Mailroom Security Meets CyberSecurity

Published

Mail security is often the ‘forgotten back door’ of any complete security program involving both physical and information security.  

When mail is being screened, we often think of white powder threats, mail bombs or just plain threatening letters.  But now there is a new danger to be aware of for mail and package deliveries. 

"The U.S. Postal Service processes and delivers 484.8 million mailpieces of first-class mail a day—roughly one-and-a-half mailpieces for every person in the U.S.—in a single day," 

"What most people don’t realize is that some packages they receive may be looking to steal personal or confidential information. And the proliferation of e-commerce-related package deliveries is exactly what cybercriminals can exploit with a tactic IBM X-Force Red is calling 'warshipping'.”   -
FORBES

What is 'Warshipping?

Warshipping is where CyberSecurity and Mailroom Security intersect.

It is an extremely effective “low-tech” method to achieve a “high-tech” break into your corporate information security.

"Similar to wardriving, when you cruise a neighborhood scouting for Wi-Fi networks, warshipping allows a hacker to remotely infiltrate corporate networks by simply hiding inside a package a remote-controlled scanning device designed to penetrate the wireless network–of a company or the CEO's home–and report back to the sender."  - FORBES

Key Strategy Points for Implementing the Right Mail Screening Program for your Organization

Published

By Adam Oliver, Associate Director, Security Strategies and Services

Since its inception in 2002, SoBran SafeMail® has been the industry leader of mail screening and security. We continuously monitor our process, review new techniques and equipment, and implement change to benefit our customers. It is our pleasure to share our experience with companies looking to upgrade their mailroom security.

The need for mailroom screening programs is a vital part of any organization's security program, as evidenced in the recent spate of Netherlands letter bombs. It's important to take note that these incidents span a variety of type of targets. There have been financial services firms, hotels, sorting offices, a filling station, a care dealership and an estate agency. It would seem no one is immune from these sort of attacks.

The the availability of dedicated screening equipment for mailrooms is on the rise. We are seeing new equipment each day with advanced imaging technology, promises of 100% success rates, and low-cost alternatives to traditional screening technology. Before taking the step to purchase screening equipment, it is important to have a plan. We would like to offer a few steps to consider incorporating into your plan when deciding to implement mail screening:

Step One: Off-site or On-site?

Once you have decided to implement mail screening, you will need to decide if you want to perform the screening on-site, or at an off-site location. On-site and off-site screening both come with their pros and cons. It is ultimately the organization’s decision to select the method that best suits their needs.

On-site Screening allows for instant access to cleared mail. This reduces any delays that might be experienced when introducing screening into the normal mailroom flow. While the elimination of any delays is ideal, for many organizations the risk of performing on-site screening outweigh the benefits. When performing screening on-site, a detected threat could still shut down your organization for hours, possibly days. if operations are shut down due to a legitimate threat entering the screening facility, all the time saved by performing the screening process on-site will quickly vanish.

Off-site Screening keeps the threats from ever entering your facility. All mail is screened prior to delivery, ensuring only clean mail arrives at your facility. Unfortunately, off-site services will most likely cause a delay in mail delivery that could be anywhere from a few hours to the next business day. If the off-site screening facility is dedicated to only screening your mail, delays will be minimal. Off-site facilities that service multiple customers generally have a longer delay in getting clean mail back to each client. The benefit to an off-site facility that services multiple customers comes down to cost. We have already established having the mail screened off-site eliminates operational shutdowns but using a multi-customer facility eliminates the need to invest in expensive screening equipment on your own.

Step Two: Equipment

Your organization has decided to move forward with screening mail. Electing to have mail screened at an independent, multi-customer facility removes the burden of selecting the appropriate equipment. Organizations that prefer a dedicated operation are faced with the challenge of finding the right equipment to fulfill their needs.

Today, mail screening equipment is more widely available than it was just a few years ago. Advances in imaging technology have provided several affordable options for organizations simply looking to screen mail for explosive devices. Unfortunately, when it comes to screening mail, not all the equipment on the market today has been sufficiently tested for its capabilities. The responsibility falls on you, the client, to ask the right questions of equipment vendors to ensure their product meets your needs.

Equipment selection is key to a successful screening operation. Do not be fooled by vendors claiming their product can detect threats, when all their product is able to detect is if a powder or liquid is present. When a vendor advertises that their product can detect chemical threats, ask the following questions:

  • What chemicals/biologicals is the equipment capable of detecting?
  • How much of the chemical or biological must be present to be detected by the unit?
  • Is the unit capable of differentiating one powder from another?
  • Does the unit detect a threat is present?or is it the operator’s responsibility to assume a threat based on seeing a liquid or powder in the image?

Threat detection means you can identify whether a threat is present without further tests being performed. Threat identification is the ability to tell you exactly what threat you are facing. SafeMail® prefers identification over detection. Identifying the threat enables staff to react quicker, and more appropriately. Additionally, positively identifying the threat allow for personnel to effectively communicate with emergency personnel, ensuring an adequate response.

It is common practice for vendors of imaging equipment to advertise their product as capable of detecting chemical and biological threats, but the definition of threat detection is widely debated. SafeMail® believes that detection is achieved when our equipment positively identifies an item containing threat. Others believe being able to visualize the presence of a liquid or powder is enough to classify their unit as a threat detector. The problem with this method is that you run the risk of stopping your operations unnecessarily because you’ve ceased operations only to discover the package contained a non-hazardous substance.

Being able to identify if a threat is actually present is increasingly important in today’s work climate. With many employees having personal mail delivered to their workplace, there is an increase of uncommon items entering into professional mailrooms. This includes makeup, toiletries, food products and more. Making sure you have selected the right equipment will prevent unnecessary shutdowns caused by non-hazardous materials.

Step Three: Notifying Personnel

When implementing mail screening, it is important to keep your staff informed of the new processes in place. Including the additional steps of mail screening into your normal mailroom operations will cause a delay in delivery. Often this delay is minimal, but people will still notice the change. Additionally, if you are going to use any marking to indicate items have been screened, this will draw attention and concern from employees. The best way to ensure your staff accepts, benefits, and understand mail screening is to keep them informed.

These are just a few simple steps to keep in mind when your organization is considering mail screening. Incorporating mail screening is an easy process when done correctly, and SafeMail®has been helping businesses with the process for almost 20 years.


Threats to the Mail System in Times of Conflict

Published

The recent news of the assassination of General Soleimani of Iran has created much tension and speculation in various security circles.

In light of the conflict with Iran, we here at SoBran have been preparing for how we could be impacted in the US in terms of mail safety. We do not want to contribute to fear mongering; however, we do believe it's prudent to anticipate some form of retaliation from Iran and to prepare for possible mail threats.

While it's unlikely the Iranian army would launch a full-scale assault against the U.S., it is NOT unreasonable to think that militia groups and terrorists organizations that have operated as their proxy in the past, would do so again. These attacks could be of the cyber variety, or physical attacks against U.S. infrastructure, and could target top political and military officials. The mail system is an ideal pathway for these groups to achieve their mission.

How might the mail system be impacted?

  • Mailed bio-hazard materials and/or explosive devices, thereby creating illness, injury or death
  • Cyber-attack into mail tracking systems, thereby creating disruption in service and delays to delivery, as well as compromised identities
  • Physical attack against distribution centers and transportation resources, thereby resulting in damage to facilities, capital and loss of life

Preparedness is critical to security, and we encourage you to take a quick refresher on best practices for mail safety. You can visit the SafeMail Resource Center for all the latest information to help keep your knowledge current. Additionally, you will have access to several articles, posters and tip sheets to assist in keeping your organization secure.

Our mail screening teams remain diligent at all times, and are particularly aware of the need to remain especially so, now. We will continue to monitor the situation and keep our clients as informed as possible should there be new or unusual threat alerts. Should you ever have questions about how best protect your organization, we are just a phone call away.

This month, in lieu of our usual articles on current events impacting mail security, we thought it would be relevant to revisit some of the most prominent stories from over the years which illustrate different forms of mail threats.

While this is a difficult start to the new year, we would like to take a moment to wish all our clients, partners and their families the very best for the coming year. We hope it will be one filled with wonderful experiences, much success and most especially, peace.

No News is Good News?

Published

2019 has seen fewer reported incidents of mail threats in the news, compared to 2018.  With concerted efforts across government agencies and industry to employ more offsite screening tactics, we are seeing various threats and hoaxes are being found early and are mitigated before they become a full-scale incident and hit the national news.

It is important for us to remember that we should not become complacent just because we are not seeing disastrous situations being reported, but rather, we should continue to remain vigilant and keep the positive trend going!

As we wrap up the year, I thought it would be helpful to provide a roundup of our top five articles which offer the best tips and advice for remaining diligent in your mail screening practice, particularly with the holiday season upon us and a higher volume of mail and packages to be processed.


The #1 Best Practice for Mail Security and Screening


Top 5 Myths in Mailroom Screening and Security


6 Things We Learned from the Recent Ricin and Mail Bomb Attacks


Top 5 Questions to Ask When Looking for an Offsite Mail Screening Facility


Mailroom Threat Quick Reference Guide


As always, SoBran is interested in hearing about your personal experiences and your thoughts on the current state of mail screening best practices. Please feel free to reach out to us anytime at smartin@sobran-inc.com to share your opinion or make suggestions for future topics!

Mailroom Threat Quick Reference Guide

Published

U.S. Postal Service is expecting to deliver 800 million packages this holiday season. UPS says they are expecting to deliver around 32 million packages and documents a day.

Be prepared for the holiday rush - specifically all the packages delivered to your building for employees.

Increased volume requires more resources to screen for chemical, biological, radiological, nuclear or explosive (CBRNE) threats. Mail threats are a low-cost, accessible form of terrorism. Ensure your organization is ready for this influx in order to safeguard your assets, your employees and your organization's reputation.

Here is information on who to immediately contact when a possible threat is identified.

Quick Reference for Mail Threats:

For Radiological Threats
Limit exposure - don’t handle
Distance (evacuate area)
Shield yourself from object
Call Police
Call local Fire Department-HAZMAT Unit
Contact Postal Inspectors at 1-877-876-2455 and state “Emergency”

For Biological or Chemical Threats
Isolate - don’t handle
Wash your hands with soap and warm water
Call Police
Call local Fire Department-HAZMAT Unit
Contact Postal Inspectors at 1-877-876-2455 and state “Emergency”

For a Mail or Parcel Bomb
Evacuate immediately
Call Police
Call local Fire Department- HAZMAT Unit
Contact Postal Inspectors at 1-877-876-2455 and state “Emergency”

Basic steps for Mailroom Safety include:

(1.) Provide mailroom security training
(2.) Put a plan in writing
(3.) Install correct sensor equipment
(4.) Train employees
(5.) Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility.

If you need help determining your best course of action, let us know. We’re here to help.

As always, I appreciate your comments. smartin@sobran-inc.com

Top Indicators of Dangerous Mail

Published

If a dangerous package landed on your desk, how would you know?

If you don’t know the indicators for potentially threatening mail, you may be putting yourself and your organization at risk.  

“There are no guarantees that even the best mail screening technologies and procedures will identify all potential threats before a letter or package arrives at the desk of the intended recipient.  Therefore, all employees, not just mail center personnel, should be trained to recognize suspicious mail and packages….”   -- U.S. Department of Homeland Security 

Visual inspection can be your first line of defense. Do you know what to look for? 
 
First and foremost, follow your instincts. If you are concerned about a package, don’t open it.

Otherwise, below is a helpful list with some of the top signs that a piece of mail or a package is potentially threatening.

The Top 14 Indicators of Dangerous Mail Include:

(1.) Excessive postage
(2.) Postmarks that do not match return addresses
(3.) Misspelled common words
(4.) No return address or strange return address
(5.) Unusual addressing, such as not being addressed to a specific person or (6.) the use of incorrect titles or titles with no name
(7.) Restrictive markings, such as “personal,” “confidential,” or “do not x-ray”
(8.) Badly typed or written
(9.) Powdery substances felt through or appearing on the item
(10.) Oily stains or discolorations on the exterior
(11.) Strange odor
(12.) Excessive packaging material, like tape or string
(13.) Lopsided, bulky shape or unusually heavy envelopes or boxes
(14.) Ticking sounds, protruding wires, exposed aluminum foil

Remember, always contact the proper authorities if you suspect a mail security threat.

Click Here to get the free poster showing the Signs of Potentially Dangerous Mail.

Basic steps for Mailroom Safety include:

  • Put a plan in writing
  • Install the correct sensor equipment
  • Train employees
  • Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility. Click here to learn more about SoBran’s offsite screening services.

As always, I appreciate your comments. smartin@sobran-inc.com

5 Questions to Ask for Offsite Mail Screening

Published

Last month we looked at whether Offsite Mail Screening was right for your business.   If it is, do you know how to identify an outside facility provider to meet your company's unique needs?

Offsite Mail Screening is a mail screening and distribution service performed by a 3rd party in a separate location to manage organizational mail security and processing.

An offsite, confidential screening location can mitigate the possible threats of exposure to personnel and visitors - as well as facility closures. 

Screening mail offsite is a best practice utilized to keep organizations safe from Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) mail and package delivery threats such as mail bombs, ricin letters and even white powder hoaxes.

Offsite Mail Screening's Popularity

As reported in this year’s 2019 SafeMail Mail Security Survey, Offsite Mail Screening is an excellent security solution that more organizations are choosing.

If you have determined Offsite Mail Screening is right for your organization, you might be wondering how to find the right company to provide this service.    

Top 5 Questions to Ask When Looking for an Offsite Mail Screening Facility

(1.) Exactly what threats can be detected? You should expect the full spectrum of threat screening – chemical, biological, radiological, nuclear and explosives (CBRNE).

You should also have the ability to customize screening for your organization.

(2.) Is the facility set up well? Look for a dedicated cleanroom environment and details on how your mail will be isolated from other customers’ mail.

(3.) How knowledgeable is the staff? Look for dedicated program management and a well-trained, experienced team. Mail screening is both art and science, so experience counts.

(4.) When can mail delivery be expected? The facility should be able to provide door-to-door service and customize the schedule to meet your needs.

(5.) Can this screening be accomplished with discretion and compliance? Confirm your organization’s reputation will be respected and understand the procedures that will be followed when a threat is detected.

No matter what your organization currently does for mail safety, ensuring basic steps to safety can be a first step to protect your staff and your facilities.

Basic steps for Mailroom Safety include:

  • Put a plan in writing
  • Install the correct sensor equipment
  • Train employees
  • Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility. Click here to learn more about SoBran’s offsite screening services.


As always, I appreciate your comments. smartin@sobran-inc.com

Is Offsite Mail Screening Needed for Your Organization?

Published

What is Offsite Mail Screening?

Offsite Mail Screening is a mail screening and distribution service performed by a 3rd party in a separate location to manage organizational mail security and processing.

An offsite, confidential screening location can minimize the possibility of threat exposure to personnel and visitors and facility closures. Airtight shelters detect threats before they are delivered to your organization.

Screening mail offsite is a best practice utilized to keep organizations safe from Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) mail and package delivery threats such as mail bombs, ricin letters and even white powder hoaxes.

Trends in Offsite Mail Screening

As reported in this year’s 2019 SafeMail Mail Security Survey, Offsite Mail Screening is on the rise.

The latest trends we surveyed indicate the risky practice of screening mail in the same building in which most employees work has dropped from 60% in 2018 to 43% in 2019.

This is testament to the fact that Offsite Mail Screening can be your organization's best insurance for business continuity.

You might be considering this step for your business. But what is the best way to determine if Offsite Mail Screening is right for your organization?

5 Questions to ask to determine if Offsite Mail Screening is right for your organization:

(1.) Does the mailroom share a ventilation system with other departments, such as accounting, support or sales?

(2.) Is your organization’s mail screening area shared space with another organization? Is it in a building with multiple tenants?

(3.) Does your organization lack the specialty equipment needed to detect chemical, biological and radiological threats?

(4.) If your organization purchases specialty equipment, will space for the additional staff and equipment be a challenge?

(5.) Is your organization too short-staffed or over-worked to keep up on the latest threats, latest training and cutting-edge equipment?

If you answered “yes” to two or more of these questions, Offsite Mail Screening may be the best option to keep your facilities operating and your employees safe.

Basic steps for Mailroom Safety include:

  • Put a plan in writing
  • Install the correct sensor equipment
  • Train employees
  • Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility. Click here to learn more about SoBran’s offsite screening services.


As always, I appreciate your comments. smartin@sobran-inc.com

Lone Wolf Terror: The Continuing Mailroom Threat

Published

The Continuing Threat from Lone-Wolf Terrorists in America - In Homeland Security

In their article last month, In Homeland Security spotlighted the ongoing threat from Lone Wolf individuals, specifically sighting Cesar Sayoc who was, “…arrested in Plantation, Florida, for allegedly mailing more than a dozen homemade parcel bombs to liberal politicians and media affiliates, including CNN.”

Who Are Lone Wolf Terrorists?

“Domestic terrorists in the U.S. are usually loners who are often frustrated with their personal and professional lives. They are usually unmarried and often align with an extremist organization that they feel will understand and nurture their rage – a group that gives them a sense of belonging that they have never felt.” -- In Homeland Security

Despite this, the fact is that we don't really know who lone wolf terrorists are or will be.

We do know they often they suffer from mental illness. While they may identify with a larger terror group. they act on their own with no contact or direction from a group of any size. Lone wolves often act on beliefs or philosophies that guide known terrorist groups, but despite where their inspiration comes from, their plots are self-directed.

Examples of lone wolf attacks range from the classic Unabomber to the ricin-laced letters sent to President Obama. And while many of the widely reported on mailroom lone wolf attacks involve explosives, there are just as many chemical and biological threats.

Even hoax-threats by lone wolfs are costly to your organization causing stress for evacuated workers, continuity disruption and harm to organizational reputation in the news.

Why is this important?

Because social media monitoring is often seen as an infringement on individual rights, forewarning is limited, and organizations can be taken by surprise. Furthermore, the often classic solitary character of lone wolves hinders early detection.

Widespread use of social media and general online communication has facilitated either inspiring or educating a lone wolf in the best tactics to carry out harm.

Complacency could be costly for your organization. For the price of a stamp - the mailroom is an open door to possible lone wolf threats. It is important to take these threats into consideration for your organizations full security plan.

How do we protect our organization?

By nature, lone wolf terrorism is hard to predict. Therefore, organization’s must employ all the latest protections to mitigate all possible avenues for these types of possible threats to business continuity.

Preventing attacks by employing advanced detection devices is critical. X-ray screening is not sufficient to detect all threats, and is primarily used to detect explosives.

Additional training and specialized equipment is needed to detect targeted chemical, biological, radiological, and nuclear threats.

Basic steps for Mailroom Safety include:

  • Put a plan in writing
  • Install correct sensor equipment
  • Train employees
  • Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility.

As always, I appreciate your comments. smartin@sobran-inc.com

Hate Crimes – The Danger to Your Organization’s Mail

Published

"The NYPD recorded 184 hate crimes through June 2 — up from 112 in 2018 — during a period when the city experienced a continued reduction in overall crimes." -- New York Times

What is a Hate Crime?

The FBI defines a hate crime as a “crime in which the perpetrators acted based on a bias against the victim’s race, color, religion, or national origin.” They also include “crimes committed against those based on biases of actual or perceived sexual orientation, gender identity, disability, or gender.”

These types of crime can play out as “a traditional offense like murder, arson, or vandalism with an added element of bias." But the crime can also be in the form of mail - a package or a letter.

Last October, the FBI released hate crime statistics from 2017 reporting they rose more than 17% led by increases in minority and religious attacks.

"It is the biggest annual increase in reported hate crimes since 2001, when attacks on Muslims surged in response to the Sept. 11 attacks, and the third straight year that hate crimes have gone up." - LA Times

What Does This Mean for My Organization?

Targeting an individual or a well known organization, or targeting non-profit’s mission or an organization’s goals is a real and current danger.

Whether the hate crime is committed by a group or by a lone wolf, the incidents overall are rising.

What is the danger?

There is always the possibility of dangerous mailed hate crimes containing chemical threats, biological threats, radiological, nuclear and mail bomb threats. However, even 'simple' threatening letters can be illegal.

Organizations can easily be targeted for their beliefs or for the causes they champion. These can be political, religious or social. In the past year, religion has been a large target for all manner of hate crimes including dangerous and deadly mail attacks.

The motivation for the hate crime is sometimes only based on a company having a well-known brand where the hate would make its biggest impact for notoriety.

These hateful and disturbed individuals and organizations are always looking to find ways to make their message known, while often the groups would like to also grow their membership.

What is the difference between Threatening Letters and Hate Mail?

Threatening Letter: According the United States Postal Inspection Service (USPIS), it is a letter “threatening a person's reputation, blackmail or extortion through the mail.” This is considered a federal crime.

Hate Mail: This is a letter containing usually negative, hostile and hurtful language targeting a person or group based on a bias. If the letter does not contain certain threats, then sometimes it is not considered a crime.

Religious Hate Crimes are Making Headlines

Religious Freedom Report Offers Grim Review Of Attacks On Faith Groups - NPR

While many types of hate are causing threats, religious oriented hate crimes are a troubling trend for all beliefs and religious organizations.

"Hate crimes surge in NYC, attacks on Jews almost double" - NYT

What should we look for?

Again, for hate crimes the full spectrum of all possible mail threats should be mitigated. All causes for question or suspicion must be taken seriously.

Any of these items or a combination can indicate a dangerous package:
• Excessive postage
• Sealed with extra tape and material
• Restrictive markings like “Personal” or “Private”
• Lack of return address
• Lopsided or uneven package
• Strange odors, stains or leakage
• Badly typed or written addressing
• Misspelled words
• Return address from foreign country or does not match postmarking

Click here for the Poster "Signs of Dangerous Mail"

Basic steps for Mailroom Safety include:

Put a plan in writing
Install correct sensor equipment
Train employees
Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility.


As always, I appreciate your comments. smartin@sobran-inc.com