its medical program, which began in the late ’90s, was popular, Walker says. “Prior to recreational, a rich web of medical growers, processors, and dispensaries stretched across the state,” he says. Patients are still allowed to grow plants or designate a caregiver who can, and doctors can prescribe cannabis. But adult-use dispensaries now serve most medical patients.
In 2014, voters’ passage of Measure 91, to legalize adult-use cannabis, followed Colorado and Washington’s legalization initiatives.
“I was kind of surprised that we didn’t lead as one of the first states, but I’m actually in retrospect really glad that we were No. 3 to the party because we got to learn a bit from the mistakes that Washington and Colorado made in the structures of their industries they set up,” Walker says.
Unlike those states, for example, Oregon required pesticide testing when adult-use growers began cultivating in 2016. The state had “by far the longest list of banned pesticides” at the time, Walker says, and it still has stringent regulations for pesticide and solvent testing. Like those states, Oregon does allow local governments to opt out of the adult-use program.
Walker says East Fork Cultivars has had “a seat at the table” during regulation development and rulemaking, and its team members sit on various industry boards. They have, for instance, served on rules advisory committees with the Oregon Liquor Control Commission (OLCC); most recently, East Fork’s Education Director Anna Symonds joined the rules advisory committee on vaporizer additives.
One of East Fork’s co-founders, Nathan Howard, has been involved in Oregon politics for several years. “He was heavily involved in the shaping of that adult measure that led to legalization in Oregon,” Walker says. “So, we’ve had that inside view from the beginning, which we’re lucky to have.”
Oregon took a “small-license approach” to licensing and limited the amount of production space per cultivator in the adult-use market, says Walker, whose operation, founded in 2015, is growing about one acre of adult-use cannabis and nine acres of hemp in 2020. “They decided that a patchwork with a large number of small businesses is going to be the best approach for a more equitable, inclusive industry,” he says.
However, no limits on licenses or residency requirements for ownership, and low barriers to entry (non-refundable $250 application fees and annual fees ranging from $1,000 to $5,750), paired with limited demand, led to an oversupply in the Oregon market. In 2019, the state passed a bill allowing the OLCC to freeze the processing of license applications received after June 15, 2018. It is set to expire in January 2022.
And as of Aug. 7, 2020, the OLCC has granted nearly 2,300 recreational producer, processor, retailer and wholesaler licenses, according to the agency’s website.
Oregon’s climatic conditions make it ripe to become a net exporter state if and when interstate commerce opens up, Walker says. That will be a multistep process but is underway. In the summer of 2019, Oregon passed a bill to allow cannabis imports and exports. The next steps, Walker adds, are for other states to enact similar legislation and the federal government to indicate it will allow it.
Tough market conditions, he says, have so far set “Oregon up to be stronger when interstate commerce happens because we’ve gone through that crucible of competition, honed our products, honed our brands.”
Illinois: Rec in the Midwest
The Illinois General Assembly legalized adult-use cannabis in 2019, and sales started Jan. 1, 2020. It was the second Midwest state to legalize recreational cannabis, behind Michigan, and these newer markets have had the advantage of learning from the medical and adult-use pioneers that preceded them.
Bedford Grow Vice President of Sales and Marketing Paul Chialdikas says the state’s medical program required, from day one, that labs test for cannabinoids, pesticides, residual solvents, mycotoxins, bacteria and yeasts.
Aside from following the rules and regulations that address state laws, testing labs often take additional steps to ensure customers get the product they’re looking for. “The labs stepped up at the very beginning, started adding terpenes.… Our labs are so thorough that I trust the product that all the cultivators are putting out in the state of Illinois.”
Over the years, the lab that Bedford Grow uses has increased the number of terpenes for which it tests. In 2020, the state began requiring labs to test for heavy metals, Chialdikas says.
The Illinois Department of Agriculture confirmed these testing requirements, but the state uses the term “microbiological contaminants” instead of “bacteria” and “yeasts.”
With licensing, Illinois has allowed 22 cultivators to grow for the medical market, according to the Illinois Department of Agriculture. Now, those same 22 cultivators grow product for adult-use sales.
“The capped licenses allowed the state to learn [how to regulate the new industry]. Now, can they add more? I think the state of Illinois probably feels comfortable that they can add more,” Chialdikas says. “To have come into the market and say, ‘We’re going to allow 1,000 operators’? Whoa, I don’t know. I don’t know if we’d be at the spot we’re at right now, with the quality of product that we’re putting out in the marketplace.”
(Contrastingly, Oklahoma has nearly 6,000 active grower and 21 active lab licenses as of July 1, according to the Oklahoma Medical Marijuana Authority. The state announced in July that it will begin enforcing testing for all cannabis products for the first time since sales began in 2018.)
Illinois has delayed issuing additional licenses for craft growers, infusers, transporters and retailers until at least late August, citing the COVID-19 pandemic.
Before COVID-19 struck the U.S., the state of Illinois would send a compliance director to Bedford Grow’s roughly 80,000-square-foot building in Chicago every week for five hours. “He walked the facility with bar coding — everything’s bar coded — checked plants, checked weights. … It was thorough,” Chialdikas says. In the COVID age, “they come in the back door through our computer system and watch our cameras and everything,” he adds.
Ohio: High compliance in a medical market
Ohio’s medical marijuana program, which launched in January 2019 following legalization in 2016 through the state legislature, grew to nearly 109,174 registered patients by the end of May 2020, says Ali Simon, spokesperson for the state’s Board of Pharmacy. As of press time, 24 cultivators hold certificates of operation, and another nine hold provisional licenses, according to Jennifer Jarrell, spokesperson for the Ohio Department of Commerce.
Ohio’s relatively tightly regulated market works for Brian Kessler, chairman of the board of Youngstown, Ohio-based grower Riviera Creek, which he owns through his company SBL Venture Capital LLC. Kessler was motivated to enter the cannabis industry because he wanted to produce a regulated product that was safe for consumption.
According to its administrative code, Ohio requires labs to test for contamination from microbials and mycotoxins; contamination from heavy metals, “including, at a minimum, arsenic, cadmium, lead, and mercury;” fertilizer and pesticide residue; and cannabinoid potency for THC, THCA, CBD, CBDA and CBN.
“When a state puts in place good, solid testing requirements and makes you have methodologies that you need to do to meet it, I’m a big fan of that. And Ohio has that,” Kessler says.
Testing labs may test for terpenes, per state law. “If terpenes are added to a product, they are required to be on the ingredient panel, regardless of the origin,” Jarrell says. She adds that cultivators and processors can choose to include terpene analysis results on their product labels.
One thing Kessler says could be improved in Ohio is the number of dispensaries. “Some cities are well served, but there are some cities in the state, Mansfield [between Columbus and Cleveland] for example, that require an hour and 20-minute drive to reach a dispensary,” he says.
Several cities and towns in Ohio, such as Mansfield, have banned cannabis businesses. Others have set up moratoriums.
Ohio’s Board of Pharmacy, Department of Commerce and State Medical Board have instituted changes to address public health crises, Jarrell says. In addition to issuing rules in response to COVID-19, Ohio banned Vitamin E Acetate early on.
In explaining the need for stringent regulations, Kessler references the pharmaceutical industry’s tight controls.
“I always worry,” Kessler says, “because if a consumer’s using [cannabis] and says, ‘I need this to help me address this problem,’ but the product varies every time you deal with it, their success rate and happiness about, ‘This is helping me,’ could be affected if there’s tremendous variance. So, we’re not there yet. We’re not at a ‘Tylenol level’ of cannabis.”
Merging the states’ regulatory patchwork
Ahead of federal cannabis legalization, Walker of Oregon’s East Fork Cultivars says he would like industry groups to push for, and states to adopt, model legislation so there is more consistency between them. He says: “It’ll set us up for less pain down the road, collectively, as an industry, to try to compete on a national and global stage because right now, you flip that switch, it would be chaos.
“A lot of businesses would just go out of business because … a set of rules in Ohio or Illinois would not be able to compete at all in a national market. That’s kind of like my last sentiment there on regulation is we’ve got to step our game up here pretty soon, as an overall industry, and stop getting too deep into the weeds.”
Patrick Williams is senior editor of Cannabis Business Times, Cannabis Dispensary and Hemp Grower.
This article originally appeared in the September 2020 issue of sister publication, Cannabis Business Times. Read the related “How we got here” articles regarding the cannabis industry during the last decade here http://bit.ly/decade_cannabis_1 and here http://bit.ly/decade_cannabis_2.
Toss the timecard
A Tennessee wholesale nursery modernized its payroll system with contactless face recognition.
The 25-employee nursery was looking for a better way to handle payroll.
Photos courtesy of Blankenship Farms and Nursery
For years, Beth Blankenship would spend nearly three hours doing payroll every Friday. She’d been manually tabulating hours from paper time sheets and entering them into her Quickbooks payroll software. She’d been looking for a better way that could save the company time and money. When the COVID-19 pandemic hit in mid-March, it gave them the push they needed.
Beth owns Blankenship Farms and Nursery with her husband Jerry. The McMinnville, Tennessee, wholesale grower specializes in trees and shrubs, especially native container trees and shrubs for mitigation, conservation and lining stock.
A two-week COVID-mandated shutdown in March would have been very costly for Blankenship. That’s when their business takes the bareroot trees and shrubs out of the barns and plants them. If the planting doesn’t get done then, the whole business model can go off the rails.
Still, there are plenty of reasons to switch to a touch-free system besides COVID concerns. Between the cost and hassle of ordering and receiving new cards each week and the desire to free up Beth’s time for other tasks, the nursery had been looking for other options to handle this part of the business since last fall. Beth says they looked at systems that used a fingerprint sensor, but because of the dust and dirt in the nursery environment, they decided that wouldn’t work. However, the FaceIn biometric time clock system from Lathem seemed like a good fit, especially since it was easy to set up.
“Just take it out of the box and plug it in,” she says.
Blankenship Farms and Nursery grows containerized, B&B and bareroot trees and shrubs.
At Blankenship Farms, the face scanner is set up on the wall next to the door heading out to the fields, in a very high-traffic area near both the kitchen and the bathroom. Still, Beth says there haven’t been any issues with accidental clock-ins or clock-outs.
It takes about two minutes to get each of Blankenship’s 25 employees registered into the system. That process involves the employee standing in front of the screen and moving their face around while the machine scans it from different angles. Once an employee is in the system, it takes about two seconds for them to clock in or out.
Lathem’s PayClock employee time and attendance software, which works with the FaceIn time clock, integrates easily with the Quickbooks Online payroll system. That meant Beth didn’t have to transfer her employee list from Quickbooks to PayClock; everyone was already entered in the new system. As a result, the PayClock solution significantly reduces Blankenship’s payroll processing time — by as much as 83% — freeing Beth up to check on farm crops or take care of personal matters. She is also able to check on employee attendance from an app on her mobile phone while she’s out running errands, instead of having to be physically present at the clock.
Beth likes how FaceIn creates a healthy workplace at Blankenship Farms by providing touch-free, contactless employee time and attendance tracking.
The nursery implemented a touch-free system that tracks time and attendance.
Employees at Blankenship Farms don't need to touch the clock when recording their hours, so there is no potential for spreading germs or viruses. And because the time clock system records punches in seconds, employees don't have to wait in line close to each other to clock in and out. That's much appreciated when employees are practicing social distancing at work.
“They're not touching anything to clock in and I'm not touching the timecard at the end of the week that they’ve touched all week,” she says. “So, it's really good for everybody.”
She’s been pleased with the other efficiencies of the system as well.
“There are no cards so cost-wise, I don't have to buy cards anymore,” she says. “And I was spending about two and a half hours on Friday to do payroll. I can get everything done in about 30 to 45 minutes now. So it's about a two hour savings for me. And that's a lot of time on a Friday.”
It also eliminates the possibility of human errors, like transposing numbers when reading them off a timecard and entering them in Quickbooks. Beth jokes that she wears bifocals now, so that type of mistake is a real possibility.
There’s another potential benefit to using the face recognition system for clocking in and out. Standard time card systems are open to the potential of “buddy punching” — a system exploit in which an employee swipes his or her friend’s card for them, allowing their friend to get paid despite not actually being at work. While Beth doesn’t think that their nursery had a buddy punching problem before, it certainly won’t now.
Customer service has been easy to use, as well, with any questions she’s had answered quickly over the phone.
“I can’t think of a drawback, because any time we’ve had an issue they’ve been able to change it,” she says. “Every nursery is different, everybody runs it differently and they are able to customize what you need, the rules to be in the system. Like, what time you take breaks. It'll allow you to do that without you having to enter that in.”
Beth was concerned about pushback from her employees. But it turned out that they were less apprehensive about privacy issues than she was.
That’s because the device uses two cameras to perform a 3D analysis of the 60 facial points that are unique to each employee. These are all mapped at the time of that first scan. The facial data is recorded and stored in the time clock and cannot be reproduced as a photographic image.
“The logarithm of the face, the ‘math’ of the face, is what causes it to be ID’d,” she says. “And when I talked to the guys about it, they were kind of excited about the technology and doing something new.”
In times of chaos, saying thank you can be easily forgotten — but right now is when employees need to hear it most.
Like you, your employees are struggling. They may be working long hours. They may worry that their health is at risk. Maybe they’re coping with a home life that’s been disrupted in some way. You may not be able to change their day-to-day reality, but you can change the way they experience their work life.
Saying thank you positively impacts everything from employee well-being to job satisfaction to motivation to productivity. It’s a powerhouse tool for building engagement. Infusing gratitude into the workplace may even be a pathway to building a more empathetic and emotionally intelligent workplace.
Here are some simple and creative tips for thanking your employees.
1) Recognize and celebrate your team members’ accomplishments.
For employees working on site, you might hold a socially distanced pizza party, for instance. And don’t forget remote employees. For example, on a Friday, request that everyone finish up half an hour early and host a Zoom happy hour. While everyone is enjoying their snacks, sodas, or beverages of choice, take a few minutes to say thank you to each employee.
Get specific about how their hard work has helped the company and share a few things you have noticed that they do especially well. Then open it up for employees to thank and compliment one another. It’s a great way to create a sense of unity and camaraderie while people are physically separated.
2) Put your “thank-you” on paper.
The uniqueness of a handwritten note — especially in this age of emails, Facebook posts and tweets — will not go unnoticed. Pick up some beautiful cards and write a heartfelt letter of thanks to your employees. There doesn’t have to be an occasion. Simple words of gratitude and encouragement are always uplifting. Of course, if you want to call out someone’s exceptional performance on a recent project, it will be greatly appreciated.
As Paul Spiegelman, cofounder of the Small Giants Community, shared, “That note you can get from someone…that says, ‘thank you, you’ve changed my life’…is much more powerful, much more valuable, than any amount of money I could have in the bank.”
3) Extend the gratitude to family members as well.
The simple act of sending a special thank-you note to an employee’s spouse, parent, or child can have an exponential impact. (After months of Zoom meetings, you may already be on a first name basis with them as well.) This thank-you can help strengthen the high performer’s personal life, especially when their partner or another family member may have felt they, too, had sacrificed — from family time lost — as a result of the dedicated effort extended by this hardworking relation.
4) Name an “employee of the week.”
Each week find someone who is giving their all and name that person employee of the week. You might even drop off a fun certificate to their home along with a crisp $20 bill or a gift card. In difficult times, even a modest gesture means a lot.
5) Get original with your “thank-yous.”
For example, if you know a team member will be stopping into the office to pick up some more supplies, leave a box of their favorite cookies on their desk for them to see. Mail everyone a $15 gift certificate to a local restaurant to treat all to lunch (and help out a small business in the process). Send everyone some company merchandise like pens, T-shirts or hats.
6) Be generous with flex time.
When everyone is stressed and overworked, giving people some freedom with their work schedule helps them stay sane. If someone’s life can be made easier by working a half-day in the morning and finishing their work in the evening, be as accommodating as possible. Also try to make yourself available to them on their schedule if you can. This is a big way to let them know you care.
7) Encourage time off.
Say thank you by encouraging people to take mental health days from time to time, as well as their regular vacation days. Also, periodically, dismiss your team early or tell them to come in late the following day. During periods of remote work, employees need reminders that they can make time to recharge and take breaks.
During a time when everyone needs a boost of positivity, don’t underestimate the power of thank-you. It can do amazing things for morale and make your team unstoppable, even in a pandemic. And saying thank you feels good. It rewards the giver as much as it rewards the recipient.
Deb Boelkes is the author of “The WOW Factor Workplace: How to Create a Best Place to Work Culture” and “Heartfelt Leadership: How to Capture the Top Spot and Keep on Soaring.” www.businessworldrising.com