Leave it to Tom Brokaw to make the statement for mailroom and postal security. When Tom Brokaw held up his amber prescription bottle in October 2001 on NBC Nightly News and declared, "In Cipro we trust," the statement encapsulated the nation's vulnerability during the anthrax scare. Brokaw's assistant had tested positive for exposure to cutaneous anthrax and much of NBC's New York staff, including the usually unflappable anchor, was put on the anthrax-fighting drug as a precaution. Of course, NBC wasn't the only entity caught up in the hysteria. Politicians, celebrities and thousands of regular folk scrambled to get their hands on the small white pills. A spate of white-powder hoaxes followed, and across the country companies supplied latex gloves and detailed procedures for their employees to use when opening mail. The evening news was filled with images of Americans donning gloves and face masks for the short walk down to the mailbox.
Although 22 infections and five fatalities were eventually attributed to anthrax exposure, three years have faded much of that initial fear into a melodramatic memory. Many of the precautions that companies put in place were phased out after the initial crisis passed, and in most companies the mailroom work is once again considered just another rote administrative task with few or no security implications.
"It's out of sight, out of mind," says Mike Guevremont, senior vice president with Executive Protection Systems (EPS), a security consultancy that provides WMD protection equipment, training and services to the U.S. Senate, House of Representatives and Department of Defense. "It's been so long between incidents that people have become lackadaisical again. Companies are very nonchalant. They used to make people wear gloves, but why should they now? Nothing's happened." Guevremont estimates that only 3 percent to 5 percent of private industry is currently prepared to handle a mail-borne security threat.
Few organizations understand the stakes of mail security better than the United States Postal Service. Two postal workers died from inhalation anthrax in 2001, and another seven survived exposure. The Brentwood postal facility in Washington, D.C., required a $130 million decontamination and renovation before finally reopening in December 2003. And another facility in Trenton, N.J., underwent an $80 million cleanup and is expected to reopen by the end of 2004. Since the attacks, the Postal Service has taken the lead in educating private companies and citizens about the standards and practices that are fundamental to good mail security, offering onsite consultations to help companies improve their security procedures. Thomas Day, vice president of engineering for the USPS, has seen his job transformed by the anthrax attacks from a focus on expediting the movement of mail to strengthening the Postal Service's defenses against future attacks. Day says that CSOs have an important role to play in ensuring mail security. But that message has yet to be received in many security departments. "There's a tendency to forget about the mailroom," he says. "Security focuses on the front door, not the back door, which can be a greater threat. At least at the front door you have to identify yourself. When you're coming in the back [as the mail usually does], there are ways to sneak around that process."
We spoke to inspectors, security executives and industry experts to get their perspective and experience on the challenges of securing corporate mail facilities, and we gleaned their best advice on how CSOs can begin to repair this hole in their security defenses.
Mail Security 101: The Problem with Stale Muffins
With all the "suspicious white powder" incidents reported in the news, one could assume that awareness about what can and can't be sent through the mail would be high. But the Postal Service still witnesses more than its share of bad packaging decisions. Just ask Molly McMinn, a postal inspector and national public information officer with the United States Postal Inspection Service, who has seen everything from beach sand to crushed lentils cause alarm when shaken loose from packages. One woman was so upset by the quality of an English muffin that she put it in an envelope and mailed it back to the manufacturer. It was crushed en route by mail sorting machinery, producing
But other mail doesn't need a high-tech solution to be deemed suspect. Omer Recore, Citizens' executive security officer, recalls, "We had one package, an envelope in disrepair with horrible scribbled handwriting. 'Supreme Court of the United States of America' was crossed out on the back, and on the front it said 'Citizens Bank, Boston' and no return address. Packages like that are easy; you just don't even accept them."
But many security executives overplayed the mail security issue during the anthrax attacks, investing in expensive technologies and instituting procedures that seemed unnecessary once the panic subsided. Those CSOs are now in the position of having to garner support from a deeply suspicious executive leadership team.
There are a number of effective arguments that they can make, however. The first
EPS worked with a Florida-based nonprofit called Project Hope, which received a delivery containing an unknown powdery substance. The company had to shut down for several days while samples were tested in a lab. The substance turned out to be innocent enough, but it was a wake-up call for the company, which hadn't worried about mail security up to that point. After experiencing the disruption of a false alarm, the organization decided to put procedures in place. "You have to weigh a little bit of training against the prospect of having an employee breathe something in," says Guevremont, "and the psychosomatic trauma that comes with that. Proper mail handling should be considered a corporate benefit. It gives employees peace of mind and shows that you will do what it takes to protect their health. Plus it could save a lot of money from the lawsuits that will inevitably arise if you're not prepared."
Finally, it's important to remember that the culprits behind the 2001 anthrax attacks and the more recent ricin mailings to the Capitol are still at large. While your company might not be in an industry or geographic area that would intuitively be a target, cross-contamination
"If anybody is going to raise the alarm on this issue, it should be the senior security executive," says R. Douglas Nunes, a certified protection professional with ASIS International and retired U.S. Postal Inspector with 30 years of experience in mailroom security, mail bombs and bioterrorism. "If time passes and nothing has happened, the CSO needs to rejuvenate that awareness because you don't know when you're going to be a target. And the CSO will be the first one criticized for not raising that alarm."
The precursor to creating a mail security policy and the appropriate procedures is to first understand the threat and what the unique risks are for your company. Factors such as the type of industry and geographic location of corporate assets are obvious contributors to a company's risk level. "If the company is a defense contractor or has a lot of foreign investments, it would certainly face more risk than a medical supply company or a financial institution," says Nunes. Many otherwise low-risk companies are located next to high-risk entities such as a consulate or may even share building mail facilities with a company that could be threatened.
In many cases, the location of the mailroom within the building can be a risk factor in itself. Companies seldom have the option of moving the mailroom to a lower level or loading dock area, but mailroom positioning is one of the critical elements that security experts look at in assessing a company's risk. When a mailroom is located on a middle level within a building it dramatically increases a company's overall exposure because, as the mail travels through the building, any contaminants that are present have a greater opportunity to spread to other floors and work areas. Ideally, the mailroom should have its own HVAC controls and be located on the lowest level in an area that is easily cordoned off. Some federal buildings and other high-risk companies have even gone to the expense of installing negative pressure rooms, where the airflow can be reversed into the room to ensure that any contaminated air is contained.
CSOs should consider international terrorism as just one item in the portfolio of risks that can manifest in the mailroom. Domestic terror groups, disgruntled employees, spurned lovers and your basic slacker employee looking for a free day off work can all use the mail system as a means to carry out threats. For this reason, it's critical that the mailroom be included in the communication chain during times of heightened security.
Mailroom Security 102: An Ounce of Prevention
Once a company has determined its risk level, it can start to address and mitigate those areas of concern. The first step that most experts recommend is to ensure that there is a single point of entry for all mail into the enterprise. All packages and envelopes should go through a centralized facility where they can be subjected to the same screening process. Many companies send USPS mail through the mailroom but make the mistake of allowing delivery people to walk in the front door or deliver packages directly to the recipient. The lack of unique packaging on an expedited delivery leaves the recipient with even less information to determine whether the contents are hazardous. "There's nothing magical about what they ship or send that makes it safe," notes USPS's Day. "We often see that mail from the Postal Service is subjected to heightened security screening, when a FedEx or UPS package is allowed to go straight through." The single-point-of-entry policy should be extended to couriers and bicycle messengers who are also often allowed to wander a building and deliver their packages directly. "The biggest mistake is to exclude [those deliveries] from scrutiny in favor of expediting delivery to the CEO," says Nunes. "It makes no sense to have access control for personnel while allowing the entrance of something through a delivery service. But we see that kind of contradiction in many places. It's just dumb."