When US news anchorman Tom Brokaw held up his amber prescription bottle in October 2001 on NBC Nightly News and declared, "In Cipro we trust," the statement encapsulated the nation's vulnerability during the anthrax scare. Brokaw's assistant had tested positive for exposure to cutaneous anthrax and much of NBC's New York staff — including the usually unflappable anchor — was put on the anthrax-fighting drug as a precaution. Of course, NBC wasn't the only entity caught up in the hysteria. Politicians, celebrities and thousands of regular folk scrambled to get their hands on the small white pills. A spate of white-powder hoaxes followed, and across the country companies supplied latex gloves and detailed procedures for their employees to use when opening mail. The evening news was filled with images of Americans donning gloves and face masks for the short walk down to the mailbox.
Although 22 infections and five fatalities were eventually attributed to anthrax exposure, three years have faded much of that initial fear into a melodramatic memory. Many of the precautions that companies put in place were phased out after the initial crisis passed, and in most companies the mailroom work is once again considered just another rote administrative task with few or no security implications.
"It's out of sight, out of mind," says Mike Guevremont, senior vice president with Executive Protection Systems (EPS), a security consultancy that provides WMD protection equipment, training and services to the US Senate, House of Representatives and Department of Defense. "It's been so long between incidents that people have become lackadaisical again. Companies are very nonchalant. They used to make people wear gloves, but why should they now? Nothing's happened." Guevremont estimates that only 3 percent to 5 percent of private industry is currently prepared to handle a mail-borne security threat.
Few organizations understand the stakes of mail security better than the United States Postal Service. Two postal workers died from inhalation anthrax in 2001, and another seven survived exposure. The Brentwood postal facility in Washington, DC, required a $US130 million decontamination and renovation before finally reopening in December 2003. And another facility in New Jersey, underwent an $US80 million cleanup and is expected to reopen by the end of 2004. Since the attacks, the Postal Service has taken the lead in educating private companies and citizens about the standards and practices that are fundamental to good mail security, offering onsite consultations to help companies improve their security procedures. Thomas Day, vice president of engineering for the USPS, has seen his job transformed by the anthrax attacks from a focus on expediting the movement of mail to strengthening the Postal Service's defences against future attacks. Day says that CSOs have an important role to play in ensuring mail security. But that message has yet to be received in many security departments. "There's a tendency to forget about the mailroom," he says. "Security focuses on the front door, not the back door, which can be a greater threat. At least at the front door you have to identify yourself. When you're coming in the back [as the mail usually does], there are ways to sneak around that process."
We spoke to inspectors, security executives and industry experts to get their perspective and experience on the challenges of securing corporate mail facilities, and we gleaned their best advice on how CSOs can begin to repair this hole in their security defences.
The Problem with Stale MuffinsWith all the "suspicious white powder" incidents reported in the news, one could assume that awareness about what can and can't be sent through the mail would be high. But the Postal Service still witnesses more than its share of bad packaging decisions. Just ask Molly McMinn, a postal inspector and national public information officer with the United States Postal Inspection Service, who has seen everything from beach sand to crushed lentils cause alarm when shaken loose from packages. One woman was so upset by the quality of an English muffin that she put it in an envelope and mailed it back to the manufacturer. It was crushed en route by mail sorting machinery, producing — as one might guess — a fine white powder that caused much concern. Letter-size envelopes are not the only cause for concern. At the headquarters of Citizens Bank in Boston the company has been screening packages for the last two years with X-ray technology from Michael Stapleton Associates (MSA). The product, called SmartTech, allows mailroom personnel to scan packages for the telltale signs of explosive devices.
But other mail doesn't need a high-tech solution to be deemed suspect. Omer Recore, Citizens' executive security officer, recalls, "We had one package, an envelope in disrepair with horrible scribbled handwriting. 'Supreme Court of the United States of America' was crossed out on the back, and on the front it said 'Citizens Bank, Boston' and no return address. Packages like that are easy — you just don't even accept them."
But many security executives overplayed the mail security issue during the anthrax attacks, investing in expensive technologies and instituting procedures that seemed unnecessary once the panic subsided. Those CSOs are now in the position of having to garner support from a deeply suspicious executive leadership team.
There are a number of effective arguments that they can make, however. The first — and perhaps, most compelling — is that mail security does not have to be expensive. Instituting a set of vigorous processes and procedures to govern mail handling and distribution is inherently cheap, compared with the cost of responding to a real threat or a well-executed hoax striking the enterprise. "Consider that situation in our company," says Recore. If a substance or explosive device were received by an employee, "we would have to shut down business operations and lose money. We'd get fire, police and emergency services to respond, which means disrupting every other business in the building. If our knowledge and training can eliminate that from happening, it's a cost savings all around. One incident can probably save the cost of the [technology investment]."
EPS worked with a Florida-based nonprofit called Project Hope, which received a delivery containing an unknown powdery substance. The company had to shut down for several days while samples were tested in a lab. The substance turned out to be innocent enough, but it was a wake-up call for the company, which hadn't worried about mail security up to that point. After experiencing the disruption of a false alarm, the organization decided to put procedures in place. "You have to weigh a little bit of training against the prospect of having an employee breathe something in," says Guevremont, "and the psychosomatic trauma that comes with that. Proper mail handling should be considered a corporate benefit. It gives employees peace of mind and shows that you will do what it takes to protect their health. Plus it could save a lot of money from the lawsuits that will inevitably arise if you're not prepared."
Finally, it's important to remember that the culprits behind the 2001 anthrax attacks and the more recent ricin mailings to the Capitol are still at large. While your company might not be in an industry or geographic area that would intuitively be a target, cross-contamination — which exacerbated the potency of the 2001 attacks — still remains a very real threat.
"If anybody is going to raise the alarm on this issue, it should be the senior security executive," says R Douglas Nunes, a certified protection professional with ASIS International and retired US Postal Inspector with 30 years of experience in mailroom security, mail bombs and bioterrorism. "If time passes and nothing has happened, the CSO needs to rejuvenate that awareness because you don't know when you're going to be a target. And the CSO will be the first one criticized for not raising that alarm."
The precursor to creating a mail security policy and the appropriate procedures is to first understand the threat and what the unique risks are for your company. Factors such as the type of industry and geographic location of corporate assets are obvious contributors to a company's risk level. "If the company is a defence contractor or has a lot of foreign investments, it would certainly face more risk than a medical supply company or a financial institution," says Nunes. Many otherwise low-risk companies are located next to high-risk entities such as a consulate or may even share building mail facilities with a company that could be threatened.
In many cases, the location of the mailroom within the building can be a risk factor in itself. Companies seldom have the option of moving the mailroom to a lower level or loading dock area, but mailroom positioning is one of the critical elements that security experts look at in assessing a company's risk. When a mailroom is located on a middle level within a building it dramatically increases a company's overall exposure because, as the mail travels through the building, any contaminants that are present have a greater opportunity to spread to other floors and work areas. Ideally, the mailroom should have its own HVAC controls and be located on the lowest level in an area that is easily cordoned off. Some federal buildings and other high-risk companies have even gone to the expense of installing negative pressure rooms, where the airflow can be reversed into the room to ensure that any contaminated air is contained.
CSOs should consider international terrorism as just one item in the portfolio of risks that can manifest in the mailroom. Domestic terror groups, disgruntled employees, spurned lovers and your basic slacker employee looking for a free day off work can all use the mail system as a means to carry out threats. For this reason, it's critical that the mailroom be included in the communication chain during times of heightened security.
An Ounce of PreventionOnce a company has determined its risk level, it can start to address and mitigate those areas of concern. The first step that most experts recommend is to ensure that there is a single point of entry for all mail into the enterprise. All packages and envelopes should go through a centralized facility where they can be subjected to the same screening process. Many companies send USPS mail through the mailroom but make the mistake of allowing delivery people to walk in the front door or deliver packages directly to the recipient. The lack of unique packaging on an expedited delivery leaves the recipient with even less information to determine whether the contents are hazardous. "There's nothing magical about what they ship or send that makes it safe," notes USPS's Day. "We often see that mail from the Postal Service is subjected to heightened security screening, when a FedEx or UPS package is allowed to go straight through." The single-point-of-entry policy should be extended to couriers and bicycle messengers who are also often allowed to wander a building and deliver their packages directly. "The biggest mistake is to exclude [those deliveries] from scrutiny in favour of expediting delivery to the CEO," says Nunes. "It makes no sense to have access control for personnel while allowing the entrance of something through a delivery service. But we see that kind of contradiction in many places. It's just dumb."
CSOs should also decide what base level of precaution they want mailroom personnel to take. Though technology has made significant strides in the detection and prevention of mail-borne threats, some of the most effective measures that mailroom workers can take are surprisingly economical. Experts recommend that all mailroom employees wear latex gloves, masks and safety glasses while sorting and processing the mail. Unlike some of the cheaper face masks, Guevremont recommends an N95 mask, a paper respirator that can be purchased at do-it-yourself hardware chains. These are the same masks that have been used to control the SARS outbreak in Asia and Canada. At $2 to $3 apiece, they are more expensive than disposable masks but are much more effective in filtering out particles. Although workers may find latex gloves sweaty and cumbersome, they are also an inexpensive preventive measure. Another good argument for gloving-up when handling mail — aside from the potential bioterrorism threats — is that it's also just plain dirty. "The mail goes through lots of machines with powders and dust, and wearing gloves and masks reduces the level of exposure to all of that," says Nunes. "I've heard complaints that having gloves available is a visual cue that [the company] perceives a risk. But the notion that there is potential risk should be a given."
At Pitney Bowes, which handles the mail processing and distribution for a number of Fortune 100 companies, basic precautions include reminding employees consistently about facility security no-nos, like propping doors open and letting in unidentified individuals. Food is forbidden in mailrooms and employees are asked to wash their hands before starting work to avoid bringing material into the workplace that could raise a security alarm.
Educating mailroom staff to look for suspect mail is a critical step in the planning process. The USPS has been active in publicizing the basic characteristics of questionable letters or packages, even offering a security self-assessment worksheet on their website that companies can use to identify gaps in their defences (see www.usps.com/communications/news/security/b22_saw.htm).
Some articles of mail are obviously dubious: a hand-printed address or return address from a business that would normally type its correspondences; postage — particularly excessive postage — from a business that would use a meter; a disparity between the return address and postmark; a mailing that feels unusually heavy for its size or is lumpy indicating a buildup of a substance. "With employees, we mainly deal with handling, identifying and containing suspicious packages," says James Sartori, assistant vice president and threat management and intelligence manager for Citizens. "It's very basic. We don't get too involved in explaining how a substance may affect them. We want them to know how to identify any suspicious packages and how to escalate that up." A mailroom worker should follow up on iffy mailings first to see if the recipient was expecting anything, and if not, to contact the sender to identify the package's contents. "If [the mail] actually has a threat printed on the outside, that's helpful, but in most cases employees will have to rely on mail profiling," says Nunes.
Finally, CSOs can learn a great deal by including mailroom workers in strategy development. They see what comes in through the mail service every day and their experience is invaluable. Mailroom personnel can provide the practical input that is often lacking when security folks and consultants run the show.
Crisis Response When a piece of suspect mail is identified, it can tax the nerves of even the most level-headed mailroom employee, so it's critical to have a written plan to detail what should happen next. Nunes has seen cases where panic sets in. "You don't want them to run out of the room, package in hand, and take a cab to the hospital, potentially exposing everybody along the way," he says. "That has happened."
Companies need to establish a set of procedures for containing the area: Immediately shut down the HVAC system, remove gloves, glasses, smocks and anything that may have come in contact with the substance, and then notify the appropriate personnel. Define the chain of contact from security and facilities personnel to emergency responders, and post contact information in the mailroom. Rick Barnes, director of security for Brookfield Financial Properties in Boston, also uses the SmartTech X-ray screening technology and has established a set of procedures for mail centre employees if they find anything shady. The operator is to leave the package in the machine, evacuate the mail centre, and immediately apprise building management of the situation. Their response program includes a bomb sniffing dog and certified bomb technicians who can be onsite within minutes as well as evacuation procedures and steps for contacting local authorities. Barnes stresses that technologies are only as good as the processes and procedures that surround them. "You don't want a situation where [the technology] is just window dressing," he says. "Otherwise it's like putting tap water ice cubes in a glass of Perrier."
Once you establish a plan, there are two final steps to take. The first is to practice and update your plan as often as possible to keep it fresh in the minds of employees and to allow for continual improvement in the company's response.
The final step — particularly for companies that have invested a great deal of time and money in technology and planning — is to keep quiet about it. "We tell people that, once they have plans and procedures in place and have bought equipment, don't publicize it," says Guevremont. "You have two kinds of bad guys: those who will hear you've implemented a system and will move on to someone else, and those who will try to break in anyway." For example, if a would-be perpetrator hears that your company is irradiating its mail to kill anthrax spores, he may decide to send ricin instead (which can't be killed by those means). In fact, several high-profile companies declined to be interviewed for this article citing just those concerns.
In the past two years, the technologies available to screen mail have progressed by leaps and bounds, especially in the area of detecting chemical agents. Smiths Detection North America provides detection systems to the USPS. Some of their technologies, like the Mail Sentry system, can test for multiple biological agents at once by puncturing minute holes in envelopes as they are run through the machine, squeezing out the air and testing the extracted air for the presence of biological agents. The system can look at thousands of packages at a time; it costs about $US150,000. However, the same technology is also offered in a portable handheld form. This device, called Bio-Seeq, can be used by companies and emergency responders to test a dubious substance for bacterial and viral pathogens. That might be an appealing alternative to calling in a hazmat team every time a questionable substance is found.
For companies that want to kill rather than detect airborne pathogens, there are products like the IQAir CleanZone from IQAir and the MailDefender from BioDefense. With the IQAir product, mailroom personnel can open up any suspect mail under its protective hood and shake it out to ensure there are no dangerous substances inside. Anything that falls out is sucked up into a double HEPA filter. The MailDefender is one of the few products able to kill ricin, and it works as a point-of-entry decontamination system for mail. It also uses electromagnetic irradiation and oxidization to kill any contaminants.
In evaluating these types of technologies, USPS's Day stresses the importance of paying attention to false positive rates. In fact, the USPS has put a number of these technologies through their paces and found that many don't live up to their billing. Part of the problem is that paper dust contains biological components from the original cell structure of the tree. If a detection technology isn't precise enough, such particles can trigger a false positive. The USPS has set the standard false positive threshold for its analytic systems to 1 in 500,000. Companies must also ensure that any technology they select can handle the volume of incoming mail.
Explosives detection is another area where mailroom technology is rapidly progressing. The SmartTech system from MSA uses X-ray technology to screen packages for explosives and includes a real-time consultation component. Mailroom employees can go online and connect with an MSA analyst (most of whom are former bomb technicians from the New York City bomb squad) for help evaluating the screen images of a given package. SmartTech has been helpful at Citizens Bank, where the mailroom receives everything from cell phones to gimmicky promotional items that at first glance can look suspicious. Recently, a local chamber of commerce sent a promotional device to Citizens' CEO and a number of other Fortune 500 CEOs. But the SmartTech scanner detected switches and batteries — some of the earmarks of a suspicious device. The ability to connect with an expert in real-time prevents these kinds of situations from triggering a false alarm. Smiths also offers a trace detection technology, the Ionscan 400B, that functions like the swab-and-scan technologies used at airports. It allows mailroom personnel to take a swab from the outside of a package and analyse it for any trace of explosive materials.
One of the most interesting technology trends for the mailroom is the movement toward digitizing mail delivery, allowing employees to circumvent the mail opening process completely. Pitney Bowes Management Services (PBMS) is testing a pilot program at two sites that will have the mail opened in a secure centralized area, electronically scanned into the network and delivered to the desktop of the intended recipient. While there are a few companies working on this kind of technology, PBMS is focusing on creating a system that will be secure enough to comply with legislative requirements like the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. PBMS has also developed an internal system that allows it to take a photo of any unexpected package that is received in the mailroom and e-mail it to the recipient, who can determine whether the package should be forwarded, returned or destroyed.
It's important to remember that at the root of all the policies, procedures and technologies there is a fundamental dependence on people. The mailroom staff is hardly ever under the purview of the CSO, but by developing a close relationship with facilities personnel, CSOs can influence the training and selection of mailroom personnel. One of the biggest problems in many enterprises is that mailroom employees, like custodial staff, are placed in a trusted position, with a great deal of access and very little oversight, and are seldom run through background checks. "You have to make sure that you don't have a problem from within," says Kevin Swailes, chairman and CEO of Swailes & Co., a consultancy that specializes in investigations and security management. "We've worked cases where mailroom employees used their access to get information from HR for identity theft, and where they have been involved in sexual harassment cases." By not checking these employees' backgrounds, the company is opening itself up to tremendous risk. Tied to that is the fact that mailroom work is often a high-turnover, low-pay position. Swailes suggests that if companies are serious about mailroom security, there will have to be a paradigm shift in how they think about mailroom work. "We've seen that a package can get in and create havoc and even loss of life," he says. Companies need to recognize that the mailroom is a strategic point of defence for the company. The real danger, according to Swailes, is this: If you relegate mailroom security to the lowest bidder, you're going to get what you paid for.