September 11 2001 was a massive wake-up call to the United States and the rest of the free world that the spectre of terrorism is never far from our doorsteps. As is the case with many events of that nature, it’s ripples spread far and wide throughout the business community. Who can forget those chilling television images from America, for example, wherein white-suited specialists were sent in to inspect envelopes faithfully delivered by the United States Postal Service prior to warnings from terror groups that they contained anthrax spores?
It’s not just the terrorist threat that security managers must guard against. Animal rights activists, disgruntled shareholders, anti-abortion campaigners, members of the anti-hunting and environmental lobbies… They – and others of their ilk – are all on the list of direct action groups that make it difficult for security professionals to determine where the next attack will come from.
One of the simplest methods of attack has been parcels and letters containing substances or explosive devices, both of the genuine and hoax variety. Razor blades in letters, chemical powders in envelopes and small incendiary devices housed in seemingly harmless packages are favoured by protest groups.
In this day and age, then, there are several fundamental questions to be asked. How resilient is your company’s postal reception area? What are the likely consequences of a harmful package finding its way into the centre of your organisation? Could the business survive the evacuation of the building while the threat is neutralised (an occurrence which, in the case of a chemical or biological attack, could well take days to resolve)?
The Post Room is central to all building security schemes, and all manner of threats can enter the premises through the internal ‘sorting office’. Generally speaking, the risk levels will vary from business to business, although a general guideline would be something along the lines of the following:
It’s worth security managers remembering that, where a courier-delivered parcel is involved, the risk is greatly increased as impersonating a motorcycle courier is a relatively simple task. That’s why couriers are no longer allowed access to many buildings.
The Duty of Care
There is a high Duty of Care to the Post Room staff, who may well find themselves contaminated or suffer from injury as a result of suspect packages. Staff should, of course, be correctly trained, but the degree of training necessary is difficult to quantify without an actual incident having taken place (by which time any failure in procedure may be all-too-late for the personnel concerned). Employees receiving post in the office may be trained to look out for suspect letters, but will usually place total reliance on the Post Room staff to block any dangerous mail at the outset.
The risk to the business of a suspect package being found is no doubt documented, and all (foreseen) precautions will have been taken. Procedures should be continually reviewed to meet the evolving company standards and threats to the organisation.
If a package or letter which passes by the Post Room is then identified as a threat after it has landed on someone’s desk, this will (with the exception of ‘sharps’ such as razor blades) require the building to be evacuated. In the event of a powder being found, a test must be carried out before staff are allowed back into the building. Losses to the company – not to mention the shock and trauma experienced by members of staff – may be considerable.
The most effective way of testing Post Room performance is by carrying out an actual event (ie sending a harmless but allegedly suspect package to a company Director). Although it would be ideal to send the test package via Royal Mail, unfortunately this service is in such a state of disarray that the package may well be delivered to the wrong address. Conversely, it might be discovered at one of the Royal Mail’s sorting offices, which may bring about the temporary closure of the mail network. Instead, you should make an arrangement with a local courier firm, and time the delivery to coincide with that from the Royal Mail.
It’s obviously a requirement to discuss the proposed test with senior management, and agree on the type of package or letter most suitable for the test. It’s usually a good idea to assemble a selection of various types used in previous attacks and present them for review.
An envelope full of ‘powder’ and a video tape device should offer ample opportunity for staff to be ‘tested’.
A typical test would be as follows: 9.30 am: Royal Mail delivery effected. 9.32 am: Deliver the suspect package/letter by courier. The progress of the package through goods inwards and the Post Room is to be monitored by the site security manager and the incident manager. If – as is to be hoped – the package is found within the Post Room, then the staff are to be congratulated. The exercise is then repeated in three months’ time using a different type of package.
However, if the staff in the Post Room fail to identify the suspect package, and it’s subsequently distributed within the building to the addressee, a thorough review of your Post Room’s working practices must be undertaken as a matter of urgency.
Testing Post Room procedures
As part of the test, the current Code of Practice for operating Post Rooms should be reviewed, and staff actions measured against its contents. The Post Room’s construction – and its associated electronic security installation – must also be reviewed to assess suitability and identify any obvious weaknesses.
What of the measures to be taken? Contain any contamination within the Post Room or directly outside. All venting should be directly through external walls. All air gaps must be sealed, while air conditioning systems serving the space should be stand-alone and capable of negative air pressure to the rest of the building. In addition, no ducts or pipework should be routed through the space.
In terms of physical construction, the Post Room walls should be formed of concrete blocks from slab to slab. Doors must be of a robust construction. All must have air seals. In an ideal world, the number of doorways must be kept to a minimum (in truth, there should be only one).
No false ceilings are permissible, while floors ought to be covered with sealed vinyl. Avoid carpets at all costs. Both the walls and the ceiling should be painted with oil-based gloss paint. Fire exits must be through an external wall.
All access to the Post Room must be controlled by electronic access systems. The installation of a dedicated CCTV system means that you can monitor and record the Post Room operatives’ actions clearly, particularly during the lead up to – and during – any security-related event. On evacuation, the surveillance system will greatly assist the emergency services in making certain decisions. Decisions which could be crucial in saving lives.
One last point or two… Is the incident manager on your site fully-trained? Are there deputy managers in place to cover during times of absence? Is the company’s Major Incident Plan available to staff and, every bit as importantly, are its contents fully understood? Make sure the answer to all of these questions is: “Yes”. Otherwise, your company may be in for something of a rude awakening.
