The recent cargo bomb attempts out of Yemen again tested the security and resiliency of the postal and shipping sector of the National Infrastructure Protection Plan. Incidents such as this remind us of the devastating potential that can be contained in a single letter or package.
Going back to pre-9/11 and the Unabomber, and continuing through the 2001 anthrax attacks in the United States, during which five people died and 21 suffered long-term effects, the Postal Inspection Service has identified threats to all levels of USPS clientele.
While the reality is the number of fatal incidents involving mail is statistically very small, in the U.S. there have been more than 30,000 reports of suspicious liquids and powders since the anthrax attacks. Putting a substance in an envelope or package or express box is a pretty simple weapon that can be done anonymously and delivered all the way to an intended target.
The USPS has identified some common characteristics of suspicious mail, and the Postal Inspection Service has provided many corporations with mail-center and receiving-area training in becoming “first observers” of the mail and packages being moved around your enterprise every day.
Since 9/11, many efforts have been taken to lower the risks associated with this vulnerability: some agencies and corporations moved toward remote mail-processing facilities, while others mitigate the risk by having specialized third parties open the mail and scan it, instead of moving the actual documents around the corporate campus.
A matter of priorities
While the processes have greatly improved in the public sector, the unfortunate truth is that awareness lags in the private sector, and a form of disaster denial sets in that says “that happens to the other guy.” Mail center and receiving area risk management usually falls pretty far down the typical business continuity spectrum, and is often even lower with regard to the budget.
However, disaster planning in the 21st century involves developing a proactive approach to maintain your organization’s cash flow, stakeholder confidence and regulatory compliance regardless of the business disruption some “disgruntled” could be planning for your organization.
What types of companies are vulnerable to “disgruntleds”? Only those companies that have former or soon-to-be former employees, angry spouses, unhappy customers or bad relationships with competitors; that service controversial industries; that do business with the financial community, the federal government or the defense department; that conduct R&D involving animal testing; or that work with organizations that fanatics from around the world target.
Your organization needs to recognize its vulnerabilities, assess the risks and monitor the threats. You need to perform site safety and security audits, make sure your suppliers and your third-party providers have similar distaste for risk during the hiring process, and build redundancies wherever disruption from outsiders could impact the critical infrastructure of your business, including:
• Cash flow;
• Failing to comply with federal or state regulatory requirements;
• Loss of investment community confidence;
• Loss of market share;
• Inability to meet payroll obligations;
• High level of public scrutiny or reputation damage.
The end game of targeting an organization is more often to create distraction and disruption in the areas listed above than to create a true disaster. However, each individual incident, whether it is an exploding toner cartridge, a radiological or biohazard, or simply spiking letters with baby powder, needs to be treated as a potentially serious threat.
One of the big problems that the package carrying companies and the USPS share is the enormous volume and high speeds at which they need to operate in preventing risks from entering the shipping streams. High speeds and mail screening for an undisrupted flow of goods are necessary, and yet not necessarily compatible. The urgency in delivering expedited packages to America’s mail centers every day and the constantly evolving methods and threats of breaching your organizational security seem to play opposing roles.
A sober assessment of your company’s organizational risk needs to include the financial risk of a mail security breach: $80 million was spent on the cleanup and restoration of a single USPS facility in New Jersey in 2001; the cost of replacing a major medical campus that had been biologically or radiologically compromised could reach half a billion dollars; and the brand reputation damage associated with the “poisoning” of a major corporate headquarters could impact shareholder value for years to come.
Simply put, it is easier and cheaper to prevent than recover. But you must bat 100 percent.
So why does an organization need to plan for disruptions in its inbound and outbound mail and packages? Because disasters are beyond our control, but planning and response are within our control. Using disaster denial as a strategic plan is no plan at all.
A Firestorm® franchise principal in the Chicago area, Dave Flora has more than 20 years' experience in compliance issues, designing and improving supply chain logistics and mission-critical transactional document production, B2B marketing, business development and product lifecycle management. He can be reached at firstname.lastname@example.org or (847) 540-9365.