Mind The Snail Mail
We seem to be very conscious of e-mail security, but are often oblivious to the security of the “snail mail” we receive at our homes and offices. Recently, in our role as consultants in the due diligence arena, we were asked a series of questions of snail mail and corporate snail mail security. The answers bear repeating for a wider audience.
• What type of mail security should we have?
Each type of company will have its own requirements and each specific company will have further refinements of those requirements. If the company regularly handles payments through the mail with a significant volume of payments arriving via postal mail or courier, a lock box service is often a sensible investment, both for security and efficiency.
For smaller companies, I strongly recommend that all mail go to a post office box, not a private mailbox. Post office boxes are securely constructed and often continuously monitored by CCTV. However, private mailboxes (e.g., from the UPS Store) offer a street address for delivery of packages via courier, and may be more practical but not as secure as private mailbox should be securely constructed of heavy gauge steel and accessible only to employees of the mailbox company. A mail box at a home or office location, if needed should be also be very secure and made of steel with a locking system to gain access to the snail mail.
• How can one segregate mail streams?
Mail drops and drawers can be used to segregate the mail according the wishes and needs of the company. However segregated, mail in significant volume should be picked up by a trusted employee or delivered by postal services in bulk, ending up in a secure location. If that location is at a company facility, it should be segregated from the remainder of that facility. Mail may be received, but should never be kept or even exposed, at a loading dock.
Once in the secure location, the mail can be delivered to the proper department. The mail can be pre-coded by agreement, such as adding to the address of certain locations or functions by adding additional addressing information such as Station A, Building 14, or to the attention of a specific employee. These codes should not interfere with the regular postal addressing.
* How should junk mail be dealt with?
All physical mail should be treated as one would treat e-mail. It should be kept free from the prying eyes and the letter openers of others. Junk mail often originates from companies offering credit cards or financial services. If such mail winds up in the wrong hands, it can lead to identity theft. Yep – even junk mail may have value
Unsecured mail streams are also vulnerable to industrial espionage without opening up a single envelope or parcel and with nearly zero risk of detection. Think of the unopened mail as the cleaner version of dumpster diving, but without the leftover food bits. One just needs to look at the front of the envelope to make conclusions about the company and the receiver. For example, an envelope containing a credit card will never have any identification on the envelope other that a post office box address. But, with a minor amount of research, one can link the address to the proper credit card issuer.
Mail stream analysis can also reveal the identity of a company’s clients, the nature of the relationship, the names and addresses of key suppliers, etc. It is also possible to decode Pitney Bowes franking stamps to determine the, senders names and physical address of where that piece of mail originated.
Now imagine what about what you can learn about a company if one you can open their mail!
* How can I tell if the mail has been tampered with?
Look for smudged ink, as many letters are now printed with jet ink printers. The inks will bleed if the paper is treated with chemicals or water (steam) to pen open the envelope and read the contents. Also examine the corners of the envelope for small tears. They may indicate that a tool was inserted to either spool the contents for removal from the envelope or that a small scope was inserted to read the document while still in the envelope
Many correspondents will tape over the corners of an envelope to prevent tampering. However, someone who tampers with an un-taped envelope may also tape it over to conceal the tampering. For very high security mailings, wax seals may be employed to prevent tampering and authenticate the sender as well as security envelops and tamper evident tape and seals. But yet, that too draws attention..
* How can I be more proactive to see if my mail stream(s) are being tampered with?
Have a letter sent to you, at the address of your choice, on a regular basis. Record the number of days it takes to arrive. If you see an increase in the numbers of days it takes for the test letter to arrive, on a consistent basis, this may indicate tampering or the monitoring of your mail stream, as the mailed items must be diverted for at least a few hours for fiddling purposes. This diversion may result in the mailed items missing the cutoff times for sorting and delivery for a day or more.
Include in your own correspondence a small sheet of rice paper inside the envelope. Rice paper turns to goo when it gets moist, such as in from steam when trying open steam open a glued envelope.
Add chemical dots to the paper and envelope that react to the different types of solvents used such as some of the dry cleaning solvents.
Use inks that react to heat, such as lemon juice that turns brown when heated.
Consider sending to yourself regularly a package that contains a mobile tracking device such as a cell phone, thus allowing you to follow your package from the time of mailing to the time of delivery. Come to think of it I should do that with my luggage I check with the airlines .
As always, specific recommendations for action depend upon specific fact patterns. If competitors of your business can gain a competitive advantage through surveillance of your snail mail, you’ll want to act proactively to prevent such surveillance.
Much thanks to Mark Nestmann for his help with this topic – very cool indeed.