Most people don’t realize that the United States Postal Service also houses one of the oldest federal law enforcement agencies in the world. With almost 250 years of experience securing the U.S. mail, postal inspectors investigate every aspect of mail-related crime--including mail theft, mail fraud, and mail containing dangerous items or substances. Unfortunately, for many businesses and organizations across the nation, their own mail security is almost non-existent. This critical and often unaddressed security gap leaves both people and assets vulnerable to everything from lethal mail bombs to crippling biologics.
In a time of a pandemic, economic uncertainties and social unrest, organizational threats to the mailroom may come in many different forms. Former and current employees looking to settle a score against the company or specific staff, a disgruntled vendor or other stakeholders are all suspects that may have motives to disrupt business or tarnish a brand.
According to security and risk guidelines established by the USPS, mailrooms may have a low, medium, or high-risk level depending on their locations and their customers. it is also important to be aware of your customers and the types of business they conduct. International businesses or controversial professions or services can significantly heighten risks. If your organization employs security professionals, they can identify your mailroom risks and recommend how to address them. If not, you can immediately set in place some security measures; other measures will require some planning, action, and financing.
SecurityInfoWatch.com (SIW) Editorial Director Steve Lasky recently spoke with Will Plummer, the Chief Security Officer of RaySecur, a security imaging company that features the world’s first millimeter wave scanners, remote analysis, and threat detection solutions, about some of the current challenges of mailroom security and how to mitigate risk. Plummer is a 25-year veteran of the U.S. Army, where he earned a Bronze Star with Valor as a Master Explosive Ordnance Disposal Technician, and commanded multiple Special Operations units with multiple combat deployments.
SIW: What are the dynamics that are currently happening in the country in general that is making any type of security mitigation a little more top of mind for organizations?
Plummer: You must start with COVID. For infrastructure security and for the security enterprise at large, the entire C-suite and everything you must protect is inside the walls of your facility, so it's a fairly defined problem. You know who comes in, you know who goes out. We work with quite a few companies and it's interesting that once COVID hit, everybody ran to the four winds. If you are handling executive protection (EP), it has just gotten complicated. Your CEO maybe has two or three homes that they're bouncing between, but so does most of the C-suite, and all the regular work still has to be done like getting legal documents signed. So now, instead of going through a personal assistant or through the EP team, for example, items are just getting delivered straight to the house. Your security folks are worried about everything, from phishing emails to all the normal physical threats, and you're no longer behind your firewall or behind your server. Now you're sitting, oftentimes in a Starbucks or where they decide to work in a public space and …the infrastructure itself has become quite decentralized.
SIW:The remote worker migration over the last 20 months has opened up a new paradigm that has impacted businesses that were neither prepared for it, nor knew how to deal with it once it hit. How did this new normal increase the specter of cybersecurity but also highlight the vulnerabilities organizations have in physical security?
Plummer: Physical security is tied to cybersecurity in myriad ways. Everything from physically taking care of your servers, making sure that you physically know where they are and what's physically going on with them, to the packages and logistics stuff of physical mail that goes out and comes in. That has all changed.
SIW: With the changing risk dynamics and security landscapes that are highlighted by smaller staffs and reduced facility footprints, how have these factors challenged mail security protocols and increased vulnerabilities?
Plummer: It's actually becoming more of a vulnerability the longer we do this. You can shop for anything in the world now and it'll be delivered to your front door. I can buy a car without having to go to a car dealer. But that means that there's a lot of things that are starting to happen, we as a security team, can’t control. You're getting last minute deliveries with no precautions. A FedEx or UPS person that you know and can be relatively sure that since you’ve got the same person on your route your risks are lower. However, now as things get delivered, it is oftentimes a third-party person in their privately-owned and unmarked vehicle that is walking up to the front door and dropping off a package. You’re not likely to be snapping a picture to verify a chain of custody for things like that.
Reduction of security manpower, especially around the home office or around satellite facilities have an impact. These were historically identified as low or medium threat. In a reduced office setting, security is one of the first things that you strip away. Now there are six or seven people working in that co-use building and they all have the ability to get their hands on mail and potentially critical information. It's an easy way for someone to fall into corporate espionage and get information about your organization into the wrong hands.
SIW: When you're designing a company-wide mail security program, what are some of the basics that need to be considered, not only for mail being delivered to the home of executives, but also to short-staff offices?
Plummer: The most secure approach would be for all mail and packages to go through the corporate office, then have interoffice mail or have couriers drop the mail off at the house with the known chain of custody from the company. There are tools out there to do all sorts of stuff, but to be honest, it is best if your staff understands where most threats are found, and then have individuals that care enough to pay attention to the visual and tactile inspection procedures. All the stuff that comes through the mailroom on a daily basis that you know is just chaff, separate it out and don't waste your time evaluating each piece. But if it's going to the C-suite, if it's going to anybody that's high profile, take an extra good look. Inspect the list of people that have sent mail to your executives in the past and actually run it against your new list of receivables.
It's interesting, that with my background of 20-plus years on the bomb squad, after almost every event you talk to somebody and they are like, "Yeah, I didn't feel right. Something was weird about what I just saw or what just happened to me." But very rarely do people listen. If you empower the people in your mailroom, and that's not necessarily the security professional, but somebody who's interacting with the threat on a regular basis, to step up and raise their hand and go, "Hey, boss, this might be a little off," you’re going to have a higher probability of catching something before it gets farther into your organization.
SIW: As you set up your security plan, how do you begin to integrate technology into it?
Plummer: You begin by looking at the logistics solution. If you have a large facility that has a large number of bulk items coming through it, like a major computer corporation that just happens to work with a lot of computers, a good x-ray set is going to be worthwhile and very helpful for you. You're going to measure things that go in and go out, they're known quantities, you're going to figure that out.
If you've got some of the newer technology stuff that's hitting the market, there are more passive systems out there which will give you a more refined solution related to what shows up or what doesn't while scanning packages. There are some interesting handheld technologies out there that if you're looking to mitigate a particular problem, they are more event specific.
We've got clients that worry about biological threats Their primary concern is a biological contaminate getting into the facility because we know that some people return items covered in some of the most disgusting things. That requires a targeted piece of equipment since you know what you're looking for and it goes after your particular problem.
SIW: We discussed the convergence of cyber and physical security as it relates to mail security. Do you have an example?
Plummer: Over the last 18 to 24 months, we have taken the temperature of our C-suite clients and had conversations about converged threats like “warshipping” and its potential impact to an organization. Simply put, warshipping is a type of cyber attack in which criminals use physical package shipping services to send malicious hardware to a victim or hide malicious hardware on the business premises. This hardware can be remotely controlled by the attackers and used as a staging post for further attacks. This takes a physical security strategy to stop bad actors from planting mail in a facility that's going to listen in on your devices, pick up packets of data, and potentially give away corporate secrets and proprietary information.
SIW: How does this attack happen?
Plummer: Most companies have a fairly robust Technical Surveillance Countermeasures (TSCM) program. TSCM generally is effective on fixed facilities or removing someone (carrying a bugging device) in and about a facility, and the standards and procedures are well documented.
But I've inspected multiple companies where packages have been mailed back to the company that sells hardware and it's got no name; nothing on it, no department, it just says 'Company A.' You ask the mailroom supervisor or inventory folks about the suspect packages and how long they’ve been sitting there. Their answer? After looking at the mailing information, oh, about eight months. What! So, you have a piece of equipment that's electrical that can carry a battery and potentially transmit information on the collected information, and it's just sitting here for eight months. This is a legitimate (mail) threat that should have security people worried. This is why TSCM programs exist in the robustness that they do.
About the Author:
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected].