Addressing Mail-Borne Threats at Remote and Traditional Offices

​SHRM has partnered with Security Management Magazine to bring you relevant articles on key workplace topics and strategies. 

For all the network and physical security measures in place, there's a glaring vulnerability for corporate attacks that is largely unguarded. The enemy can come in through the front door—inside deliveries and mail.

In the last three years, the U.S. Postal Inspection Service (USPIS) and the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) responded to an average of more than 10 dangerous mail or package incidents per day. Yet, most companies prioritize cybersecurity over threats posed by such attacks.

New solutions are emerging and there is growing awareness of the problem, driven by recent high-profile mail threats against U.S. National Institute of Allergy and Infectious Diseases Director Dr. Anthony Fauci and the AstraZeneca COVID-19 vaccine plant. However, the challenge is growing too.  The shift in work routines—between work from home (WFH), hybrid, and return-to-office—presents more openings for attackers to exploit.

Companies should take precautions to keep employees and top executives safe from malicious mail and package threats, wherever they are working.

The Growing Threat from Mail and Packages

The "Amerithrax" threat in 2001, which led to the death of five people and sickened 17 others via Anthrax-laced packages in the United States, raised awareness about the need to lock down mail and package security. Organizations responded by implementing new systems for screening mail.

Fast-forward more than 20 years, and the COVID-19 pandemic has once again changed the work landscape, increasing potential attack vectors for mail threats. Corporations are now rerouting mail to people's homes. This jeopardizes the safety of employees and their families while increasing corporate liability.

Other factors complicate safety. The home delivery boom has led to vehicle fleets of various sizes and shapes, from on-demand services and outsourced mail carriers, zipping through neighborhoods. A decade ago, someone in an unmarked vehicle bringing a package to your door would be suspicious, but today it is routine.

Further exacerbating the issue is the easy access to online information about home addresses and corporate and political affiliations. In a highly polarized era fraught with tension, the mail threat risk is higher than ever. Companies must find ways to protect employees at both end points—the office and the home.

Traditional Mail Security Approaches Can't Scale

Data from public domain sources shows that 95 percent of the more than 200 dangerous mail attacks in 2020 involved letters or parcels small enough to fit in a curbside drop box. Of these threats, white powders were the most prevalent, found in 38 percent of dangerous mail items, according to Raysecur's 2020 Dangerous Mail Report.

While it might seem businesses and residential areas would be infrequently targeted, they account for the second highest (39 percent) behind only U.S. state, federal, and government facilities (42 percent). These numbers point to a need for better threat detection of very small substances and the ability to protect diverse locations.

Traditional X-ray scanners, which are most often seen in airport security checkpoints, use high frequencies and high energy to see through large items. This technology is excellent for scanning mass quantities of items and is better positioned to locate larger threats like weapons or explosive devices. But the technology struggles to identify low-density threats such as liquids and powders, which are the primary source of dangerous mail threats. X-rays are also not as accessible since they require certification and training for operation due to radiation emission.

For example, Meta (the owner of Facebook) is headquartered in California, with 85 offices around the world. It would be incredibly challenging to implement X-ray machines in each of its office locations due to their size, need for trained operators and requirements for radiation safety compliance.

Newer technologies using lower frequencies—such as mmWave—can peer inside of objects as well but without any hazardous radiation or excess training. This technology is currently used in most airport body scanners but is also suited for scanning smaller mail and packages. This is because mmWave is able to detect smaller traces of powder and liquids inside small mail and packages by offering real-time imaging (i.e., can see liquid moving along the conveyor belt). These scanners are typically smaller, making them easier to deploy across a corporate office.

Best Practices for Protecting People Where They Work

In addition to technology, there are ways that companies can bolster mail security with the right procedures.

Assess your risk level. The first step is to determine how vulnerable your organization is to mail threats, which have a lower probability of attack but a very high impact when it occurs. The U.S. Department of Homeland Security (DHS) and Interagency Security Committee identify some of the most significant risk factors for mail-borne threats. These include public posture (i.e., banking, legal and transportation are some industries more likely to receive threats); level of controversy and notoriety; and size and location (i.e., large, multi-tenant facilities and urban centers with larger employee counts). If an organization fits these criteria, it should prioritize a mail security program.

Prepare a plan for preventing and responding to potential threats that factor in the identified risk areas. HR should be involved in this process. Think of it like a fire drill, where you can prepare a plan of prevention, detection and safety in the event a threat is live. Every company should identify the individuals in charge of scanning for threats every day, develop standard operating procedures, administer training and establish an emergency response plan.

Factor emerging consequences relating to risk. DHS defines risk by weighing threat level, vulnerability and consequence. Hybrid and remote work alter the way companies should perceive mail threats within this definition. For example, the workplace may be less vulnerable than a residence—given additional security systems in place—even though the threat of dangerous mail remains the same.

On the other hand, should an event occur, the consequences to the workplace itself may be greater in terms of potential millions of dollars in losses due to business interruption. One of the growing consequences is the psychological damage of exposing a worker's family to a threat intended for that person. This should factor into organizational decision making about protecting mail threats at home for high-risk executives.

Companies are becoming increasingly diligent with their cybersecurity posture because of the global ransomware epidemic. It's important not to overlook tangible threats, however, especially ones that can reach employees and their families.

Having a detection and response system customized to your business is crucial to mastering workplace safety practices that now extend to the home. Technologies exist to mitigate these threats, so protecting workforces and facilities from these threats should be standard, not an option.

Will Plummer is the chief security officer (CSO) of RaySecur, a security imaging company in Westwood, Mass. In addition to his responsibilities as CSO, Plummer heads the company's 24/7 remote Explosive Ordnance Disposal (EOD) support team, EODSecur, to bring the technical knowledge of military-trained technicians into mailrooms to aid detection and interdiction of suspicious objects. Plummer is a 25-year veteran of the U.S. Army, where he earned a Bronze Star with Valor as a Master EOD Technician and commanded Special Operations units with multiple combat deployments.

This article is adapted from Security Management Magazine with permission from ASIS © 2022. All rights reserved.