Mail security is a critical vulnerability, and often an unaddressed security gap, for major companies, prominent individuals, governments and others. A third of major corporations report receiving mailborne threats annually, and many receive more than one each. Revenge from employees, former employees and other stakeholders is the most common motive, according to a recent U.S. Postal Inspection Service report. With three simultaneous crises – public health, economic and social justice – security teams are facing even greater challenges.
Like a pandemic, mailborne threats often fall into the low-probability/high-impact category. Six months ago, few businesspeople were concerned with a potential pandemic, but the impact of the COVID-19 crisis has been huge. In terms of mail security, failure to prepare properly has resulted in costly and public evacuations of facilities, injuries and even deaths.
The risks are not the same for everyone, though. The U.S. Department of Homeland Security and the Interagency Security Committee identify some of the risk factors for mailborne threats as:
- Public posture: About a dozen industries, including banking, legal and transportation, are more likely to receive threats.
- Symbolism: Is the organization well known and controversial? Twitter, Fox News or the Washington Post, for example, may be more likely targets than a lower-profile organization.
- Location: Organizations in large, multitenant facilities and urban centers are at higher risk.
- Organization size: Organizations with large employee counts are more likely to be targets.
- Volume of mail stream
There are other intangible factors. It is also important to note that an organization’s risk can change in response to current events. A recent round of layoffs, business disruptions, legal proceedings, or even a high-profile or controversial interview from an executive can quickly increase an organization’s risk level.
Given the rising number of mailborne threats, every organization should have a mailroom security program in place. A comprehensive mail security program rests on these five pillars:
Having the right people begins at the top. A company’s executives must be committed to providing the resources for an effective mail security program.
The mailroom team at an organization will typically be onsite staff, which provides the organization with the most control and ensures the mail will get to the recipients as quickly as possible. In-house teams are less expensive in the long run and are more likely to detect all threats – they know what their normal mail looks like and any risk factors unique to their organization. An added benefit of keeping mail screening in house is the ability to maintain full control over the privacy of incoming mail.
Some organizations use third-party, offsite screeners. These companies may have expensive technology, like biothreat detectors and chemical detectors, calibrated to detect specific types of threats. X-ray mail scanners are also useful for screening large boxes, but they cannot detect threats like powders and liquids (which make up the majority of mail threats) that newer, millimeter wave technology can. And if a threat is detected, it can be quarantined far from the company’s facility. Companies are, however, limited to the geographic availability of the vendor, and mail will be delayed – sometimes by several days – in being delivered.
Most companies do the screening themselves and only use third parties when new or unknown situations arise, or they have particular gaps in their programs.
Some companies use a combination of all three approaches, depending on the location and threat level of a particular facility. More recently, hybrid approaches have also emerged by providing mail security scanners with remote connection capabilities to mail threat experts, which provides the best of both worlds by enabling teams to screen mail in house and call on remote, real-time expert support when and where it is needed.
It is also important to keep in mind that the same approach may not work for all of an organization’s sites. A typical Fortune 500 company with 100+ sites worldwide,requires a flexible and scalable approach to address the different risk levels and logistical requirements of each site. The same systems and technologies used in the corporate headquarters may not be appropriate for a factory or a remote satellite office, and vice versa.
Standard Operating Procedures
To effectively deal with mailborne threats, companies must systematize their processes with standard operating procedures (SOPs) – and then adhere to them. Some of the matters that should be included in a mail center SOP include:
- Global company mail handling policy
- Personnel standards, training and certification
- Standardized mail screening processes
- Suspicious item screening processes
- Mail screening tools and technologies
- Emergency response procedures
A number of factors, such as chain of custody, size of the mail item and its visual appearance, will help identify the suspicious items that require special screening and attention. These characteristics and handling processes should be considered when formulating SOPs specific to the needs and risk factors of the organization.
Large organizations with many facilities will likely prioritize their locations into low-, medium- and high-risk ones and develop a comprehensive set of SOPs to accommodate the particular needs of each. They may also have different procedures for mail with known and unknown chains of custody.
While putting corporate or enterprise-level SOPs in place is a good first step, keep in mind that the SOPs should be reviewed periodically and updated as needed, based on any changes to the organization’s risk level and particular needs.
Ongoing education, training and coaching is key when it comes to implementing mail screening procedures and ensuring proper use of screening technologies. Organizations need effective training tailored to the unique roles and responsibilities of people in different positions such as the mail center team, facility and security teams and general employees who handle or receive mail. Mail security is a team effort, and everyone needs to understand how all parties come together to protect the organization from mail threats. It is equally important that the team continues to be coached on using the screening technology that the organization has adopted.
In addition to in-person and interactive courses, ongoing education may include ebooks, SOPs, infographics, articles on current mailborne threats, quarterly webinars and other materials to deliver current and timely content relevant to the needs of each team member.
It is important that the organizations adopt and encourage continuing education as part of their employee programs. Training programs are offered in house or outsourced by numerous organizations such as the Mail Systems Management Association and MAILCOM, to name just a few.
Mailroom security technology typically falls into two major types: those that can detect threats and those that can identify them.
Detecting threats is sufficient for most organizations: once a potential threat is detected, the local HAZMAT squad or other security organization can be called in to identify what specifically it is and determine its threat level. In the United States, the local postal inspector is equipped with a discreet, unmarked vehicle and will come to the facility and provide the first line of defense – keeping the incident out of the media and employees out of harm’s way.
In the case of threat detection, X-ray scanners can see through large boxes, but they are large and expensive and require special shielding to contain X-ray radiation, state licensing and certification. More importantly, the most common mail threats, which include small quantities of hazardous powders (so-called “white powder threats”) and liquids, are undetectable with conventional X-ray systems in the quantities sent in most mail threats.
A new type of mail scanner, millimeter wave scanners, can detect more and smaller threats than X-ray scanners and can handle the smaller envelopes and packages in which almost all threats are received. These scanners are ideally suited to detect not only all of the threats that can be detected with X-ray, but also those that can’t like powders and liquids. Additionally, millimeter wave imaging is completely safe, uses no harmful radiation and requires no special certification or licensing.
Law enforcement and related organizations, on the other hand, are most interested in threat identification – sometimes for forensic or prosecutorial needs. Technology to identify the specific nature of the threat includes mass spectrometers, chemical warfare agent detectors, negative pressurized rooms and other large, expensive laboratory-type equipment. Most organizations do not need these, though, and would rather leave these tasks to the pros.
Typically, an organization will use a two-tiered approach when handling emergency response requirements, including both an emergency response plan, which mandates how the entire threat is managed, and an emergency action plan that dictates the actions of those involved. These plans need to be prepared and rehearsed, and all individuals required for their implementation must be involved to ensure success.
Planning for threats should focus on both the most likely and the most dangerous threats, which provides two courses of action that an organization can adopt when an incident occurs. The core of emergency response planning is to reduce the threat to life, limb and property.
If at all possible, invite first responders to view and participate in organizational emergency exercise efforts; this process increases interoperability and, in the case of an actual emergency response, decreases unnecessary efforts, threats to employees and loss of time and money and speeds the return to normalcy.
These actions need to be in line with threat reduction. All emergency response efforts and equipment must be readily available and ready to return the organization to a normal state.
Although the risk factors and needs of each organization are unique, by addressing all five pillars of mailroom security a company can put itself in the best position to detect and deal with mailborne threats when they arrive – as they almost certainly will.
Alex Sappok is the CEO of RaySecur.
The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.