Open Forum #51 Strengthening Cyber Resilience in Global Posts Logistics

Summary

The UPU Open Forum on Strengthening Cybersecurity for the Global Posts and Logistics Sector brought together experts to discuss the growing cyber threats facing postal services worldwide as they undergo digital transformation. Kevin Hernandez from the Universal Postal Union presented alarming findings from a survey of 52 countries, revealing that while 71% of postal services now offer digital services extending far beyond traditional mail delivery, their cybersecurity preparedness remains inadequate. The survey showed that less than two-thirds of posts have implemented basic cyber hygiene practices, with developing regions in Latin America, the Caribbean, Asia-Pacific, and Africa being particularly vulnerable.

Nigel Cassimire from the Caribbean Telecommunications Union highlighted the region’s digital transformation challenges and described their partnership with the UPU through a memorandum of understanding to enhance postal cybersecurity capabilities. Floretta Faber from Albania’s National Cyber Security Authority shared concrete examples of cyber threats, noting that over 15% of cyber attacks in Albania target postal services, primarily through domain impersonation and phishing campaigns designed to exploit public trust in postal brands. She emphasized the importance of proactive measures including staff training, early detection systems, and joint incident response protocols.

Mats Lillesund from Norwegian Post stressed the critical importance of collaboration between postal organizations and industry stakeholders, citing successful sector-specific initiatives like the Nordic financial CERT as models for information sharing. Tracy Hackshaw outlined the UPU’s comprehensive cyber resilience program, including the secure .post domain initiative and plans for a postal sector Information Sharing and Analysis Center (ISAC) to facilitate threat intelligence collaboration. The discussion concluded with recognition that securing postal services requires both technical solutions and human capacity building, as postal workers increasingly serve as the interface between citizens and digital services in an interconnected world.

Keypoints

## Major Discussion Points:

– **Current State of Postal Cybersecurity**: Kevin Hernandez presented alarming findings from a UPU survey of 52 countries, revealing that posts are rapidly expanding digital services (71% offering e-commerce, 58% digital financial services) but have poor cybersecurity implementation rates. Only basic practices like secure websites are implemented by two-thirds of posts, while critical measures like cybersecurity training and incident response plans lag significantly behind.

– **Regional Disparities in Cyber Preparedness**: The discussion highlighted stark regional differences in cybersecurity readiness, with developing regions—particularly Latin America and the Caribbean, Asia-Pacific, and Africa—showing the lowest implementation rates of cyber hygiene best practices and inadequate budget allocations despite increasing cybersecurity workloads.

– **Real-World Threat Landscape**: Floretta Faber from Albania’s National Cyber Security Authority provided concrete examples of postal sector attacks, noting that over 15% of cyber attacks in Albania target postal services through domain impersonation and phishing campaigns, demonstrating that these threats affect both developed and developing nations.

– **Collaborative Solutions and Partnerships**: Multiple panelists emphasized the critical importance of cross-sector collaboration, with examples including the CTU-UPU partnership in the Caribbean, Norway’s sector-specific CERT initiatives, and the UPU’s development of collaborative platforms like the postal ISAC (Information Sharing and Analysis Center).

– **UPU’s Cyber Resilience Program**: Tracy Hackshaw outlined comprehensive UPU initiatives including the .post secure domain infrastructure, the secure.post platform for threat detection, and plans for a global postal ISAC to facilitate secure information sharing among postal operators and their supply chain partners.

## Overall Purpose:

The discussion aimed to assess the current state of cybersecurity in the global postal and logistics sector, identify vulnerabilities and regional disparities, and explore collaborative solutions to strengthen cyber resilience as postal services increasingly become digital service hubs offering e-commerce, financial services, and e-government solutions.

## Overall Tone:

The discussion maintained a professional and urgent tone throughout, beginning with concern as alarming statistics were presented about the sector’s cyber vulnerabilities. The tone evolved to become more constructive and solution-oriented as panelists shared successful initiatives and collaborative approaches. While the gravity of the cybersecurity challenges was consistently acknowledged, the conversation remained optimistic about the potential for improvement through partnership, knowledge sharing, and the implementation of comprehensive cyber resilience programs.

Speakers

– **Mayssam Sabra** – Moderator from the DotPost Business Management Unit of the Postal Technology Center of the UPU (Universal Postal Union)

– **Kevin Hernandez** – Digital Inclusion Expert at the Universal Postal Union, works on Connect.Post project

– **Floreta Faber** – Deputy Director General and Director for International Project Coordination and Strategic Cyber Security Development at the Albanian National Cyber Security Authority

– **Nigel Cassimire** – Deputy Secretary General of the Caribbean Telecommunications Union (CTU)

– **Mats Lillesund** – Director of Governance and Communication Group Security at Postenbrink AS (Norwegian Post)

– **Tracy Hackshaw** – Head of the Dotpost Business Management Unit of the Universal Postal Union

– **Ihita Gangavarapu** – Representative of Youth IGF India, works in external threat monitoring

**Additional speakers:**

None identified beyond the speakers names list provided.

# UPU Open Forum on Strengthening Cybersecurity for the Global Posts and Logistics Sector: Discussion Report

## Executive Summary

The Universal Postal Union’s Open Forum on Strengthening Cybersecurity for the Global Posts and Logistics Sector brought together international experts to address cybersecurity challenges facing postal services as they expand their digital offerings. Moderated by Maysam Sabra from the UPU’s DotPost Business Management Unit, the forum featured presentations from the UPU, national cybersecurity authorities, postal operators, and regional telecommunications unions examining current threats and collaborative solutions.

The discussion highlighted how postal services are evolving beyond traditional mail delivery into comprehensive digital service providers, creating new cybersecurity vulnerabilities that require coordinated responses across the global postal network.

## Digital Services Survey Findings

Kevin Hernandez, Digital Inclusion Expert at the Universal Postal Union, presented findings from a survey of 52 countries revealing the extent of postal services’ digital transformation. The data showed that 71% of postal services now promote economic inclusion through e-commerce services, 58% offer digital financial services for financial inclusion, and 51% provide e-government services for social inclusion. Over one-third (34%) of postal services show signs of becoming comprehensive “one-stop shops” combining multiple inclusion services.

However, this expansion has not been matched by corresponding cybersecurity improvements. Less than two-thirds of postal services implement basic cyber hygiene practices such as secure websites, and essential security measures including cybersecurity training programmes and incident response plans lag behind service expansion. The survey revealed regional disparities, with developing regions showing lower implementation rates of cybersecurity best practices.

A significant concern identified was the budget-workload mismatch: while 70% of postal services report increased cybersecurity workloads, less than half have increased their cybersecurity budget allocations accordingly.

Hernandez also mentioned the Connect.Post project, which aims to connect all post offices to the internet, further emphasizing the digital transformation underway across the postal sector.

## Regional Perspectives

### Caribbean Telecommunications Union

Nigel Cassimire, Deputy Secretary General of the Caribbean Telecommunications Union, acknowledged that digital transformation in the Caribbean remains relatively underdeveloped. The CTU signed a memorandum of understanding with the UPU in 2023 to promote digital transformation and enhance cybersecurity capabilities across Caribbean postal services. The CTU conducts digital readiness assessments in member states to identify specific vulnerabilities and development needs.

### Albania’s National Cyber Security Authority

Floreta Faber, Deputy Director General of Albania’s National Cyber Security Authority, provided specific threat intelligence data showing over 6,500 indicators of compromise from January to March 2025, with over 15% linked to postal services. These attacks primarily involve domain impersonation and phishing campaigns exploiting public trust in postal brands.

Albania experienced significant state-sponsored cyber attacks in 2022 affecting over 1,200 e-government services, leading to comprehensive cybersecurity reforms. Faber emphasized that attacks on postal services extend beyond operational disruption to undermine public confidence in government institutions, noting that “the human layer is still the weakest link in cybersecurity attacks.”

### Norwegian Post

Mats Lillesund, Director of Governance and Communication Group Security at Norwegian Post, shared Norway’s experience with collaborative cybersecurity initiatives, highlighting the success of the Nordic Financial CERT in creating effective information-sharing mechanisms across the financial sector. He emphasized developing a culture of openness regarding security incidents, moving beyond traditional competitive secrecy to embrace collaborative defense strategies.

Norway faces similar global threats including sophisticated fraud campaigns using postal logos and computer-based attacks, but their collaborative approach has enhanced detection, response, and recovery capabilities through shared intelligence.

## UPU Cyber Resilience Programme

Tracy Hackshaw, Head of the DotPost Business Management Unit, outlined the UPU’s comprehensive cybersecurity initiatives designed to strengthen global postal cybersecurity.

### The .post Domain Initiative

The .post domain provides secure digital identity and services specifically for postal operators, offering enhanced security features and collaborative threat intelligence. The UPU has developed special funding packages for Small Island Developing States and Least Developed Countries, with QR codes provided for accessing these packages.

### Secure.post Platform

The secure.post platform offers URL checking services for suspicious links, with planned expansion to include comprehensive cybersecurity testing and learning resources. The Trust.post platform is currently live, providing accessible security tools for postal operators.

### Postal Sector Information Sharing and Analysis Center (ISAC)

The UPU is developing a postal sector ISAC to facilitate secure collaboration and threat intelligence sharing among postal operators and supply chain partners including airlines, shipping companies, delivery partners, and technology vendors. This platform will enable confidential collaboration and coordinated incident responses across the global postal ecosystem.

## Discussion and Q&A

### Human Factors and Workforce Development

During the discussion, speakers addressed the human element in cybersecurity. When asked about job creation versus replacement through digitalization, Hernandez emphasized that digitalization should focus on upskilling postal staff rather than replacing jobs, positioning postal workers as skilled digital service facilitators providing “digital services with a human touch.”

### External Threat Monitoring

Ihita Gangavarapu from Youth IGF India raised questions about balancing internal and external threat monitoring for resource-constrained organizations. The discussion highlighted the complexity of monitoring threats across diverse supply chains involving multiple stakeholders, each representing potential vulnerability points.

### Physical Infrastructure Considerations

A final question addressed the relationship between digital transformation and physical infrastructure resilience, including disaster fallback capabilities. This highlighted the need to consider both digital and physical security aspects as postal services expand their technological capabilities.

## Key Collaborative Approaches

All speakers emphasized the importance of collaboration in addressing postal cybersecurity challenges, though they proposed different models:

– Regional partnerships and assessments (CTU approach)

– National authority cooperation with postal operators (Albanian model)

– Sector-specific information sharing (Nordic Financial CERT model)

– Global collaborative platforms (UPU ISAC initiative)

These approaches are complementary, addressing various aspects of cybersecurity cooperation at national, regional, and global levels.

## Conclusion

The forum demonstrated both the scope of cybersecurity challenges facing postal services and the potential for collaborative solutions. As postal services transform into comprehensive digital service platforms, they face new vulnerabilities requiring sophisticated cybersecurity responses. The gap between service expansion and security preparedness, particularly in developing regions, represents an urgent challenge requiring immediate attention.

The collaborative frameworks outlined—from regional partnerships to global information sharing platforms—provide a foundation for coordinated action. The UPU’s cyber resilience programme, combined with national and regional initiatives, offers a multi-layered approach addressing diverse needs across the global postal network.

The discussion positioned postal cybersecurity as essential for maintaining public trust in digital services and supporting digital inclusion objectives. As postal services continue expanding their digital offerings, their security becomes increasingly critical not only for operational continuity but for broader national digital infrastructure protection.

Mayssam Sabra: Good afternoon, also good morning and good evening to our online participants who may be joining us from different time zones. Welcome and thank you for being here with us. For our UPU Open Forum on Strengthening Cybersecurity for the Global Posts and Logistics Sector. My name is Maysam Sabra from the DotPost Business Management Unit of the Postal Technology Center of the UPU and I will be your moderator for this session. Just quickly for those who may not know what is the UPU, the UPU is the Universal Postal Union, a United Nations agency dedicated to the postal sector. What we do is we mainly coordinate international postal policies and standards among our postal operators and member countries. We also assist the postal operators in the transformation of their services toward a secure digital connectivity and we help. We promote collaboration, we also help ensure an efficient and secure mail delivery worldwide. As you know, the Global Postal Network plays a critical role in facilitating trade, communication and economic development. However, as we rely more on digital technologies, we also face increasing cyber threats such as ransomware, phishing attacks, data breaches, supply chain attacks, and this is not disrupting our operations but also can compromise sensitive data, can damage reputation, and can erode the trust within consumers and businesses. So in today’s session, we aim to explore how we can strengthen our cyber security, how we can enhance the cyber resilience across the sector. We will be discussing maybe some strategies and best practices to build trust and security in the postal and logistics sector. So I am honored to share this platform with five distinguished panelists with me today. On my left, I have Mrs. Floretta Faber, the Deputy Director General and Director for International Project Coordination and Strategic Cyber Security Development at the Albanian National Cyber Security Authority, and Mr. Mats Lillesund, the Director of Governance and Communication Group Security Postenbrink AS, or Norwegian Post, and Mr. Kevin Hernandez, Digital Inclusion Expert at the Universal Postal Union. On my right, I have Mr. Nigel Cassimire, the Deputy Secretary General of the Caribbean Telecommunications Union, CTU and Mr. Tracey Hackshaw, the Head of the Dotpost Business Management Unit of the Universal Postal Union. So we have a limited amount of time. I encourage all of you please to keep your remarks concise so we can hear from all of you. And for our online participants, if you have any questions, please type them in the chat box and then we will raise it on your behalf. And now let’s kick off our discussion and I would like to start immediately with Kevin Hernandez. Kevin, you are the Digital Inclusion Expert at the Universal Postal Union and lately you have been working on a digital services report for the postal services in which you dedicated a specific section on the cyber security for posts. So maybe you could walk us through the state of cyber security in the postal sector so we can discuss further on the findings of what you will show us. Please proceed.

Kevin Hernandez: Thank you very much for the introduction, Massim. So as Massim said, my name is Kevin Hernandez. I am a Digital Inclusion Expert at the UPU where I work on a project called Connect.Post with the goal of connecting all post offices in the world to the internet and transforming them into one-stop shops for essential digital services. And for all of you interested in the project I just mentioned, I’m not going to speak about it in detail in this presentation, but I have some concept notes that I can share with you and they’re here in the front. And there’s also some at the .Post booth in the village. And although Connect.Post is not necessarily a cyber security, and I am the director of the U.S. Cyber Security Project. Ensuring that these newly connected post offices and the services that they offer are secure is one of our biggest concerns and I will explain why in this presentation. So as Massimiliano mentioned, I was recently working on a report for the UPU, which we call the Digital Panorama Report and it’s based on a survey which we did on digital services and cyber security and 52 countries responded to the survey. And the survey found that posts are offering many more digital services than we were even expecting. We thought that posts offered digital services, but we could never imagine how much. So 71, and these services go well beyond the postal sector, which is really important to highlight because posts are not just offering digital postal services, but are now also offering digital services across multiple sectors. And this is super exciting from an inclusion standpoint because there are, I don’t know if any of you know, but there are over 650,000 post offices in the world, the majority of which are located in rural areas, which are specifically the places where people are less likely to use the internet and where people are most at risk of being left behind. So digital services offered through the posts have significant potential to promote inclusion. For example, our survey found that 71% of posts are promoting economic inclusion for SMEs through e-commerce services, 58% are promoting financial inclusion through digital financial services, 51% are promoting social inclusion through e-government services, 11% are promoting universal health coverage through digital health services, and also 70% are directly contributing to bridging the digital divide and promoting digital inclusion by providing at least one digital connectivity service or solution. And going one step further, our survey also found that more than a third, So 34% of posts show signs of becoming a one-stop shop for economic, financial, social, and digital inclusion by providing all three services at once. So namely, digital financial services, e-commerce services, and e-governments all under the same roof. So this is one place where citizens can go and access all of these services. And this helps mitigate the risk of digital exclusion for less connected groups, while also helping governments achieve multiple public policy objectives related to these areas, and also the overarching leaving no one behind SDG goal. Also, we found that posts are offering these services through multiple channels. So as you would expect, the main channel that posts use to deliver digital services is a digitally equipped post office counter through interaction with postal staff. And this is, once again, this is especially useful for less connected users because they can receive help accessing a service in person that they may otherwise not be able to access on their own due to a lack of internet access, not having an adequate device, or not having the necessary digital skills to access that service on their own. However, many posts are also offering these digital services through fully digital channels, like a website or an app, while some posts are even leveraging their delivery staff to deliver these services through staff that are equipped with digital devices, like digital personal assistants, or tablets, or smartphones. And this can be especially useful for very remote communities or people whose mobility might be restricted. And it’s also important to note that in many cases, the post may only act as a physical extension of a partner’s digital service. So it’s not necessarily the case that all of these services belong to the post, but that the post is acting as a trusted partner. So, building on that, as posts begin to offer more and more digital services, they become an even more. critical infrastructure that must be secured, because they are now holding more sensitive data about customers and citizens across multiple sectors and across multiple aspects of life. And this makes the potential consequence of a disruption of a postal operator’s digital system more severe. And these disruptions would disproportionately impact people in rural areas and the elderly who rely on the post for digital services the most. This also makes the impacts of breaches, identity theft, and financial losses even more severe. And although, as I mentioned before, multi-channel service delivery is great from an inclusion perspective, it also opens up even more entry points for cyber attacks. And as a result of all this, the ability for posts to maintain trust is both more important than ever and more difficult. And it’s not just important to maintain this trust for customers or for citizens, but also, as I mentioned before, for partners. Because delivering digital financial services, e-government services, and e-commerce requires partnerships with private institutions and companies and government agencies who would be reluctant to partner with an institution that they see as insecure, especially when the digital service belongs to that institution. So at this point, you might be asking, how secure are posts across the world? Are they ready to offer these services in a secure way? And our survey found that the current state of cyber hygiene best practices within the postal sector is in need of a significant improvement. So we found suboptimal implementation rates across all cyber hygiene best practices which were surveyed. Posted websites were the only best practice implemented by at least two-thirds of posts. And only two other practices, namely secure emails, secure staff emails, sorry, and business continuity plans were implemented by at least half of posts. Meanwhile, other best practices, such as cybersecurity training, were implemented by less than half of POST. And this is extremely important given that, as mentioned before, POST are utilizing a multi-channel approach to digital service delivery, which means that the POST staff are likely to be involved in delivering these services, whether it’s at the counter of a POST office or through the delivery staff equipped with digital devices. And less than half of POST implement cybersecurity risk management plans, and only around 40% have incident response plans and crisis management plans. So this kind of paints a picture of POST that are largely unprepared and unable to adequately respond to cybersecurity threats. And the survey also found a drastic regional difference in the implementation of these best practices. I couldn’t fit all of them on this one slide, but this trend tends to hold true across all of the cyber hygiene best practices that were on the previous slide. So developing regions and POST from developing regions, and in particular three regions, Latin America and the Caribbean, Asia and the Pacific, and Africa regions, are the least likely to implement these cyber hygiene best practices. And I want to end by highlighting another scary finding from the survey. So cybersecurity budgets of POST are not keeping up with their cybersecurity workloads. So although around 70% of POST saw an increase in their cybersecurity workload in the last two years, less than half of POST reported that they increased their cybersecurity budget allocations. And POST, once again, from developing regions, and in those three regions in particular, were the least likely to increase their cybersecurity budgets in the last two years. So not only are they not well prepared from a cybersecurity standpoint, but their budgets are not keeping up with their workload. And one last thing. along with low implementation of cyber hygiene best practices and lagging budget allocations, posts are also not getting national level support responding to these cyber attacks. So only 35% of posts were affiliated with the National Information Security Incident Response Team. So as you can see, there is still a lot of work to do to secure the posts, especially as they begin to offer more digital services from multiple sectors through multiple channels. And that is it for me. I hope this presentation has helped set the stage for the discussion on cyber security and the posts. Thank you.

Mayssam Sabra: Thank you very much, Kevin, for the insightful presentation. Actually, it really indicates the urgent need for enhanced cyber resilience in some posts and in some regions. So in light of this, I would like to hear from Nigel. Nigel, as you see from the presentation of Kevin, it indicates a low percentage of cyber security being offered in some posts in the Caribbean region. So maybe now you will walk us through some slides to highlight the digital transformation in the Caribbean and the role that the STU is playing in improving the cyber resilience in the Caribbean. Please proceed, Nigel.

Nigel Cassimire: Yes, thank you. I’m Nigel Casimir from the Caribbean Telecommunications Union. I’ll be looking at our status of digital transformation in the postal industry, which is not very advanced. So I think that would be part of the reason why, sorry, Kevin’s results would have shown as he showed for Latin America and the Caribbean. Just to give a little background on the CTU, ICTU is an intergovernmental organization in the Caribbean specializing in ICT. Our members are 20 governments and, should I say, independent states and territories in the Caribbean. And we advise on ICT policy matters, and that includes things related to digital transformation, for example. Our involvement with the postal services in the member states would probably fall under our ICT policy formulation and project coordination type parts of our mandate, as shown on the screen there. So, just setting the context for the Caribbean as far as postal digital transformation is concerned. It’s happening in the more general context of our governments pursuing digital transformation generally. They’re looking at introducing e-government services, and they’ve done that in most of our member states, and also facilitating e-commerce generally to get the economies going and to help diversify their economies. Of course, the postal services has been evolving throughout the world, and the Caribbean is no different. We’ve seen traditional mail services going down, while things like courier services in support of e-commerce are going up. There is competition for the traditional postal services now. Private companies involved in the courier and delivery businesses, and logistics as well. And also, our traditional postal services have their obligations to continue. and others who continue to deal with. But in the face of all these environmental changes, there are opportunities noted for the postal services to modernize and become competitive in the markets. So really what you’ve been seeing, some of the initiatives, and a lot of them have been mentioned by Kevin already, they’ve been seeking to enhance their logistics and delivery, they’ve been trying to capitalize on that trusted nature of the postal services and being used as community hubs, delivering government services and products, facilitating access to government services for persons who may not have their own private internet connections. Some of the financial services that Kevin also mentioned, and in some cases even, they may have some facilities to help with some capacity building of the less technically savvy persons in the community. So there may be an area of a post office, especially in rural areas maybe, where the citizenry can come and get some help in maybe accessing some government services. But as the post offices try to modernize their operations and utilize the digital technologies and transform digitally, as mentioned, this comes with the attendant cyber risks and the requirements for resiliency. Now Kevin went into some of the very specific type things, but I’ll talk about the approach the CTU has been taking. Our involvement in the digital transformation and assisting our governments, of course, is more general. And the postal services is just one example. In 2022, at the ITU Plenipotentiary Conference in Romania, we had the opportunity to meet with the Universal Postal Union, and they apprised us of some of the new services that they had developed in the digital sphere. And we decided that, yes, we needed to partner with the UPU to help enhance the quality of our digital transformations in the postal services in the Caribbean. So, shortly after that then, an MOU was signed between the CTU and the UPU, and this is a picture. The initial meeting was in 2022, and this was the first half of 2023, when the Director General of the UPU signed this MOU with the Secretary General of the Caribbean Telecoms Union to cooperate in various areas. And this MOU, the focus of it was to promote the digital transformation of postal services in the Caribbean, and there were some specific things identified in there. Deployment of the UPU’s digital readiness for e-commerce assessment, that is a program whereby the UPU would come in to individual countries and do a comprehensive assessment of the state of the particular industry and the capabilities of the postal services, and make some specific recommendations in terms of how to go forward with modernization and secure digitalization of their operations. were seeking to promote the adoption of the UPU’s .post domain by our postal services. That is a secure domain that I think gels well with the trusted and would tend to preserve the trusted nature of doing business with the post offices and also implementing the UPU’s ConnectPost initiative in the region, which Kevin had mentioned. In fact, he said he works in the ConnectPost area. So since that 2023, we have had specific engagements in the Caribbean with, I think, at least three of our member states and typically with some of the larger ones, and we do have some specific recommendations now that they are implementing. Within the Caribbean, there’s a Caribbean Postal Union, which is an affiliate of the UPU, and we as CTU liaise as well with the CPU in terms of fulfilling the requirements of the MOU. So that’s kind of where we are. So we are getting the recommendations and start trying to implement the implementations from the UPU to enhance the cyber resiliency of the postal services in the Caribbean. Thank you.

Mayssam Sabra: Thank you very much, Nigel. It’s clear the focus of the CTU on cyber security through the adoption of initiatives like the .post domain or ConnectPost program. It’s absolutely vital to enhance the cyber security in the Caribbean region. Thank you very much for highlighting this. Now I would like to hear from Mrs. Floretta Faber. Floretta, you are the Deputy Director General at the Albanian National Cyber Security Authority, but you also coordinate and lead projects. on Cyber Security Strategies and Development. So, as you know today, as cyber threats evolve, how do you see these changes are impacting on cyber security strategies in our organizations? And maybe you can share with us any successful initiative or best practices from Albania that have improved cyber security in the post and logistics sector.

Floreta Faber: Thank you very much. I’m very happy to be here today and join this discussion. The Albanian National Authority on Cyber Security has been, especially in the last three years, focused on big changes in the cyber security domain in Albania. We had a strong state-sponsored cyber attack in mid-2022 all over the e-government services. Albania today has over 1,200 e-services towards its citizens. More than 95% of all the government services to citizens are given online. So, a cyber attack on all those services meaning really strong steps towards all the countries like Albania and democratization processes and transparency with the citizens. And since then, we have been taking strong reforms on cyber security and big steps forward. Part of all the transformation is the changes of law on cyber security. And we have a new one since May last year, which is according to the EU-NIST directive. And a number of sub-laws on cyber security, which still go through the model of the European best practices and the NIST directive. And we look at specific sectors on cyber security based on the criticality and the postal services. is one of this group, which we have been working specifically. The postal system has, as it was mentioned here from the studies in Albania as well, has increased its level of digitalization. And having the attacks through the postal service or using the name of the post has been really attacks of last year, over 15% of the attacks in the country, or efforts to attack the system. Out of 88 attacks we had last year, over 15% were through the postal system. And only three of them were successful cases, which the post office was dealing with and the National Authority on Cybersecurity was supporting hand to hand. We have seen specifically strong impersonating campaigns. And in 2024, the post office, according to our grouping, is with the transportation group. And almost all the attacks last year in this group were only through the post system, specifically through domain impersonification, aiming to exploit trust really in the public facing brand. The issue carries significant weight due to far reaching impact on the public trust and institutional integrity and the stability of critical infrastructures. Attacks on national post service are not isolated nor random. They have been calculated efforts to exploit institutions that serve as a fundamental touch point for millions of citizens who use the postal services and the digital services in their daily life. The impersonation of postal brand and the misuse of digital channels to spread fraudulent messages can erode confidence in public services and amplify the risk of financial and identity-related crimes. In this context, the importance of building a cyber-resilience in the postal sector goes far beyond working on the technical issues, and it becomes a matter of protecting civil trust and the continuity of essential services in the digital area, and in a time that most of the services through the post office as well are giving through the digital systems. Because these are not isolated cases, these patterns resonate globally. Maybe you have seen that in the last week, the FBI issued a new alert warning for iPhones and Android users about widespread smishing campaigns, as highlighted by Forbes and the New York Post as well. Malicious actors are leveraging the names of trusted institutions, including postal services, to decide to steal and to destabilize public trust. Our data confirmed that this was the case in Albania as well. Only from January to March 2025, we have seen that over 6,500 indicators of compromise that were found through our national search. Over 15% of them, again, were linked with the postal office. This means that the efforts to attack through the cyber systems on public infrastructure in Albania, over 15% really go to one of the critical infrastructures we have. And while the numbers remain high, we have seen promising numbers. I mentioned that last year… On the attacks we had, three of them really made some issues in the institution But this year, all the attempts, none of them has been coming to a point where there was an incident inside the post office In response to the growing threat landscape, the Albanian National Authority on Cybersecurity has taken concrete steps in partnership with the Albanian Post Office to strengthen the sector resilience These efforts include targeted cybersecurity training, implementation of early deduction system real-time monitoring of threat indicators and joint incident response simulation with the authority and the postal system We are also integrating cybersecurity requirements into the digital modernization roadmap on the national post system Our approach is not reactive, it is proactive, it is strategic, it is tailored to the unique challenges this sector face By aligning operational processes with security protocols, we aim to reduce the attack surface and enhance institutional readiness against evolving cyber threats The fact that nearly all the attacks on 2025 were smishing-based tells us something crucial that the human layer is still the weakest link in cybersecurity attacks That’s why our efforts must include not just the technical hardening, but also aware raising among citizens and postal employees So first, we have been investing heavily in capacity building and the cross-sector collaboration Cybersecurity is not a silent challenge, it requires ecosystem level resilience We have developed sector-specific early warning mechanisms and shared playbooks tailored for public services This is operators like the Post, the National CERT, which covers 7 days, 24 hours, overlooking at a number of institutions, 15 institutions, one of them is the Postal Office, because we believe that the strong efforts through this system are worth of having specifically focus on saving those systems. Second, we are working closely with postal operators to build internal cyber hygiene protocols and it’s part of all the cyber hygiene trainings that we are giving throughout the country, because since especially 2022, it was seen that it was given specific priority to the cyber security sector in the country, and only last year we had over 6000 people trained on cyber hygiene, including a specific focus on having all employees of the Postal Office, because among all the steps taken to change the cyber ecosystem in Albania and to take the steps for changing the laws, we believe it’s important to work with people and have the cyber hygiene and a new culture on cyber security in the country, and the request of people to have those training in increased numbers means that there is an awareness that people need to know more, unfortunately for bad reasons, because the attacks have been numerous and some of them have been successful on creating cyber incidents, people more and more are getting the awareness that they should know more, what they should do in order to protect themselves and the institutions they work with in cyber security. As we reflect on all the developments in the country and in the postal services, we understand that it’s important that this is a work in progress and this is something which doesn’t finish in a year or two. With the increase of the number of technologies used, with the increase of the number of attacks, with the increase of AI using on cyber attacks, it’s also important that we get prepared technically and not only on cyber security, even the postal office, and we believe that it’s very important that we have a strong bridge between people, how we get ready in changing technologies and having people prepared on facing those cyber attacks.

Mayssam Sabra: Thank you very much, Floretta, for these important highlights. The findings you indicated are very important and we hope the strategies you are developing will help your organizations become more resilient. Now I would like to move to Mr. Mats Lillesund, the Director of Governance and Security at Norwegian Post. So, Mats, as we mentioned earlier, we rely more and more on digital technologies and we also live in an increasingly connected world and the postal sector faces significant cyber threats, but sometimes we think that these threats are limited to developed countries but in reality they are also targeting big organizations and big countries. For example, we at the UPU, we have been informed of many, several cyber attacks that targeted big posts in big countries, and in today’s opening session, the speeches, most of the speeches highlighted, emphasized the collaboration part. I would like to know what is your view on the collaboration between postal organizations and industry stakeholders in enhancing cyber security in our sector and what initiatives or partnership has Norway Post taken or initiated to improve, to foster this cooperation?

Mats Lillesund: Thank you and thank you for the invitation of being here, ladies and gentlemen, I would like to address your question, it’s a big question and it’s an interesting one at that, but first off a little background about Postenbring, where I work, a Norwegian post, so we serve actually Nordic countries, so postal and logistic services, and we have approximately 14,000 employees, but our base is from Norway and Norway Post, where we have the largest market share and also an important society function, and of course it’s a global scale, as you point out, we have the same threat challenges as any other big company have in today’s threat landscape, being that our adversaries or nature-specific threats also, which I think is an important factor in today’s threat landscape, and addressing cyber resilience also. And just to point out a few of those, we have everything from from Fraud. The people in Norway, for example, is targeted for fraud, where the Posten logo and visual components are used in phishing campaigns. Two more aggressive computer attacks and vectors like that. So on the measurement side, we’re of course addressing this on various angles. We have both human and competence training, we have organizational measures, and of course a lot of technical measurements and controls in place to address this. And I think it was very interesting what Kevin and the other panelists described the different areas. I think that I recognize a lot of them, and I think that we’re always aiming to get better. I think we’re pretty good, but we’re always aiming to get better. And when it comes to cooperation, I think that’s a major factor in resolving issues. So here in Norway, I think we have a very open society, and we have a lot of openness in terms of security incidents. Companies and governments are very open, also in the media, talking about incidents. But it also means that this culture is something that you bring into your behind channels, and experts talking to experts on various issues. Some of the, I would like to emphasize, something that has grown in the financial sector in Norway, spread into something in the Nordic countries, is called financial cert, which is a very good example of how a sector cert function can work together among banks and insurance companies. Companies to leverage each other’s capacities and knowledge to address cyber issues. So I think it’s a very important aspect of both to be prepared and to discuss the issues when they arise as incidents.

Mayssam Sabra: Thank you very much. Actually it’s very important and inspiring, the cooperation you just highlighted. Thank you very much for your invaluable insights. I would move now to Tracy Hackshaw, last but not least. Tracy Hackshaw, you are the head of the post unit at the UPU and lately you have been working on some cyber resilience initiatives. So if you could please give us some details on the cyber resilience initiatives and the role of the UPU in promoting cyber resilience among the postal sector and logistics sector.

Tracy Hackshaw: Good morning, good evening, good afternoon, good night wherever you are in the world. I know time is short so I’m going to move pretty swiftly so we can get some questions in, if there are any questions already. I just wanted to make one observation. When Nigel pointed out the work we did with the CPU, the Caribbean Postal Union, just to reiterate that they were actually a dot post user. So they migrated their website from something else to cpu.post and then are running a secure email and secure hosting environment. I just wanted to make that observation. So I’m going to move pretty swiftly and show on this slide just reiterating some of the issues with attacks in the postal sector. As you can see from this slide, over the last several years we’ve had quite a number of reports, public reports of cyber attacks in the postal sector and not limited only to, as was said before, developing countries but also related to you know countries in North America and Europe and otherwise. So it’s not limited to countries which are least resourced but as Kevin’s research pointed out there’s a heavy risk or a large risk in those countries where the resources are the least deployed and therefore they could be seen as potential low-hanging fruit for cyber attackers. As we go into our initiatives, as Misa mentioned, we are implementing a series of projects at the UPU within our cyber resilience program. You would have heard mention already about the .post initiative and essentially that’s a program which looks to utilize the DNS, the domain name system, to secure what we call the edge of the network for the postal sector. So if you’re running a website, you’re running email and so on, you will be able to use a secure top-level domain which is what the UPU has, .post, that is dedicated to the postal sector and that you as the postal sector, as a post office, as a postal operator or as a postal player in the sector, meaning providing services, you’re a technology operator, you’re making envelopes, packages. you’re in the custom sector, you’re in the airline sector, you can utilize the .post domain and that’s available today via our Trust.post platform. As you can see from this slide, we’ve established a digital framework in which we look to, you know, wrap the entire sector with a series of services, including, as we just mentioned, our cyber-resilient services. Just briefly mentioning what .post brings to the table. It’s a major cyber-resilient infrastructure. Within that infrastructure, we have a series of compliance measures that relate to our overall cyber security framework and we look to implement it as a secure digital identity, that .post domain. We also are looking to deploy, as I said, services, secure email, secure hosting and other secure services. If you’re in the sector and you’re looking for secure services, please do reach out to us to see how best we can work with you to secure your online transactions and services. As I mentioned, we have a shared services platform via Trust.post. That’s live today and you can check it out as you speak right now. We also have an offer for all posts in the small island developing states category, SIDS or least developed countries. If you scan this QR code right now that you can see on screen, you can provide us with some information and we may be able to assist you with a funding package to get you up and running in your journey in digital transformation securely. We also have a project called secure.post, which we are currently rolling out. Today we are right now live only with our check URL. If you go to secure.post today, you’ll see a facility where You can test any URL that is suspicious to see if it’s been reported for scams or malware within the Global cyberspace and you can also use that same platform to report a suspicious link Potential phishing link etc. So that’s available via that platform today coming soon We’ll be rolling out an entire range of services on that platform learning Testing and also Potentially directing you to our various partners within the Secure Outposts framework I will just quickly run and show you who they are So today we’re running with just a short list of these partners who some of the top Alliances and and institutions within the cybersecurity space globally In addition to what we do in the Secure Outposts platform We also are about to implement something called an ISAC an information sharing and analysis platform and that ISAC essentially looks to provide a secure trusted platform where posts and other stakeholders within the sector can confidentially and secure securely share information and collaborate to Deal with the threat intelligence Landscape as was mentioned earlier by our colleague from Albania that intelligent that threatened landscape is Evolving on a daily basis and we encourage all posts and their stakeholders meaning in the supply chain vendors academic institutions As I said customs brokers and airlines etc to reach out to us to join us in this journey on building a global Postal ISAC. I will show you very rapidly a link in which you can reach out to us by completing this information on this form via QR code and you can express interest in joining us on this journey to implement a postal sector ISAC. I really no time is short and I apologize for being so rapid but I’m going to stop here to ensure we have some questions and maybe elaborate as a case maybe so thank you so much for listening to me and maybe hand back over to me somehow so she can facilitate any questions or comments either in the room or remotely. Thank you very much. Thank you very

Mayssam Sabra: much Tracy Hackshaw for your presentation. I believe like the cyber resilience program is essential for postal organizations to build a resilient infrastructure. So online with me actually we have eight minutes left so I’ll take a question from online from Mutu Sami. In the process of digitizing broadening and networking post offices and services is the physical non-tech infrastructure of the post offices and jobs expanded to suit the technological expansion. Also while postal services become digital the post office can become a fallback hub in extraordinary situations of disruption in digital infrastructure. Has the design of post modernization considered these possibilities and needs? Who would you like to answer the question?

Kevin Hernandez: That question had two parts. I guess I can go with the first part and from my understanding that the question was trying to get at whether this might the digitalization of the post replaces jobs in some way and I would say Not really. Actually, what’s happening is the post is now offering more services. But the problem is that these that the people who work at post offices need to be upskilled. Because in the past, they might not have been working on so many digital platforms at once, or they might not have been working on any digital platform at all. So they need to be upskilled, not just on how to use the digital technology, which is which is one thing, but then also on how to use these specific platforms and then also how to ensure that they’re doing it in a secure way. So you need basic digital literacy training, and then you’re going to also need digital training on the specific platforms that are used for each type of service because it might be the case that the e commerce platform is different from the digital government platform, which is different from the digital financial service platform. So they need to learn how to use all of them. And then on top of that, they need cyber hygiene training to ensure that you know, they’re not opening themselves up for some some cyber attacks. I have but just one last thing, we’re trying to really position the post as a place where you can access digital services with a human touch. Because I think that’s the key. And that’s the role that the postal sector can play is it’s a place where you can get help accessing a digital service. That’s that’s the unique value proposition of the post. So it is key. I mean, we need a postal staff. Yeah. Yeah, just just supplement what Kevin was saying. In fact, in terms of the question, I understood a little bit differently. And I see the questioner did put an additional comment that his implication was that it had the opportunity to create more jobs, right? And in addition to up scaling and so on. The other part of his question related to use of the postal infrastructure in in as a kind of a disaster fallback situation, it is something that could possibly

Mayssam Sabra: Thank you, Nigel and Kevin. I’ll take now a question from the audience. Please go ahead. Am I audible? Yes.

Ihita Gangavarapu: Okay, perfect. Hi everyone. Thank you so much for your insights. I’m Ahita. I’m representing the Youth IGF India. So I come from the, I work in the space of external threat monitoring. And when you talk about logistics and posts, that’s something that it’s an industry that we come across but not so often. So in terms of catering to a bunch of clientele, right. So I, my question is that when we are tracking a lot of these threats that could be your phishing kits that are impersonating the postal services or leaked credentials or you mentioned compromise third party vendors. These are all external threats. So when the focus, usually what we see in the industry is that the focus is on internal threats or having solutions that are monitoring all the internal possibilities of vulnerabilities. So I just want to understand how does and could be directed to Tracy Hackshaw because you mentioned post ISAC, that how is it positioned to shift that balance from bringing more attention to external risks and external threats, especially in regions which have very limited visibility or other resources to focus on external in addition to internal threats that are there in the space.

Tracy Hackshaw: Thank you very much. Very good question. That’s exactly what I think the ISAC is trying to do. So I’m not sure if I was able to convey the message clearly, but it’s focused on collaboration between all of the stakeholders in the sector. So the thinking is, I mean, just to give an example, if we are onboarding the post offices, let’s say all 1992 postal operators, the idea is that we will also onboard the supply chain for those who serve them. and it’s a very diverse and extensive supply chain including right up to the delivery partners, airlines, shipping companies, the whole thing. All of those external entities are essentially risk factors to the entire sector because they’re not only potentially targets by cyber attackers, but as you mentioned, the software that runs this environment which can be shared, you know, you’re sending messages between parties. So just to share with you and my colleague from the post may want to elaborate, when you scan a barcode, that message goes everywhere. So when you’re tracking and tracing, it’s going through a network and at every point in that network, there’s a potential failure and it’s a potential way of getting that attack, you know, literally speaking. So the ISAC is designed to identify those stakeholders and bring them together. I won’t say for the first time, but certainly in a way that would allow the information to be shared literally and for collaboration to begin happening so that it wouldn’t be seen only as an internal risk, but also identifying that the external risks and we deal with it from that standpoint. So I hope that will be the first and major time that that happens in the sector to get this done effectively. Thank you.

Mayssam Sabra: Okay, thank you very much. With this, we come to the end of our session. It was short, but I hope it was inspiring and insightful for all of you. I would like to thank my panelists for being with us today. I would like to thank the online participants. And if you would like to continue conversations or discuss further, please visit us at the UPUsecure.post booth. We will be happy to continue conversations. Thank you once again for your participation. Thank you.

Agreement points

Postal services are expanding beyond traditional mail to become multi-sector digital service providers

Speakers

– Kevin Hernandez
– Nigel Cassimire
– Floreta Faber

Arguments

Posts are offering extensive digital services beyond traditional postal operations, with 71% promoting economic inclusion through e-commerce and 58% offering digital financial services

Digital transformation in Caribbean postal services is not very advanced, contributing to lower cybersecurity implementation rates in the region

Albania experienced significant state-sponsored cyber attacks in 2022 affecting over 1,200 e-government services, leading to major cybersecurity reforms

Summary

All speakers acknowledge that postal services are transforming from traditional mail delivery to comprehensive digital service providers offering e-commerce, financial services, and e-government services, though at different stages of development across regions

Topics

Development | Infrastructure | Economic

Cyber threats targeting postal services are a global phenomenon affecting both developed and developing countries

Speakers

– Mayssam Sabra
– Mats Lillesund
– Floreta Faber
– Tracy Hackshaw

Arguments

Cyber threats are not limited to developing countries but also target large organizations and posts in developed nations, requiring global attention and collaboration

Norway faces similar global threat challenges including fraud campaigns using postal logos and more aggressive computer attacks

Over 15% of cyber attacks in Albania target the postal system, primarily through domain impersonation and phishing campaigns exploiting public trust

The postal supply chain involves diverse stakeholders including airlines, shipping companies, and delivery partners, all representing potential risk factors requiring collaborative security approaches

Summary

All speakers recognize that cyber threats against postal services are universal, affecting organizations regardless of their development level or geographic location, with attackers commonly exploiting trusted postal brands

Topics

Cybersecurity | Infrastructure | Cybercrime

International collaboration and partnerships are essential for strengthening postal cybersecurity

Speakers

– Nigel Cassimire
– Mats Lillesund
– Tracy Hackshaw
– Mayssam Sabra

Arguments

The Caribbean Telecommunications Union signed an MOU with UPU in 2023 to promote digital transformation and cybersecurity in Caribbean postal services

Norway has developed a culture of openness regarding security incidents, with sector-specific cooperation models like Financial CERT demonstrating effective collaboration

A postal sector Information Sharing and Analysis Center (ISAC) is being developed to enable secure collaboration and threat intelligence sharing among posts and stakeholders

Cyber threats are not limited to developing countries but also target large organizations and posts in developed nations, requiring global attention and collaboration

Summary

All speakers emphasize the critical importance of collaborative approaches, whether through formal MOUs, sector-specific cooperation models, or information sharing platforms, to address cybersecurity challenges effectively

Topics

Cybersecurity | Development | Infrastructure

Human factors and training are crucial components of postal cybersecurity

Speakers

– Kevin Hernandez
– Floreta Faber

Arguments

Digitalization requires upskilling postal staff in digital literacy, platform-specific training, and cyber hygiene practices rather than replacing jobs

The human layer remains the weakest link in cybersecurity, requiring both technical hardening and awareness raising among citizens and postal employees

Summary

Both speakers agree that addressing human vulnerabilities through comprehensive training and awareness programs is essential for postal cybersecurity, requiring investment in staff development and public education

Topics

Cybersecurity | Capacity development | Sociocultural

Similar viewpoints

Both speakers view postal services as critical infrastructure for digital inclusion, particularly for underserved populations, and emphasize the need for secure, accessible digital solutions tailored to resource-constrained environments

Speakers

– Kevin Hernandez
– Tracy Hackshaw

Arguments

Posts can serve as human-touch access points for digital services, particularly valuable for less connected users in rural areas

The .post domain initiative provides secure digital identity and services for postal operators, with special funding packages available for small island developing states and least developed countries

Topics

Development | Infrastructure | Cybersecurity

Both speakers identify significant regional disparities in cybersecurity preparedness, with developing regions facing the greatest challenges and requiring targeted support and intervention

Speakers

– Kevin Hernandez
– Mayssam Sabra

Arguments

Developing regions, particularly Latin America and the Caribbean, Asia Pacific, and Africa, show the lowest implementation rates of cybersecurity best practices

There is an urgent need for enhanced cyber resilience in postal services, particularly in certain regions like the Caribbean where cybersecurity implementation rates are low

Topics

Cybersecurity | Development

Both speakers advocate for proactive, collaborative approaches to cybersecurity that involve real-time monitoring, information sharing, and coordinated response mechanisms between postal operators and cybersecurity authorities

Speakers

– Floreta Faber
– Tracy Hackshaw

Arguments

Albania has implemented joint incident response simulations and real-time monitoring partnerships between the National Cybersecurity Authority and Albanian Post Office

A postal sector Information Sharing and Analysis Center (ISAC) is being developed to enable secure collaboration and threat intelligence sharing among posts and stakeholders

Topics

Cybersecurity | Infrastructure

Unexpected consensus

Postal services as digital inclusion facilitators rather than traditional mail providers

Speakers

– Kevin Hernandez
– Nigel Cassimire
– Tracy Hackshaw

Arguments

Posts can serve as human-touch access points for digital services, particularly valuable for less connected users in rural areas

Digital transformation in Caribbean postal services is not very advanced, contributing to lower cybersecurity implementation rates in the region

The .post domain initiative provides secure digital identity and services for postal operators, with special funding packages available for small island developing states and least developed countries

Explanation

There was unexpected consensus that postal services should be viewed primarily as digital inclusion facilitators rather than traditional mail providers. This represents a fundamental shift in how postal services are conceptualized, with all speakers agreeing on their potential role in bridging digital divides and serving as trusted intermediaries for digital services delivery

Topics

Development | Infrastructure | Sociocultural

Budget-workload mismatch as a critical systemic issue

Speakers

– Kevin Hernandez
– Floreta Faber

Arguments

Cybersecurity budgets are not keeping pace with increased workloads, with less than half of posts increasing budget allocations despite 70% experiencing higher cybersecurity demands

Albania has implemented joint incident response simulations and real-time monitoring partnerships between the National Cybersecurity Authority and Albanian Post Office

Explanation

There was unexpected consensus on the critical nature of the budget-workload mismatch in postal cybersecurity. While this might seem like an obvious operational challenge, the speakers’ agreement on its systemic importance and the need for strategic resource allocation represents a sophisticated understanding of cybersecurity as requiring sustained investment rather than ad-hoc responses

Topics

Cybersecurity | Economic | Development

Overall assessment

Summary

The speakers demonstrated strong consensus on the fundamental transformation of postal services from traditional mail providers to comprehensive digital service platforms, the global nature of cyber threats, the critical importance of international collaboration, and the need for human-centered approaches to cybersecurity. There was also agreement on regional disparities in cybersecurity preparedness and the importance of proactive, collaborative security measures.

Consensus level

High level of consensus with significant implications for the postal sector. The agreement suggests a shared understanding of the sector’s evolution and challenges, which could facilitate coordinated global action. The consensus on digital inclusion roles, collaborative security approaches, and the need for capacity building provides a strong foundation for developing unified strategies and standards across the global postal network. This alignment is particularly significant given the diverse geographic and developmental contexts represented by the speakers.

Different viewpoints

Approach to addressing human factors in cybersecurity

Speakers

– Floreta Faber
– Kevin Hernandez

Arguments

The human layer remains the weakest link in cybersecurity, requiring both technical hardening and awareness raising among citizens and postal employees

Digitalization requires upskilling postal staff in digital literacy, platform-specific training, and cyber hygiene practices rather than replacing jobs

Summary

Floreta emphasizes that humans are the weakest cybersecurity link requiring broad awareness campaigns for both employees and citizens, while Kevin focuses specifically on upskilling postal staff for digital service delivery without addressing broader public awareness needs

Topics

Cybersecurity | Capacity development

Unexpected differences

Scope of stakeholder inclusion in cybersecurity initiatives

Speakers

– Tracy Hackshaw
– Ihita Gangavarapu

Arguments

The postal supply chain involves diverse stakeholders including airlines, shipping companies, and delivery partners, all representing potential risk factors requiring collaborative security approaches

External threats including phishing kits impersonating postal services and compromised third-party vendors require attention beyond internal security measures

Explanation

While both recognize external threats, Tracy focuses on including supply chain partners in collaborative security frameworks, while Ihita questions whether the focus should shift from internal to external threat monitoring, representing different philosophical approaches to threat management

Topics

Cybersecurity | Infrastructure

Overall assessment

Summary

The discussion showed remarkable consensus on the fundamental challenges facing postal cybersecurity, with disagreements primarily centered on implementation approaches rather than core problems. Speakers agreed on the need for improved cybersecurity, the importance of collaboration, and the global nature of threats, but differed on specific methodologies and scope of solutions.

Disagreement level

Low to moderate disagreement level with high strategic alignment. The disagreements were constructive and complementary rather than conflicting, suggesting that different approaches could be implemented simultaneously or in different contexts. This consensus-building discussion indicates strong potential for coordinated action in postal cybersecurity, with various stakeholders contributing different but compatible solutions to address the sector’s cybersecurity challenges.

Partial agreements

Similar viewpoints

Both speakers view postal services as critical infrastructure for digital inclusion, particularly for underserved populations, and emphasize the need for secure, accessible digital solutions tailored to resource-constrained environments

Speakers

– Kevin Hernandez
– Tracy Hackshaw

Arguments

Posts can serve as human-touch access points for digital services, particularly valuable for less connected users in rural areas

The .post domain initiative provides secure digital identity and services for postal operators, with special funding packages available for small island developing states and least developed countries

Topics

Development | Infrastructure | Cybersecurity

Both speakers identify significant regional disparities in cybersecurity preparedness, with developing regions facing the greatest challenges and requiring targeted support and intervention

Speakers

– Kevin Hernandez
– Mayssam Sabra

Arguments

Developing regions, particularly Latin America and the Caribbean, Asia Pacific, and Africa, show the lowest implementation rates of cybersecurity best practices

There is an urgent need for enhanced cyber resilience in postal services, particularly in certain regions like the Caribbean where cybersecurity implementation rates are low

Topics

Cybersecurity | Development

Both speakers advocate for proactive, collaborative approaches to cybersecurity that involve real-time monitoring, information sharing, and coordinated response mechanisms between postal operators and cybersecurity authorities

Speakers

– Floreta Faber
– Tracy Hackshaw

Arguments

Albania has implemented joint incident response simulations and real-time monitoring partnerships between the National Cybersecurity Authority and Albanian Post Office

A postal sector Information Sharing and Analysis Center (ISAC) is being developed to enable secure collaboration and threat intelligence sharing among posts and stakeholders

Topics

Cybersecurity | Infrastructure

Key takeaways

The postal sector faces significant cybersecurity challenges with only basic practices like secure websites implemented by two-thirds of posts globally

Developing regions (Latin America/Caribbean, Asia Pacific, Africa) show the lowest cybersecurity implementation rates and are most vulnerable to attacks

Posts are rapidly expanding digital services beyond traditional mail, offering e-commerce, digital financial services, and e-government services, creating new attack vectors

Cybersecurity budgets are not keeping pace with increased workloads – less than half of posts increased budgets despite 70% experiencing higher cybersecurity demands

Human factors remain the weakest link in cybersecurity, requiring both technical solutions and comprehensive awareness training for staff and citizens

Collaboration between postal operators, national authorities, and international organizations is essential for effective cybersecurity resilience

Posts serve as critical infrastructure and trusted community hubs, making them attractive targets for cybercriminals seeking to exploit public trust

Resolutions and action items

UPU to continue rolling out the .post domain initiative to provide secure digital identity for postal operators

Implementation of the postal sector Information Sharing and Analysis Center (ISAC) to enable secure threat intelligence sharing

Expansion of the secure.post platform to include comprehensive cybersecurity testing and learning resources

Caribbean Telecommunications Union to continue implementing UPU digital readiness assessments in member states through their 2023 MOU

Albania to continue joint incident response simulations and real-time monitoring partnerships between national cybersecurity authority and postal services

UPU to provide special funding packages for small island developing states and least developed countries to support secure digital transformation

Continued upskilling of postal staff in digital literacy, platform-specific training, and cyber hygiene practices

Unresolved issues

How to effectively balance internal versus external threat monitoring with limited resources in developing regions

Specific mechanisms for scaling cybersecurity budget allocations to match increasing workloads across all postal operators

Detailed implementation timelines for the postal ISAC and how to ensure participation from diverse stakeholders across the supply chain

Standardization of cybersecurity practices across different regional postal unions and national postal operators

Integration of physical infrastructure resilience with digital transformation initiatives

Specific metrics and benchmarks for measuring cybersecurity improvement across the global postal network

Suggested compromises

Posts positioned as human-touch access points for digital services rather than fully automated systems, balancing efficiency with accessibility for less connected users

Phased implementation of cybersecurity measures starting with basic practices before advancing to more sophisticated solutions

Shared responsibility model where UPU provides frameworks and tools while national authorities and postal operators adapt them to local contexts

Collaborative funding approaches combining international support with national budget allocations for cybersecurity improvements

Posts are offering many more digital services than we were even expecting… 71% of posts are promoting economic inclusion for SMEs through e-commerce services, 58% are promoting financial inclusion through digital financial services, 51% are promoting social inclusion through e-government services… More than a third (34%) of posts show signs of becoming a one-stop shop for economic, financial, social, and digital inclusion.

Speaker

Kevin Hernandez

Reason

This comment fundamentally reframed the discussion by revealing that postal services have evolved far beyond traditional mail delivery into comprehensive digital service hubs. It challenged the conventional understanding of what postal services do and highlighted their critical role in digital inclusion, especially for underserved populations.

Impact

This insight set the foundation for the entire discussion by establishing the stakes – if posts are now critical digital infrastructure serving multiple sectors, their cybersecurity becomes exponentially more important. It shifted the conversation from viewing postal cybersecurity as a niche concern to recognizing it as a matter of national digital infrastructure security.

As posts begin to offer more and more digital services, they become an even more critical infrastructure that must be secured, because they are now holding more sensitive data about customers and citizens across multiple sectors… These disruptions would disproportionately impact people in rural areas and the elderly who rely on the post for digital services the most.

Speaker

Kevin Hernandez

Reason

This comment was particularly insightful because it connected cybersecurity vulnerabilities to social equity issues. It demonstrated that postal cybersecurity isn’t just a technical problem but a social justice issue, as attacks would disproportionately harm the most vulnerable populations.

Impact

This observation elevated the urgency of the discussion and provided a compelling rationale for why postal cybersecurity deserves priority attention and resources. It helped other panelists frame their responses around the human impact of cyber threats.

Only 35% of posts were affiliated with the National Information Security Incident Response Team… cybersecurity budgets of posts are not keeping up with their cybersecurity workloads… less than half of posts reported that they increased their cybersecurity budget allocations.

Speaker

Kevin Hernandez

Reason

This stark revelation exposed a critical gap between the expanding digital responsibilities of postal services and their cybersecurity preparedness. It highlighted systemic underinvestment and lack of integration with national cybersecurity frameworks.

Impact

This data point created a sense of urgency that permeated the rest of the discussion. It prompted other panelists to share specific examples of how their regions/countries were addressing these gaps, turning the conversation toward concrete solutions and partnerships.

Out of 88 attacks we had last year, over 15% were through the postal system… The impersonation of postal brand and the misuse of digital channels to spread fraudulent messages can erode confidence in public services and amplify the risk of financial and identity-related crimes.

Speaker

Floretta Faber

Reason

This comment provided concrete evidence of the threat landscape with specific statistics, demonstrating that postal services are actively being targeted. More importantly, it highlighted how attacks on postal services undermine broader public trust in government institutions.

Impact

This real-world data validated Kevin’s theoretical framework with actual attack statistics, lending credibility to the urgency of the issue. It also introduced the concept that postal cybersecurity is tied to institutional trust and democratic governance, broadening the discussion’s scope.

The human layer is still the weakest link in cybersecurity attacks. That’s why our efforts must include not just the technical hardening, but also awareness raising among citizens and postal employees.

Speaker

Floretta Faber

Reason

This insight shifted focus from purely technical solutions to the human element of cybersecurity. It recognized that even the best technical defenses can be undermined by human error or lack of awareness, particularly relevant given posts’ multi-channel service delivery involving staff interaction.

Impact

This comment redirected the conversation toward training and capacity building as essential components of postal cybersecurity. It influenced subsequent speakers to discuss collaboration and knowledge sharing as key strategies.

We’re trying to really position the post as a place where you can access digital services with a human touch… That’s the unique value proposition of the post… it’s a place where you can get help accessing a digital service.

Speaker

Kevin Hernandez

Reason

This comment articulated a clear vision for the future role of postal services in the digital economy, emphasizing their unique position as trusted intermediaries that can bridge the digital divide through human-assisted digital service delivery.

Impact

This vision statement helped crystallize the discussion around why postal cybersecurity matters strategically. It provided a framework for understanding posts not as declining institutions but as evolving digital inclusion platforms that require protection.

Overall assessment

These key comments fundamentally transformed what could have been a narrow technical discussion about postal cybersecurity into a comprehensive examination of digital equity, institutional trust, and national infrastructure security. Kevin Hernandez’s opening presentation established the surprising scope of postal digital transformation and its implications, creating a foundation that elevated the entire discussion. Floretta Faber’s concrete examples from Albania provided real-world validation and introduced the critical connection between cybersecurity and public trust. Together, these insights shifted the conversation from viewing postal cybersecurity as a sector-specific concern to recognizing it as a cross-cutting issue affecting social inclusion, democratic governance, and national resilience. The comments created a compelling narrative arc: posts have become critical digital infrastructure (Kevin), they are actively under attack (Floretta), and protecting them requires both technical and human-centered approaches (multiple speakers). This framing influenced all subsequent contributions and positioned the UPU’s cybersecurity initiatives as essential infrastructure protection rather than optional enhancements.

How can posts effectively upskill their staff to handle multiple digital platforms while maintaining cybersecurity hygiene?

Speaker

Kevin Hernandez

Explanation

Kevin highlighted that postal staff need training on basic digital literacy, specific platforms for different services (e-commerce, e-government, digital financial services), and cyber hygiene practices, but the specific methodologies and best practices for this comprehensive training approach need further exploration.

What are the specific technical requirements and implementation strategies for posts in Small Island Developing States (SIDS) and Least Developed Countries (LDCs) to adopt secure digital infrastructure?

Speaker

Tracy Hackshaw

Explanation

Tracy mentioned funding packages available for SIDS and LDCs but the detailed technical requirements, implementation roadmaps, and success metrics for these countries need further research and documentation.

How can the postal sector effectively balance internal versus external threat monitoring, especially in resource-constrained regions?

Speaker

Ihita Gangavarapu (audience member)

Explanation

The question highlighted a gap in understanding how postal organizations can shift focus to include external threats (phishing kits, leaked credentials, compromised third-party vendors) in addition to internal vulnerabilities, particularly in regions with limited resources.

What are the specific mechanisms and protocols for information sharing within the proposed postal sector ISAC?

Speaker

Tracy Hackshaw

Explanation

While Tracy introduced the concept of a postal ISAC for secure information sharing, the detailed operational framework, governance structure, and specific protocols for confidential collaboration need further development and research.

How can post offices serve as disaster recovery and fallback infrastructure during digital disruptions?

Speaker

Mutu Sami (online participant)

Explanation

The question raised the important consideration of whether postal modernization design accounts for post offices serving as backup hubs during extraordinary digital infrastructure disruptions, which requires further research into disaster recovery planning.

What are the most effective sector-specific early warning mechanisms for postal services?

Speaker

Floreta Faber

Explanation

Floreta mentioned developing sector-specific early warning mechanisms but the detailed technical specifications, implementation strategies, and effectiveness metrics of these systems need further research and documentation.

How can the financial sector CERT model be adapted and implemented for the postal and logistics sector?

Speaker

Mats Lillesund

Explanation

Mats highlighted the success of financial CERT cooperation in Nordic countries as a model, but the specific adaptation requirements, governance structures, and implementation strategies for the postal sector need further exploration.

What are the long-term sustainability models for cybersecurity budget allocation in postal organizations, particularly in developing regions?

Speaker

Kevin Hernandez

Explanation

Kevin’s research showed that cybersecurity budgets are not keeping up with workloads, especially in developing regions, but sustainable funding models and budget allocation strategies need further research and development.