We briefly discussed the rising risk of mail attacks in our previous post about lesser-known threats. In this blog, we dig further into mail threats and vulnerabilities, why they increasingly matter to executive protection professionals, and how we can now mitigate these risks for organizations and family residences with the help of new screening technology.
Mail threats matter
Mail-borne threats, especially those due to explosives and biological and chemical agents, are real, deadly, and on the rise.
In addition to lethal improvised explosive devices (IEDs) and incendiary devices, mail threats containing dangerous biological and chemical compounds are also increasing – as are white powder hoaxes.
Whether real or hoax, intended to do bodily harm, disrupt business, intimidate, or blackmail, mail threats are a relatively easy to execute and difficult to trace back to the perpetrators. Given their potential impact and the widespread vulnerabilities of most organizations and families, we believe that mail screening will play an increasingly vital role in comprehensive executive protection programs in particular and in corporate security in general.
Of the five types of mail threats, two are most relevant for executive protection
Government agencies such as the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and the U.S. Bomb Data Center categorize mail threats into five types: chemical, biological, radiological, nuclear, and explosive – commonly referred to as “CBRNE.” While all threats must, of course, be considered, this blog will focus primarily on biological and explosives threats, as these are the most common and likely to occur in the settings in which we, as execuitive protection professionals, work.
As mentioned above, explosives in mail are disturbingly common. Many of these are pipe bombs – relatively simple to make but deadly. Explosives are easier to detect visually than powders due to their density and appearance.
Two of the most well-known biological threats are anthrax and ricin, both extremely toxic substances that are lethal in even minute quantities when inhaled in powder form (anthrax) or ingested or injected into the body (ricin and anthrax). Anthrax spores in powder form sent in anonymous letters killed five persons in 2001, injured 17, and revealed just how vulnerable we are to this deadly threat. Ricin-laced letters have been sent to Presidents Obama and Trump and other officials – and just recently to California prisons. A wide range of copycat hoaxes shows how easy it was to wreak havoc, close offices, and create an environment of fear by sending innocuous white powders (baby powder, soap powder, sugar, flour…) to businesses, media outlets and residences.
Powders can be difficult to detect visually using conventional technologies. They are small in size and can be confused with the large amounts of dust common in mail centers.
All physical mail streams are vulnerable to mail threats
Although electronic mail continues to chip away at the number of snail-mail letters we send each other, postal carriers and couriers deliver an ever-increasing volume of goods we purchase online. By 2021, worldwide ecommerce sales are expected to reach almost $5 trillion, or 17.5% of all retail sales. That’s a lot of parcels and small packages moving around, and the trend is only expected to continue upwards.
While convenient for consumers and companies, the huge flow of post and package deliveries to homes and businesses represent a growing security vulnerability. Because anyone can send mail via these streams anonymously, the risk of detection is low for those who wish to do harm. Furthermore, carriers do only very limited screening in these streams. According to the U.S. Bomb Data Center, incidents regarding explosives in packages and parcels increased 99% from 2017 to 2018. Furthermore, the rise in outsourced “last mile” delivery introduces even greater vulnerabilities in the chain of custody. It is now common for parcels to arrive in unmarked cars and vans, dropped off at residential front doors or company receptions by outsourced individuals and small companies – not the big carriers themselves.
Interoffice or intra-campus mail is an often-overlooked vulnerability. Even though the organization might do some kind of screening “at the gates,” once inside, such screening is rare. Envelopes and packages are often transported internally in open containers, making it easy for malicious visitors or disgruntled employees to end-run most mailroom screening procedures and introduce mail threats directly into the internal delivery stream.
Understanding the risks due to biological and explosives in mail and parcels
Bodily harm is obviously the most serious risk due to mail-borne biologicals and explosives, but these threats expose organizations to other types of risk – and potential costs – as well:
- Financial costs: Companies incur significant expenses when forced to deal with mail threats, often closing the affected facilities for days while investigations take place and even longer if remediation is necessary.
- Psychological costs: Organizational morale and productivity suffer when staff doubt the organization’s ability to protect them and are worried about their safety at work.
- Reputational costs: The negative PR resulting from mail attacks can impact sales and the company’s capacity to attract and retain the best employees.
The psychological and reputational costs are real, albeit difficult to calculate. The financial costs due to facility evacuations and closures, however, are more straightforward. Depending on the circumstances, expenses related to such shutdowns can far outweigh the costs of mail screening.
The location of mail screening facilities matters
As we outline above, the bad news is that mail threats are deadly and on the rise, putting both organizations and families at risk. The good news is that mail threats are possible to mitigate with mail screening.
For both organizations and residences, the location of mail screening facilities matters. Here is how some of the options compare, in descending order of security:
- Offsite screening – In high-risk situations, it’s best to do mail screening (and screen all deliveries, including those for canteens, office supplies, etc.) offsite in dedicated, isolated facilities.
- Isolated on-campus or on-residence screening – This option is not as secure as offsite screening, but it is in most cases better than those described below. These screening facilities are located within the security perimeter but separate from other buildings. Importantly, their HVAC systems are also separate in order to keep any air-borne threats isolated and away from the rest of the organization or residence.
- Non-isolated on-campus or on-residence screening – Such facilities are attached to a building, preferably with direct access from outside, so unchecked mail doesn’t have to be transported through working or living spaces. Separate HVAC, which should be able to be shut down quickly if necessary, is preferable.
We do not have any statistics, but we suspect that with the exception of government offices and major corporations, many companies and most private residences do not have any special location for mail screening. And as we shall see below, nor do they have any appropriate technology, procedures or trained personnel.
Mail screening technology and executive protection
A wide variety of technologies mitigate mail threats. All have their advantages and disadvantages regarding substance detection, operator safety, operator training, throughput, complexity, and cost.
Visual inspection, for example, can detect the most common mail threats effectively if slowly, but depends on a human operator to open and examine every individual parcel or piece of mail, directly exposing him or her to threats from all types of substances.
At the other end of the complexity spectrum are high-throughput automated systems utilizing various types of sensors and identification technologies to detect then identify a wide range of CBRNE threats. While complex and costly, these systems make sense for law enforcement and first responders. Those responsible for corporate, executive protection, and residential security programs should note that such complex systems require a large amount of training and financial resources to sustain operations. False positives, a significant issue with these complex systems, can lead to multiple unnecessary shutdowns. Risk profiles and delivery volumes must also be considered.
Until recently, executive protection programs, not least at the residential level, have lacked technology suitable for mail screening. Automated sensor systems that protect principals at the office rarely do so at home. X-ray scanners have been used in some residential security programs, and while they are good for spotting explosives, they are ineffective in detecting other substances, such as powders and liquids. It’s an unfortunate fact that visual inspections, with all their risks for the household staff, executive protection agents, or principals opening the mail, have probably been the most common “technology” used for mail screening in residential contexts.
Fortunately, this situation has recently changed. New millimeter technology, or mmWave, using ultra-short wavelengths and operating in the spectrum between 30 and 600 GHz, coupled with new imaging systems and software, are now capable of detecting and then isolating the most common mail threats including chemical, biological, explosive and suspicious powders. The systems also contain an integrated radiation detector, thus enabling detection of most CBRNE threats. We have tested the solution developed by RaySecur, for example, and found it suitable for residential programs as well as organizations that want better mail security, but are not ready to invest in high-volume automated sensor solutions.
The need for solid procedures and well-trained staff
Of course, technology on its own is not enough. Executive protection teams need reliable people and procedures, too, in order to carry out mail screening effectively and safely.
In addition to determining the best possible location and isolation of the mail screening facility, as we discussed above, executive protection managers also need to establish reliable KPIs regarding:
- Training of staff
- Personal protection equipment for staff
- Incident response procedures – what to do if you find something (you don’t want to run through the residence or office landscape carrying a suspicious package, exposing more to the threat), evacuation plans, internal and external communications
We believe more clients will soon include mail scanning as part of comprehensive executive protection programs
Given the increasing incidence of mail threats, growing vulnerabilities in mail and package distribution systems – and thanks to the latest mitigation technologies – we believe more clients will soon include mail scanning as part of comprehensive executive protection programs.
The security and peace of mind benefits are high, and the incremental costs of adding effective screening to new or existing protective programs are low. That’s why we are now offering mail scanning as standard in new SOWs and talking to existing clients about adding this important component to their programs.