Every company is vigilant in preparing for and staying aware of the many cybersecurity risks in the modern world, and will undoubtedly have a variety of measures in place to protect against online attacks. Unfortunately, some attack vectors are less well-known or expected because they combine the physical and the digital. One example is physical mail, which can contain digital devices that pose a threat to cyber security.
This merger of physical mail threats with cybersecurity attacks poses a big risk to office buildings and corporate infrastructure. Known as “phygital” (a portmanteau of “physical” and “digital”) or “warshipping” threats, these aggressions involve hackers sending Wi-Fi cards or cellular-enabled mini computers through the mail, which can gain access to a company’s network while sitting inside the facility.
Companies should make it a priority to educate themselves and take steps to protect against these attacks, regardless of size. This is especially true considering that the median cost of a cyberattack for businesses increased by 80% between 2021 to 2022.
Let’s take a look at some of the different types of mail security threats businesses can face, why they are so serious, and how businesses can protect themselves.
New cybersecurity threats in the mail
Again, phygital threats are the intersection of physical and digital cyberthreats. Rather than a purely digital threat, in which a malicious actor might attempt to hack your network remotely, a phygital incident involves a physical object in proximity to your servers, network systems, or other essential digital infrastructure. That object may be a miniature computer like a Raspberry Pi, or it could be a basic WiFi card with some type of cellular connection and power supply.
The goal of a phygital attack is to establish a connection on-site locally, rather than at a distance. The phygital device can easily scan for and exploit open ports on the network within a short range.
The risk of a phygital threat is even more present now due to the increase in hybrid work. Consider a business that has transitioned to half or more of the workers coming into the office once or twice a week yet receive all of their packages and mail at their workplace instead of their homes. Those packages could sit in a mailroom or on a desk for days, even weeks, and if any package should contain a phygital device, chances are that it will go undetected. This presents a very real cybersecurity risk to your company.
Not to mention, with the surge in technology layoffs, there is the risk of threats from former employees seeking revenge. The act of sending a phygital hacking device through the mail costs very little, making it an attractive option for anyone who might want to hurt your company with a ransomware attack or by leaking important data.
If your systems get taken hostage by a ransomware attack, you will likely lose productivity or have to pay to gain reentry to your infrastructure and data. Thankfully, there are things you can do to mitigate the risk.
Addressing the mail security gap
There are several best-practice steps and precautions that organizations can take to catch mail threats at the door.
First, one of the top measures mail security leaders recommend is basic visual screening of every incoming mail item. The majority of businesses accept mail into the building without question, and those items may sit for weeks before being opened. Mailroom personnel need to be able to identify suspicious packages quickly. For example, if a package has no return address, or has been sent to the wrong address, those are signs of a suspicious package and warrant further scrutiny and inspection.
Second, mail security leaders are increasingly relying on technologies like X-ray and T-ray scanning. X-ray scanning can catch larger electronics or other large threats, but employees require special training to read the static 2D images, and since X-ray radiation is harmful, operating these machines requires additional certification, licensing, and training. Plus, X-ray can’t reliably detect certain threats like small quantities of liquids and powders.
By contrast, T-ray scanning allows personnel to effectively scan for threats with minimal training. T-ray technology can identify smaller electronics or electronic components with ease, along with many other types of purely physical threats such as powders and liquids, that can go undetected with X-ray. In addition, T-ray scanners are safe to operate and provide a live 3D video of the contents concealed inside the mail – without opening the package.
Third, if you don’t have an expert in-house who can safely review a potential threat, there are ways of calling upon third-party providers for their expertise on an as-needed basis.
People from industries like law enforcement, the military, and USPIS have particular skills in identifying mail-borne threats. Companies should form relationships with such experts for guidance on how to identify suspicious packages, how to remediate, and future steps to take to prevent these threats from happening in the future.
The bottom line
With the increasing prevalence of both mail and cyber threats each year and the growth of phygital technologies, companies need to step up their game when it comes to mail security.
Hopefully you now have a better view of what kinds of threats your business may face so you can respond more effectively. The productivity, security, and future of your company may depend on it.
Written by: Will Plummer, military veteran and Chief Security Officer at RaySecur
Will is 25-year veteran of the US Army, where he earned a Bronze Star with Valor as a Master Explosive Ordnance Disposal (EOD) Technician, and commanded multiple Special Operations units with multiple combat deployments. He has an MA from the Naval War College and a BA from the University of California at Chico. Currently, Will is the Chief Security Officer for next-generation mail screening technology provider RaySecur. He leads the company’s physical security efforts, overseeing a team of EOD professionals, and managing clients’ threat mitigation efforts. visit: https://www.raysecur.com
See more articles on: RAYSECURSource: raysecur.com