How to Determine Your Mail Threat Level


The mail is an easy and low-cost, accessible form of terrorism.

Whether it is a terrorist group, a lone wolf or a disgruntled employee, you need to be prepared. But how prepared should you be? You might wonder how vulnerable your particular business is to possible mail attacks.

How to Determine Your Mail Security Risk Profile:

Here is a handy security formula for calculating your organization’s risk factors:

RISK = Threat + Vulnerability + Consequence

DHS Best Practices for Mail Screening and Handling Processes

What is the ‘Threat?’

The threat in your organization’s mail and deliveries are defined in terms of Chemical, Biological, Radiological, Nuclear and Explosives  (CBRNE). This includes any substance that could turn out to be a hoax, but at the time of discovery, the threat is not yet known.

A threat is any substance known or unknown which the sender intends to do harm to your employees, your organization or your corporate reputation.

What is the “Vulnerability?”

Vulnerability is your organization’s particular strengths or weaknesses when encountering potentially harmful mail and/or packages.

The possibility of a mail attack grows if a company is lacking a particular screening technology or an organization can be more exposed to mail threats if the staff has not been trained.

Example questions include:

  • Is your staff trained?
  • Do you have the needed screening equipment?
  • Do you run training drills?
  • Is your mail delivered to your physical place of business?

What are the “Consequences?”

The key factor in evaluating Risk is the possible consequence to your organization.

Example questions include:

  • Will the entire building have to be evacuated?
  • Will employees be potentially harmed?
  • Will there be long term emotional consequences to employee absenteeism and comfort?
  • Will clients and/or income streams be disrupted?

DHS sited Case Study: Large International Organization

This organization received a letter containing white powder. This caused the entire organization to shut down for a period of 2 to 3 days while the substance was analyzed and ultimately determined to be a hoax. In a post-event analysis, the organization estimated that the cost of paying employee salaries for the period of the shut down exceeded five million dollars.

Ultimately the organization determined that the cost of an offsite mail screening facility would cost only a fraction of the lost wages on an annual basis–thus it is critical that an organization include financial impact in their risk profile assessment.

What to Include in Your Risk Profile:

A variety of factors, both internal and external, can help determine the vulnerability of your workplace.

Target Status: Is your organization a known industrial or infrastructure target for terrorism?

These could include:

  • Banking
  • Energy
  • Power
  • Defense/Military
  • Legal
  • Pharmaceutical
  • Chemical
  • Nuclear
  • Transportation (air/land/sea)
  • Health and Medical
  • Telecommunications
  • Construction
  • Bio-Medical Research

Location: Does your location make your business an attractive target for mail threats?

Example questions include:

  • Is your organization located in a large major metropolitan area?
  • Is your organization located in a location of national or patriotic significance?
  • Is your organization in a location of a high population?

Visibility/Fame: Is your organization a high-visibility well-known name or brand?

How Do I Know if My Organization is “High Risk” for Mail Terrorism?

Answering “yes” to any of these questions can put your business in the high-risk category:

  • Has your organization appeared in the media?
  • Has your organization been engaged in a lawsuit?
  • Has your organization been threatened with a lawsuit?
  • Has your organization made public statements on sensitive issues?
  • Is your organization a member of an industry whose services, research or products could be the subject of public controversy?
  • Has your organization experienced a recent reorganization or buy-out requiring layoffs?
  • Has an employee made threats to harm the company or any other employee?
  • Has your organization attracted political or potentially controversial attention?
  • Has your organization done business internationally?

If your business is High Risk – view our infographic to see how offsite mail screening can better protect your employees and your organization and your reputation.

Each business is unique, therefore, assessing your organization’s unique risk can be a helpful first step to determining the plans needed to mitigate possible attacks and keep your organization safe.

At any risk level, you should ensure your mail is safe.

Basic steps for Mailroom Safety include:

1. Provide mailroom security training
2. Put a plan in writing
2. Install correct sensor equipment
3. Train employees
4. Run practice drills

If this is not possible, consider outsourcing mail screening to a third party or sending mail to a third party screening facility.

If you need help determining your best course of action, let us know. We’re here to help.

As always, I appreciate your comments.