Mailroom security remains an unaddressed security gap for many organizations and given increased shipping volume and operational changes as more employees work from home, it is especially critical that organizations and individuals take precautions in how they handle mail and packages. In this article, we will offer best practices for secure package handling in both mailrooms and private residences, as well as related security practices.
As COVID-19 cases surge across the United States ahead of the holiday season, the U.S. Postal Service is advising customers to get an early start on purchasing and mailing holiday gifts in anticipation that increased online shopping and virtual celebrations due to the pandemic may lead to shipping delays.
Considerations for Commercial Facilities and Private Residences
Before implementing new screening technologies and processes, organizations should map current end-to-end mail receiving and delivery processes to assess volume, accountability, courier routes, and existing workflows.
● Conduct a diagnostic risk assessment, to define and analyze risks associated with:
o Designated points of contact for overseeing facilities and residence management.
o Current protocols for employee pre-hire screening and training.
o Current screening, handling, containment, sorting and final delivery procedures.
o Current screening, detection and threat-escalation procedures for suspicious packages, suspicious substances, and letters of all types.
● Commercial facilities: Depending on results of initial assessment, organizations may consider handling screening and/or sorting on- or off-site.
● Private residences: Initiate a companywide policy that only packages from known senders or containing pre-established content shall be sent to homes of designated senior leadership. Individuals may also have personal mail routed to a universal company post office box for screening and handling through commercial facilities procedures.Mailroom Procedures and Best Practices
Establish a minimum threshold of visual screening and X-ray scanning for low-risk facilities. Red flags include mail or packages which contain any of the following characteristics:
● Labeled with the words, “personal” or “private;”
● Mail from a sender which is unexpected;
● Mail/package with distorted handwriting;
● Name and/or address prepared with homemade labels or cut-and-paste lettering;
● Unknown/absent return addresses;
● Excessive postage;
● Odors;
● Residues, staining or discoloration on package exterior;
● Ticking sounds;
● Protruding wire(s);
● Aluminum foil;
● Odd shaped packages.
Consider the following actions to mitigate overall risk:
● Perform pre-hire and periodic background screening for all mailroom personnel.
● Ensure the results of the firm’s Intelligence Program, i.e., the identification of any threats or risks, are shared with both the global security and mail operations staff, possibly leading to enhanced screening procedures.
● Build redundancy in mailroom capabilities, conforming with an organization’s business continuity or disaster recovery plans.
● Isolate HVAC, loading docks, access points and access control systems for each mail-processing facility from main business operations.
● Employ a negative-pressure environment at inbound loading dock doors.
● Mandate, through companywide policy, the use of personal protective equipment commensurate with level of risk (e.g., protective masks or Nitrile gloves).
● Develop a Global Security Suspicious Package Program detailing incident response procedures and ensuring all requisite staff receives appropriate training.
● Develop an enterprise-wide Global Security Suspicious Package Dashboard tracking operational activities in support of mailroom operations.
Tactics and Considerations
Designate authorized personnel to sign for USPS packages and courier vehicles to transport items from mail center to screening location. The following actions and tactics should be considered:
● Develop procedures for tracking all items en route from mail center to screening location through receipt by designated personnel.
● Ensure that all packages are attended to on loading docks or in public areas.
● Validate external courier personnel and package contents ahead of item intake.
● Define and analyze risks associated with various types of mail streams.
● Understand the most likely types of threats that may appear in the mail.
● Analyze and compare efficacy, efficiency, and economics of alternative mail screening technologies, facilities, and processes.
● Establish liaisons with local first responders, emergency personnel, law enforcement, and postal inspectors.
● Employ professional security personnel to staff mail facilities.
● Restrict facility access to authorized users only.
● Keep detailed logs of visitor arrivals and departures.
● Install an intrusion-detection system.
● Use CCTV to record and store surveillance of operational areas and exterior perimeters.
● Ensure adequate lighting and CCTV coverage for operations and exterior areas.
● Use easily distinguishable badges for staff and visitors and require that they be displayed while on company grounds.
Incident Response, Escalation and Follow-Up
Mail center managers and global security personnel should periodically review incident response procedures with mail center employees and first responders to establish good habits around handling and reporting practices and tracking activity via established dashboards.
● Avoid any contact with a suspicious package, including attempts to move the suspicious item or access its contents.
● Develop protocols for initial handling of suspicious substances or packages/devices and ensure appropriate training is afforded mailroom operations staff.
● For a suspected incident, employees should alert an organization’s security command organization, as well as local law enforcement or first responders, as appropriate.
● If the facility is multi-tenant, notify building management.
● Employees should be given the opportunity to speak with medical personnel, HR representatives, environmental health and safety representatives or other agency personnel, as desired and deemed appropriate by the organization.
● Global security and/or mail center manager should document and share information about incidents with other internal mail center managers for both post-incident review and training purposes.
● Global security and/or mail center manager, dependent upon company policy, should liaise with and coordinate access related to a potential investigation by law enforcement (e.g., local/state police, FBI, US Postal Inspection Service).
● Mail center to retain all suspicious evidence and records of related activity for anticipated release to law enforcement.
Design Robust Employee Training
Organizations should develop curriculum to incorporate basic security procedures, to include the recognition, identification, and reporting of suspicious packages/substances, the proper use of personal protection equipment, and the appropriate protocols related to packages/mail containing possible chemical, biological, and/or radiological components.
● Establish ongoing liaison between internal security and mail center personnel related to changes in threat level and/or the identification of any threats to either individuals or the firm/industry, so that mail screeners perform requisite activities and/or upgrade processes or technologies accordingly.
● Integrate the efforts of senior organization officials, mail center management, security officials, technology providers, and first responders.
● Maintain a log of all mail operations employees and training dates.
● Utilize posters, videos and online training packages.
Develop a Regular Review Process
Organizations should evaluate on a periodic basis mailroom security screening and handling policies and track this activity via company dashboards.
● Complete risk assessment and map current workflows and processes.
● Identify key gaps and vulnerabilities.
● Based on assessment results, develop a prioritized list of gaps for remediation and to inform process/policy development and training initiatives.
● Socialize policy implementation and development with management stakeholders and identify key vendors and technology to support process development, implementation and administration.
Further Reading
Who Protects Your Mail? US Postal Inspection Service
The Five Pillars of Mailroom Security Security Industry Association
Mitigating Mistakes: Don’t Overlook the Mailroom SecurityInfoWatch
About the author: Brian W. Lynch is the Executive Director for Safety & Security at RANE. Lynch brings nearly four decades of senior management and executive-level experience in the fields of law enforcement, safety, and security.Previously, Lynch served as Head of Global Security at Vanguard. He designed and executed the firm’s enterprise-wide Eight Phase Global Security Program which included the design and execution of the firm’s secure mail operations processes and training, as well as a 24x7 global operational model responsible for the identification, analysis, response, and resolution of security incidents. Lynch was also a Special Agent with the FBI, serving in investigative and senior executive-level positions, over a 22+ year career.
About RANE: RANE (Risk Assistance Network + Exchange) is an information and advisory services company that connects business leaders to critical risk insights and expertise, enabling risk and security professionals to more efficiently address their most pressing challenges and drive better risk management outcomes. RANE clients receive access to a global network of credentialed risk experts, curated network intelligence, risk news monitoring, in-house analysts and subject matter experts, and collaborative knowledge-sharing events.