Implementing an Effective Mail Screening Process
Many organizations devote much time and effort in developing a comprehensive physical security plan. However, when companies assess their overall security, the mail center is often overlooked.
2020 has been an especially difficult year with a global pandemic, domestic political discord, and civil unrest. The current political climate combined with the impact of the pandemic could motivate international and domestic operators to initiate an attack via the mail center. Additionally, with many employees working from home, the need to effectively screen incoming mail and packages takes on greater importance in keeping employees and their families safe.
Suspicious mail continues to make headlines in this country and beyond. In September, a Canadian citizen was arrested for mailing a ricin laced package to the White House along with five additional letters mailed to law enforcement and detention facilities in Texas. Earlier this year in Europe, multiple letter bombs were sent to financial institutions, hotels, and various other businesses in Amsterdam. In October 2018, a disgruntled U.S. Navy veteran was arrested for sending letters to President Trump along with several administration officials. Also, in October 2018, a Florida man mailed 16 pipe bombs to several prominent Democrat politicians and Democrat supporters, as well as a prominent news outlet.
As indicated above, mail threats can occur at any time, for any type of organization. They may come from disgruntled employees, terrorist actions, homegrown extremists, or individuals with a grievance against a particular company. Therefore, Mail screening is and/or should be an essential part of an overall security plan that includes physical security and cyber security strategies.
Recent victims of mail related incidents have been:
- Financial institutions
- Government agencies and military installations
- Hotels
- Universities
- Media companies
- Social media companies
- Elected officials and high-profile supporters
- Religious institutions
Mail screening strategy begins with a comprehensive threat and vulnerability assessment and should be a part of any physical security plan. An effective risk management plan is a systematic approach to assess and respond to risk. It means, identifying, assessing, understanding, acting on and communicating risk issues within the organization. In general, address the following questions:
1. Is the company in a high-profile industry?
2. Has the company received any threats?
3. Is your company located in a high-risk facility or area?
4. Are the company’s products or services controversial?
5. Have there been recent layoffs?
6. Does executive leadership maintain a high public or political profile?
If the answer to any of the above questions is “yes”, your organization needs to consider a more robust posture regarding mailroom security. Mail screening can range from basic visual inspection, incorporating x-ray screening, to more advanced on or off-site screening for Chemical, Biological, Radiological, Nuclear and explosives (CBRNE).
Three Critical Reasons to Consider Mail Screening:
1. Employee Safety:
First and foremost, your frontline mailroom employees and any employee who receives mail or deliveries could be at risk. Ensuring their safety and workplace security is always priority.
2. Facilities and Assets:
Business disruption is expensive; even a hoax letter can cripple operations for hours. A hazardous threat could shut down your office for days or longer, at great cost to your business. Damaged facilities or assets can be very costly, and repair can take valuable time. Protecting your business continuity is important.
3. Organizational Reputation
The goal of a mail terrorist is to disrupt and generate publicity. In a matter of minutes, a mail threat could force your employees to be evacuated, staff scrubbed down by a hazmat crew, and their images broadcast on national television. Prevention is key to avoiding a public relations catastrophe.
While many organizations utilize x-ray technology to screen mail and parcels for explosives, this approach proves to be risky for two reasons: on premise x-ray screening affords facility penetration, and it fails to address the ominous threat of chemical and biological agents. When contaminants are not discovered before delivery, adverse media reports can cause panic about safety and can also negatively impact corporate reputation. Prescreening mail for these contaminants, including hoax substances, provides companies with the opportunity to determine if or when you will inform the public that an attempt was made to infect your personnel.
Mail threats are a low-cost, accessible form of terrorism. For the price of a stamp, your organization is at risk for disruption or real harm.
Basic steps for mailroom safety include:
1. Provide mailroom security training - All employees must be trained in safe mail handling procedures and should understand the importance of following protocols
2. Put a plan in writing – develop written policy and contingency planning should an incident occur
3. Install correct sensor equipment
4. Run practice drills
With advanced technologies, mail can be screened for “CBRNE” agents – Chemical, Biological, Radiological, Nuclear and Explosive materials.
The following threats are targeted during a full CBRNE mail screening process:
Chemical: Chemical warfare agents, such as blister, blood, and nerve agents, and toxic industrial chemicals, such as chlorine and phosphorus
Biological: Bio-targets consisting of plague, tularemia, botulinum toxin, anthrax, ricin, and smallpox; target list follows the Centers for Disease Control (CDC) Bioterrorism Agent guidelines and falls within the CDC’s Category A or Category B groupings
Radiological: Radiation sources that are potentially hazardous, such as gamma and neutron radiation
Nuclear: Radiation sources associated with special nuclear material
Explosive: Conventional explosives and improvised explosive devices
On-Site or Off-Site Screening:
Once an organization has decided to implement advanced mail screening, they will need to decide if they want to perform the screening on-site, or at an off-site location. On-site and off-site screening both come with their pros and cons. It is ultimately the organization’s decision to select the method that best suits their needs.
On-site Screening allows for instant access to cleared mail. This reduces any delays that might be experienced when introducing screening into the normal mailroom flow. While the elimination of any delay is ideal, for many organizations the risk of performing on-site screening outweigh the benefits. When performing screening on-site, a detected threat could still shut down your organization for hours, possibly days. If operations are shut down due to a legitimate threat entering the screening facility, all the time saved by performing the screening process on-site will quickly vanish.
Off-site screening keeps the threats from ever entering your facility. All mail is screened prior to delivery, ensuring only clean mail arrives at your facility. Unfortunately, off-site services will most likely cause a delay in mail delivery that could be anywhere from a few hours to the next business day. If the off-site screening facility is dedicated to only screening your mail, delays will be minimal. Off-site facilities that service multiple customers generally have a longer delay in getting clean mail back to each client. The benefit to an off-site facility that services multiple customers comes down to cost. As previously stated, having the mail screened off-site eliminates operational shutdowns but using a multi-customer facility eliminates the need to invest in expensive screening equipment on your own.
Mail threats can occur at any time to any type of organization. The mailroom or package delivery is the ‘forgotten back door’ that can allow easy entry to harm business sites. While many still believe that the chances of a suspicious item being mailed to them are remote, it only takes one incident to cause a facility wide evacuation or an even worse case scenario involving individuals. If anything, recent events have demonstrated that while many threats are costly and harrowing hoaxes, it only takes one to impact business operations.