How .POST powered services build Cyber Resilience within the global Postal and Logistics Sector

Summary

This UPU (Universal Postal Union) session focused on strengthening cyber resilience in the postal and logistics sector, bringing together experts from various organizations to discuss current challenges and solutions. The discussion was moderated by Mayssam Sabra and featured panelists from the UPU, Caribbean Telecommunications Union, Post Italiane, and Albania’s National Cyber Security Authority.

Kevin Hernandez presented alarming findings from a UPU survey of 152 countries, revealing that while postal operators are increasingly offering digital services across multiple sectors including e-commerce, financial services, and e-government, their cybersecurity preparedness is severely lacking. The survey found that only encrypted websites were implemented by two-thirds of posts, with most other cybersecurity best practices adopted by less than half of operators. Particularly concerning was that 70% of posts experienced increased cybersecurity workloads, but less than half received additional budget allocations to address these challenges.

Massimiliano Aschi outlined the Post-ISAC (Information Sharing and Analysis Center) initiative, designed to address the unique cybersecurity needs of postal operators who now manage diverse business models spanning logistics, banking, telecommunications, and e-commerce. This initiative aims to create a collaborative platform for sharing threat intelligence and best practices among postal operators globally.

Nigel Cassimire discussed the Caribbean perspective, highlighting the region’s digital transformation efforts and the recent MOU between the Caribbean Telecommunications Union and UPU to enhance postal cybersecurity through assessments and the adoption of secure .post domains. Esmeralda Kazia shared Albania’s comprehensive approach to cybersecurity, including new legislation aligned with EU NIS2 Directive and the designation of Albanian Post as critical infrastructure, while noting that 83% of transport sector cyber attacks targeted postal services.

Tracy Hackshaw concluded by presenting UPU’s suite of cybersecurity solutions, including the secure .post domain, shared services platform, and upcoming cybersecurity awareness portal, emphasizing the organization’s commitment to building a trusted digital infrastructure for the global postal sector.

Keypoints

## Major Discussion Points:

– **Current State of Postal Cybersecurity**: Kevin Hernandez presented alarming survey findings from 152 countries showing that postal operators are expanding digital services across multiple sectors (e-commerce, financial services, e-government) but have inadequate cybersecurity measures, with only encrypted websites implemented by two-thirds of posts and most other security practices adopted by less than half.

– **Post-ISAC Initiative**: Massimiliano Aschi outlined the vision for a specialized Information Sharing and Analysis Center (ISAC) for the postal sector, designed to address the unique multi-business nature of postal operators and create a collaborative platform for sharing threat intelligence, best practices, and coordinated cyber defense strategies.

– **Regional Cybersecurity Challenges and Solutions**: Multiple speakers addressed regional disparities, with Nigel Cassimire discussing Caribbean initiatives through CTU-UPU collaboration, and Esmeralda Kazia sharing Albania’s comprehensive national cybersecurity framework and specific challenges faced by Albanian Post, including 83% of transport sector cyber attacks targeting postal services.

– **UPU’s Comprehensive Cyber Resilience Framework**: Tracy Hackshaw presented the UPU’s suite of cybersecurity solutions including the secure .post domain, shared services platform, cybersecurity awareness portal, and partnerships with global security organizations, emphasizing the creation of a trusted digital infrastructure for the postal sector.

– **Critical Infrastructure Vulnerability**: The discussion highlighted how postal services have evolved into critical digital infrastructure handling sensitive data across multiple sectors, making them attractive targets for cybercriminals while serving as essential access points for digital services, particularly in rural and underserved communities.

## Overall Purpose:

The discussion aimed to address the urgent need for enhanced cybersecurity in the global postal sector as postal operators transition from traditional mail services to comprehensive digital service providers. The session sought to present current challenges, share successful initiatives, and promote collaborative solutions through UPU’s cyber resilience framework and international partnerships.

## Overall Tone:

The discussion maintained a professional and urgent tone throughout, with speakers consistently emphasizing the critical nature of cybersecurity challenges facing the postal sector. The tone was collaborative and solution-oriented, with participants sharing both concerning statistics and practical initiatives. While the data presented was “scary” (as noted by speakers), the overall atmosphere remained constructive and forward-looking, focusing on concrete steps and partnerships to address identified vulnerabilities. The session concluded on a positive note with calls for continued collaboration and available resources for underserved postal operators.

Speakers

– **Mayssam Sabra** – Moderator, Universal Postal Union (UPU)

– **Kevin Hernandez** – Digital Inclusion Expert, Universal Postal Union (UPU), works on Connect.Post project

– **Tracy Hackshaw** – Head of the Dotpost business unit, Universal Postal Union (UPU)

– **Massimiliano Aschi** – Senior IT Security Specialist and Dotpost Group Chair, Post Italiane

– **Esmeralda Kazia** – Director of Monitoring and Incident Response Operations Centers (SOC, CSIRT), National Cyber Security Authority in Albania

– **Nigel Cassimire** – Deputy Secretary General, Caribbean Telecommunications Union (CTU)

– **Audience** – Various audience members asking questions during the session

**Additional speakers:**

None – all speakers identified in the transcript were included in the provided speakers names list.

# Strengthening Cyber Resilience in the Postal and Logistics Sector: A Comprehensive Discussion Report

## Executive Summary

This Universal Postal Union (UPU) session brought together cybersecurity experts from across the postal and telecommunications sectors to address the urgent need for enhanced cyber resilience in global postal operations. Moderated by Mayssam Sabra from the UPU, the discussion featured insights from Kevin Hernandez (UPU Connect.Post project), Tracy Hackshaw (Head of Dotpost business unit), Massimiliano Aschi (Senior IT Security Specialist, Post Italiane), Esmeralda Kazia (Director of SOC/CSIRT, Albania’s National Cyber Security Authority), and Nigel Cassimire (Deputy Secretary General, Caribbean Telecommunications Union).

The session revealed a critical transformation in the postal sector, with operators evolving from traditional mail services to comprehensive digital service providers handling e-commerce, financial services, and e-government operations. This expansion has created significant cybersecurity vulnerabilities, particularly affecting developing regions. The discussion presented concrete solutions through the UPU’s cyber resilience framework, the innovative Post-ISAC initiative, and regional cooperation models.

## Digital Transformation and Cybersecurity Gaps: Survey Findings

Kevin Hernandez presented findings from a UPU survey covering 152 countries, revealing the extent of digital transformation within the postal sector and corresponding cybersecurity challenges. The data showed that postal operators have expanded far beyond traditional services, with 34% showing signs of becoming comprehensive digital service hubs.

“Posts are offering many more digital services than we were expecting. And these services go well beyond the postal sector… posts are not just offering digital postal services but are also now offering digital services across multiple sectors,” Hernandez explained. These operators now provide digital financial services, e-commerce platforms, and e-government services, fundamentally transforming their role as critical infrastructure.

The cybersecurity preparedness data revealed concerning gaps. Only two-thirds of postal operators have implemented encrypted websites, while most other cybersecurity best practices are adopted by fewer than half of operators. The situation is particularly challenging in developing regions, with Latin America and the Caribbean, Asia Pacific, and Africa showing lower implementation rates.

A critical resource problem emerged: nearly 70% of postal operators experienced increased cybersecurity workloads, yet fewer than half received additional budget allocations. Perhaps most concerning, only 35% of postal operators maintain affiliations with National Information Security Incident Response Teams, leaving them isolated during cyber incidents despite their critical infrastructure status.

## Post-ISAC Initiative: Federated Cybersecurity Collaboration

Massimiliano Aschi outlined the innovative Post-ISAC (Information Sharing and Analysis Center) initiative, designed specifically for postal operators’ unique multi-sector nature. “While conventional ISACs are often confined to specific sectors, post-ISAC distinguishes itself by its ability to adapt to the highly diverse nature of postal operators,” Aschi explained.

The initiative operates as a federated environment promoting local collaboration while maintaining global connectivity under strict confidentiality protocols. This structure allows customization based on regional needs while maintaining global standards. The pilot programme has attracted 40 parties expressing participation intentions, with ongoing recruitment through hello@trust.post.

The Post-ISAC provides strategic guidance tailored to postal operators’ unique position as multi-sector service providers, addressing the sophisticated, cross-border nature of modern cyber threats through collaborative threat intelligence sharing and coordinated defense strategies.

## Regional Perspectives and Experiences

### Caribbean Digital Transformation

Nigel Cassimire highlighted the Caribbean region’s approach to postal cybersecurity through the Caribbean Telecommunications Union. Economic pressures are driving postal digitalization as “traditional mail, basically, those services are way down in terms of volume and revenue. Courier service-type things are up.”

The region has leveraged postal networks’ trusted nature for government service delivery, with governments increasingly using postal infrastructure to distribute e-services. A significant development was the March 2023 MOU between the Caribbean Telecommunications Union and the UPU, following their meeting at the ITU Plenipotentiary in Bucharest in 2022.

The partnership includes digital readiness assessments, with three completed in Jamaica, Barbados, and Trinidad and Tobago, and adoption of secure .post domains across the region. Cassimire noted potential for knowledge sharing among Small Island Developing States globally through existing networks.

### Albania’s National Approach

Esmeralda Kazia presented Albania’s comprehensive approach, demonstrating national-level coordination for postal cybersecurity. Albania has implemented extensive cybersecurity legislation aligned with the EU NIS2 Directive through Law No. 25-2024, establishing robust critical infrastructure protection.

The Albanian experience provides stark evidence of postal service targeting: in 2024, out of 18 cyber attack attempts in the transport sector, 15 targeted Albanian Post, representing 83.3% of transport-related threats. Albania operates 24/7 National SOC operations and has designated Albanian Post as critical infrastructure.

The country has invested heavily in cybersecurity awareness, training 6,505 individuals in 2024 (3,942 women, 2,563 men) and an additional 2,537 in the first half of 2025. Albania has also blocked over 50 malicious domains associated with postal scams and identified an international postal scam campaign beginning in January 2022 that continues today.

## UPU’s Comprehensive Cyber Resilience Framework

Tracy Hackshaw presented the UPU’s suite of cybersecurity solutions designed to create trusted digital infrastructure for the global postal sector.

### Secure .post Domain Initiative

The .post top-level domain serves as a cornerstone of UPU’s cybersecurity strategy, requiring strict registration requirements and implementing robust security protocols including DNSSEC, DMARC, DKIM, SPF, and SSL. This creates a trusted namespace specifically for postal services, enhancing public confidence in postal digital offerings.

### Shared Services Platform

The UPU offers comprehensive shared services providing secure email, hosting, and e-commerce services linked to the .post domain. This platform allows smaller postal operators to access enterprise-level security capabilities without significant individual investment, addressing resource constraints identified in the survey data.

### Cybersecurity Awareness Portal

The secure.post portal serves as a comprehensive resource for cybersecurity tools, training, and capacity building. Currently offering a “check my link” service, the portal addresses knowledge and skills gaps across the postal sector by providing accessible training materials and practical guidance.

### Strategic Partnerships and Support

The UPU has established partnerships with major cybersecurity organizations including APWG, Global Anti-Scam Alliance, Global Cyber Alliance, GFCE, ICANN, Internet Society, ITU, and FIRST. Starter packages for Small Island Developing States and Least Developed Countries are immediately available through a QR code application process demonstrated during the session.

## Discussion Themes and Outcomes

Participants generally agreed on several key points: the urgent need for sector-wide cybersecurity improvements, recognition of postal services as critical digital infrastructure serving multiple sectors, and the necessity for enhanced support to developing regions facing greater challenges.

A question from a South African participant about postal regulators’ roles in enforcing cybersecurity standards highlighted ongoing governance framework gaps. Kevin Hernandez briefly noted this varies by country, with Tracy deferring detailed response, indicating this remains an area requiring further development.

## Concrete Next Steps and Action Items

The discussion concluded with several specific commitments:

### UPU Congressional Proposal

The UPU will propose a comprehensive cyber resilience initiative at the upcoming Congress, seeking sector-wide mandate and resources for sustained implementation.

### Post-ISAC Implementation

The Post-ISAC pilot programme proceeds with 40 interested parties, with continued recruitment through hello@trust.post for organizations seeking to participate in this federated cybersecurity collaboration.

### Immediate Support Availability

UPU starter packages for Small Island Developing States and Least Developed Countries are immediately accessible through the QR code application process, providing immediate relief for vulnerable postal operators.

### Regional Knowledge Sharing

The Caribbean Telecommunications Union committed to sharing cybersecurity advances with SIDS affiliates globally through existing networks, extending successful regional initiatives.

## Conclusion

This discussion revealed both the concerning cybersecurity challenges facing the transformed postal sector and promising solutions through coordinated international action. The evolution of postal services into critical digital infrastructure serving multiple sectors creates vulnerabilities requiring immediate attention, particularly in developing regions where resource constraints are most severe.

The UPU’s comprehensive framework, combined with innovative initiatives like Post-ISAC and regional cooperation models, provides practical pathways for addressing these challenges. The combination of immediate support for vulnerable operators, capacity building through shared resources, and long-term structural improvements through international cooperation offers a balanced approach to enhancing global postal cybersecurity.

Success will depend on sustained commitment to the collaborative approaches demonstrated in this discussion, adequate funding for proposed initiatives, and continued development of governance frameworks that recognize postal services’ evolved role in digital infrastructure. The sector’s transformation from traditional mail delivery to comprehensive digital service provision makes cybersecurity not just an operational concern but essential for maintaining public trust in critical infrastructure serving multiple sectors globally.

Mayssam Sabra: Good morning everyone, also good afternoon and good evening for our online participants who may be joining us from different time zones. Welcome and thank you for joining us today for our UPU session on strengthening cyber resilience for the postal and logistics sector. My name is Maysam Sabra and I’m glad to be moderating this session. Maybe to give a quick overview for those who may not know the UPU, the UPU is the Universal Postal Union, a United Nations agency dedicated to the postal sector and our headquarters are in Bern, here in Switzerland. What we mainly do is we coordinate international postal policies and standards among our member countries. We also help the postal operators in the transformation of their services towards secure digital connectivity. We also promote collaboration and digital innovation in the postal sector to make sure that everyone is included. As we gather this week and today here for the WSIS Plus 20, it’s important to note that the UPU has been involved from the start as a co-facilitator for WSIS Action Line C7, which focuses on e-business and in this role, the UPU plays a crucial part by encouraging the cooperation among governments, international organizations and the private sector to support e-business models, especially in developing countries. But also as we speak about e-business and online services, it’s also important to protect our systems and helps organizations be more resilient and have secure and safe online presence. So this session will explore how we can strengthen together the cyber resilience of our organizations and ensure that our systems are safe and secure. So I’m happy to share this platform today with five distinguished panelists. I have two of them with me here on site. On my right, I have Mr. Tracy Hackshaw, the head of the Dotpost business unit from the Universal Postal Union and on my left, I have Mr. Nigel Cassimire, the head of the Deputy Secretary General of the Caribbean Telecommunications Union or CTU and online. And with us, we have Mr. Massimiliano Eschi, Senior IT Security Specialist and Dotpost Group Chair from Post Italiane and Dr. Esmeralda Kazia, Director of Monitoring and Incident Response Operations Centers, SOC, CSIRT from the National Cyber Security Authority in Albania and Mr. Kevin Hernandez, the Digital Inclusion Expert from the Universal Postal Union. Of course, we wish everyone could be here with us, but we believe that your online participation will be valuable as well. So we have a short session, now less than 16 minutes. Let’s be very concise on our interventions and I would like to kick off our discussion immediately and I go to Kevin, who is online with us. Kevin, do you hear us?

Kevin Hernandez: Yes, can you hear me?

Mayssam Sabra: Yes. So Kevin, I would like to start by discussing your recent work on a digital services report which includes a focus on the state of cyber security in the postal sector. Could you please share an overview of your findings?

Kevin Hernandez: Great. Can you see my screen?

Mayssam Sabra: Yes. Okay, perfect.

Kevin Hernandez: Thank you very much, Mayssam. So hello everyone. So as Mayssam said, my name is Kevin Hernandez and I am a Digital Inclusion Expert at the Universal Postal Union where I work on a project called Connect.Post with the goal of helping bridge the digital divide by connecting all post offices to the internet and transforming them into one-stop shops for essential digital services. And although Connect.Post is not necessarily a cyber security project, ensuring that these newly connected post offices and that the services that they offer are secure is one of our biggest concerns and I will explain why in this presentation. So the UPU recently conducted a survey on digital services and cyber security and posts from 152 countries responded and the survey found that posts are offering many more digital services than we were expecting. And these services go well beyond the postal sector which is important to highlight. So posts are not just offering digital postal services but are also now offering digital services across multiple sectors. And this is super exciting from an inclusion standpoint because there are over 650,000 post offices across the world, a majority of them are located in rural areas which are specifically the places where people are less likely to use the internet and where people are more at risk of being left behind. So digital services offered at posts have significant potential to improve inclusion. For example, we found that 71% of posts are promoting economic and digital inclusion through offering e-commerce services, 58% are promoting financial and digital inclusion through digital financial services and 51% are promoting social and digital inclusion through e-government services and also 70% are directly contributing to bridging the digital divide by promoting at least one digital connectivity service or solution. And going one step further, our survey also found that 34% of posts are showing signs of becoming a one-stop shop for economic, financial, social and digital inclusion by providing digital financial services, e-commerce services and e-government services all under the same roof. And this helps mitigate the risk of digital exclusion once again for less connected groups while also helping governments achieve multiple public policy objectives related to these areas and leaving no one behind. But taking things even a step further, we also found that posts are offering these services through multiple channels and as you would expect, the main channel that post offices use to deliver these services is a digitally equipped post office counter through interaction with postal staff and this is especially beneficial for less connected users because they can receive help in accessing a service in person that they may otherwise be unable to access on their own due to a lack of internet access, devices or digital skills. However, many posts are also offering these services through fully digital channels like a website or an app while some posts are even leveraging their postal delivery staff to deliver these services through staff equipped, delivery staff equipped with digital devices and this can be especially beneficial for very remote communities or people whose mobility is restricted and it is important to note that in many cases, the post may also act as a physical extension for a partner’s digital services. So it’s not necessarily the case that these digital services all belong to the post and this is important and I’ll come back to this later. As posts offer more digital services, they are becoming a more critical infrastructure because they hold more sensitive data about customers and about citizens across multiple sectors and this makes the potential consequence of a disruption of a postal operator’s digital systems more severe and these disruptions would disproportionately impact people in rural areas and the elderly who rely on the post for digital services the most and this also makes the impacts of breaches, identity theft and financial losses even more severe and although this multi-channel service delivery approach that I was mentioning is great from an inclusion perspective, it also opens up more entry points for cyber attacks and as a result of all this, the ability for posts to maintain trust is both more important than ever but also more difficult and it’s not just important to maintain this trust for customers or citizens but also for partners because delivering digital financial services, e-government services and e-commerce services requires partnerships with private companies and government agencies who would otherwise be reluctant to partner with an institution that they see as unsecure especially when the digital services belong to them. So at this point, you might be asking how secure are posts across the world? Are they ready to offer these services in a secure way? So our survey found that the current state of cyber hygiene best practices within the postal sector is in need of significant improvements. So we found some optimal implementation rates across all cyber hygiene best practices that we surveyed but encrypted websites were the only best practice implemented by at least two-thirds of posts and only two other practices specifically secure staff emails and business continuity plans were being implemented by more than half of posts. Meanwhile, the other best practices as well as a number of other organizations such as cybersecurity training were implemented by less than half, which is extremely important given that, as mentioned before, posts are utilizing a multi-channel approach to digital service delivery, and this means that the postal staff are likely to be involved in delivering these services, whether at the counter or to the delivery staff, and less than half are implementing cybersecurity risk management plans, and only around 40% have incident response plans and crisis management plans. So this is painting a picture of posts that are largely unprepared and unable to adequately respond to cybersecurity threats, and their survey also found very drastic regional differences in the implementation of these best practices, and I couldn’t fit them all on this slide, but this trend tends to hold true across the cyber hygiene best practices that I showed on the previous slide. So developing regions, and in particular three regions, or posts from these regions, from Latin America and the Caribbean, Asia and the Pacific, and Africa regions, are less likely to implement these cyber hygiene best practices, and I want to end with highlighting another scary finding from our survey. So cybersecurity budgets of posts are not keeping up with their increased workload. So almost 70% of posts saw an increase in cybersecurity workload in the last two years, however, less than half of posts reported additional cybersecurity budget allocations to match it. And posts from developing regions were the least likely, once again, to increase their cybersecurity budgets in the last two years, with the posts from these three regions, once again, being the least likely to do so. And one last thing, along with low implementation of cyber hygiene best practices and lagging budget allocations, posts are not getting national level support responding to cyber attacks. Only 35% of posts are affiliated with the National Information Security Incident Response Team. So as you can see, there is still a lot of work to do to secure posts, especially as they begin to offer more digital services from multiple sectors through multiple channels. And that’s it for me. I hope that this presentation has helped set the stage for the rest of the discussion on cybersecurity of posts. Thank you so much.

Mayssam Sabra: Thank you very much, Kevin. Definitely it helped set the stage and it gave us a good understanding about the current cybersecurity state in the postal sector. Thank you for your presentation. Now I would like to hear from Massimiliano. Thank you for joining us. Do you hear me? Yes, we’re fine. Okay. Massimiliano, the presentation of Kevin highlighted that the cybersecurity situation is concerning and needs to be improved. Since you are involved in the UPU cyber resilience initiatives such as the .post-ISAC initiative and in your role as the .post group chair representing Post Italiane, how do you envision post-ISAC addressing the specific cybersecurity challenges faced by the postal sector? And what role can it play to enhancing the overall cyber resilience for our connected ecosystem?

Massimiliano Aschi: Thank you, Mayssam, for your question. First of all, good morning, everyone. The data Kevin presented are really scary and also interesting at the same time. So today I would like to share our vision on post-ISAC and how it stands apart from traditional ISACs. While conventional ISACs are often confined to specific sectors, post-ISAC distinguishes itself by its ability to adapt to the highly diverse nature of postal operators. As Kevin described in detail in the previous speech, it is a rather complex ecosystem that now extends well beyond traditional postal services to include logistics, e-commerce, banking, financial services, insurance, and telecommunications. Post-ISAC aims to serve as a reference point for both public and private multi-business operators, each managing different business models and facing a wide variety of cyber threats. The uneven development of digital services and cyber resilience capabilities, combined with generally low levels of awareness and skills, all of this calls for a coordinated and structured effort to bridge these gaps and to strengthen the sector as a whole. The objective is to make it more robust, resilient, and prepared to face increasingly sophisticated cyber attacks. Postal operators form a highly interconnected and synergic network. Therefore, it is essential to adopt a systemic approach to cybersecurity. In this context, post-ISAC can be a real game-changer, becoming a center of expertise and support in the fight against cyber threats. Postal operators often handle high-value services, informational assets, and intellectual property, making it critical to ensure their confidentiality, integrity, and availability, especially in a time of growing geopolitical instability and cyber aggression. Post-ISAC aims to become a hub for knowledge sharing, a strategic guidance center for cyber resilience, and a tactical community where professionals with common challenges can quickly find practical solutions, shared experiences, and effective risk mitigation tools. It will also serve as an engine for developing advanced capabilities to understand and counter threats, promoting resilience that is real, sustainable, and not merely symbolic. The goal is not only to restore operations after an incident, but to prevent and withstand extreme conditions, including operational stress and situational darkness, minimizing the impact of potentially devastating cyber attacks. Post-ISAC is building a strategy based on mutual trust within a federated and domain-structured environment. Designed to encourage local collaboration while remaining connected to global resources and communication channels. All of this will be developed in a context of maximum confidentiality and security, aligned with the interests of businesses, institutions, and the citizens we serve. Particular attention will be given to the initiative’s financial sustainability and the promotion of win-win collaboration models, where strengthening one part of the value chain becomes a shared investment with clear benefits for all the stakeholders. Post-ISAC aspires to be a one-of-a-kind initiative with real, tangible potential. Its success will depend on the credibility we are able to build, and on our collective commitment to transparency, integrity, and continuity. Only through this effort can we establish a solid, aware, and resilient community, united in the fight against cyber threats. Thank you very much.

Mayssam Sabra: Thank you very much, Massimiliano, for your insightful remarks on Post-ISAC. And our colleague Tracy will be complimenting on what you just started during his presentation with further details. And thank you for your ongoing support. Thank you, Massimiliano. Now I would like to turn to Nigel Cassimire. Nigel, also the cybersecurity in the Caribbean is also concerning and alarming. So we have observed a low percentage of cybersecurity services being offered in some posts in the Caribbean region. So what are your thoughts on this, and what role can the CTU play in enhancing the cyber resilience in the Caribbean postal sector?

Nigel Cassimire: Yes, thank you. Thank you for the question, Mayssam. I can give a Caribbean perspective on this. I’m with the Caribbean Telecommunications Union, and basically we are an intergovernmental organization in the Caribbean that advises our member governments on ICT policies generally. We haven’t had a lot of interface traditionally with the postal services, but there have been some recent developments that I’ll go through quickly. The CTU basically handles five different areas of operation. Harmonizing policy formulas, in the Caribbean, capacity development, coordinating regional projects representing the Caribbean, for example, at a forum like this. And we also serve an industry watch function. The context in the Caribbean with respect to postal services is that we are seeing the post offices modernizing and digitizing, like Kevin mentioned and found in the survey. The context in which that is happening, though, is that Caribbean governments are generally pursuing a digital transformation of their governments, of their countries, and so on. So we are seeing e-government services coming into play. We are seeing e-commerce, like Kevin said, and that has impacted, actually, the postal market as well. The traditional mail, basically, those services are way down in terms of volume and revenue. Courier service-type things are up. We have competition in courier services and delivery services and logistics. And we are seeing our post offices also competing in that space. So in the context of governments wanting and pursuing digital transformation, the post offices have opportunities as well to modernize and digitize. With respect to some specific things that we are seeing, and I can draw a couple of examples, enhancing logistics and delivery services, and a very important thing Kevin mentioned is that the post offices are a trusted network. They are traditional, and people know they can go to the post office and get certain services. And what we are seeing is that governments are leveraging that to help distribute their various government e-services and products. It helps to facilitate access to government services and digitizing financial services as well. A couple of examples I can think of off the top of my head, we are seeing post offices with delivery services, with online tracking and so on, being able to compete, basically, in that space effectively. We are seeing them acting as channels for government ministries and even embassies to facilitate visa processing for government ministries. We’re seeing things like you can go to the post office and pay a traffic fine, you pay a traffic ticket, you can apply for a birth certificate, you can have it delivered there, and things like that. And given that the post offices are in the rural areas as well, it’s a great convenience for those who are living in remote areas. And we are seeing them offering services online as well, online payments and so on. So as was mentioned, it really increases the potential for cyber incidents to take place. So it’s incumbent upon the postal operators to be aware of these attendant cyber risks and design their services for resiliency. Now, as I mentioned, the CTU hasn’t been traditionally dealing with postal services, but in 2022, actually, at the ITU Plenipotentiary Conference in Bucharest, we had the opportunity to meet with the UPU. And the UPU apprised us of the various modernization and digitalization thrusts going on in the postal sector. We weren’t aware at the time, and in fact, we realized then that there were opportunities for us to work with the UPU to enhance the quality of our postal services in the Caribbean. So what happened was that in Bucharest was in 2022 at the plenipotentiary, and by March of 2023, we had an MOU signed between the Caribbean Telecommunications Union and the UPU to work together to promote digital transformation and postal services in the Caribbean. This is actually a picture of our CTU Secretary General on the left, Mr. Rodney Taylor, and Mr. Masahiko Mitoki of the UPU on a trip that the Secretary General made to Switzerland, not just to do that, but that was part of his itinerary to sign that MOU. What this MOU, as I said, seeks to do very specifically is promote and carry out deployment of the UPU’s digital readiness for e-commerce assessments in the Caribbean. Kevin didn’t mention some statistics that showed we were lagging in terms of cyber hygiene. So this program of the UPU’s is an assessment of individual national postal services to see where shortcomings exist and make recommendations for improvements. The adoption of UPU’s sponsored .post top-level domain is just a secure domain and a trusted domain for postal services, and also implementation of the UPU’s connect.post initiative, which Kevin is a key in. Just to mention that in the Caribbean, there is a regional postal organization, the Caribbean Postal Union, also affiliated with the UPU, and I forget exactly how many members they have. It’s 20-something, I believe. And the CTU is also working with the CPU, also under the rubric of that MOU with the UPU. And they have adopted .post. I’m sorry? And they have adopted .post. Oh, right. They have adopted .post. But there are other postal services in the Caribbean that have not yet adopted .post. And CTU’s headquarters is based in Trinidad and Tobago, and they are still .net. As I say, yes, the TT Post, Trinidad and Tobago Post, is still a .net domain. So there are still some ways to go. And I should mention as well that three of the assessments have been, at least three of the assessments have been completed with the UPU in the Caribbean. I think it’s Jamaica, Barbados, Trinidad and Tobago, for sure. And those have resulted in reports and recommendations to those national postal organizations. So Maysam, that gives you an idea of where we are at, and it’s good news to the extent that things are progressing to improve cyber hygiene in the Caribbean.

Mayssam Sabra: Thank you very much, Nigel. Thank you. This was very important to know the achievements of the CTU and the activities that are going on in terms of your collaboration with the UPU or with the adoption of the .post domain or connect .post. Thank you. I would like to invite Esmeralda, who is joining us online. Esmeralda, given the rapidly evolving cyber threats landscape, what strategies is the National Cyber Security Authority in Albania implementing to enhance the incident response capabilities and ensure an effective monitoring of cyber threats, especially in critical industries like postal and logistics sectors? And how can the cooperation or collaboration among other stakeholders contribute to enhance the national or to bolster the national cyber resilience, cyber security resilience in Albania?

Esmeralda Kazia: Thank you. Thank you, dear Mayssam. Distinguished Delegates, Partners and Global Colleagues, first of all, it’s an honor and a responsibility to address you today on behalf of the Republic of Albania and the National Cyber Security Authority, an institution at the forefront of our country’s digital transformation and defense. In a world where digital trust has become the backbone of every transaction, every connection and every public service, postal and logistic systems stand as critical enablers of connectivity, commerce and citizen engagement. Yet, these very systems are increasingly vulnerable. And so our message is simply but urgent. Trust in digital infrastructure, especially in the postal sectors, must not be seen as an afterthought. It must be designed, defended and delivered. So today, I will share with you Albania’s experience. experienced lessons and vision in transforming cybersecurity from a niche concern into a national priority. So, this includes the protection of one of our most essential yet frequently overlooked sectors, the postal system, which we have officially designed as critical information infrastructure. Our journey is one of reform, investment, collaboration, and resolve. So, let me walk you through the steps we have taken, the gaps that persist, and the partnerships we now seek as we aim to build a secure, inclusive, and digitally sovereign Albania in line with European values and global standards. So, over the past year, Albania has taken bold and forward-thinking steps to build a secure digital ecosystem. In 2024, we adopted a new cybersecurity law, Law No. 25-2024, fully aligned with the European Union NIS2 Directive. This legislative framework redefined the scope of national cyber defense by classifying critical and important information infrastructures, including the Albanian Post, requiring mandatory risk assessments and incident reporting, empowering the National Cyber Security Authority of Albania to coordinate incident response and oversee compliance. In parallel, Albania launched its National Cybersecurity Strategy 2025-2030, focused on prevention, protection, education, and resilience. So, for the first time, a national risk assessment methodology has been developed and applied to CIIs, creating a unified and transparent baseline for cybersecurity posture across government and critical sectors. At the heart of our operational framework stands the National Security Operations Center, National SOC, a state-of-the-art facility operating 24-7, ensuring real-time monitoring, detection, and coordinated response across the national digital space. From April to December 2024, the SOC detected 83 cyber attack attempts and 32 confirmed cyber incidents. In the first half of 2025, from January to June, we recorded 44 attack attempts and 42 confirmed cyber incidents. So, each alert represents more than just a technical anomaly. It is a threat to public trust, to service continuity, and to national stability. Let me now bring attention to a sector that often remains underrepresented in cybersecurity conversations – the postal system. Albania currently has one state-owned postal operator, the Albanian Post, and 22 licensed private postal companies. So, as the Albanian Post is officially recognized as a critical information infrastructure, it is vital for last-mile citizen services, document authentication, and financial operations, and cross-border trade. And yet, this very infrastructure has been a primary target for cyber attacks. In 2024, out of 18 total cyber attacks attempts recorded in the transport sector, 15 were directed at the Albanian Post, that is, 83.3% of all transport-related threats. We registered three confirmed incidents of domain impersonation, attempting to deceive citizens through fake websites or email campaigns. In the first quarter of 2025, we observed nine new phishing, smishing attempts targeting the Albanian Post. No major breach occurred, but the volume and the frequency continued to rise. So, the threats are not only domestic. Albania was among the first countries in the region to identify and respond to an international postal scam campaign that began in January 2022 and continues to this day. However, in Albania, this was the first time such a campaign was observed at a national scale. During the first half of 2025, NCSA and partners blocked over 50 malicious domains associated with the scam. In one case, a postal member of the postal operator fell victim to a phishing attack. Thanks to SOC alerting and automated response protocols, the incident was contained immediately with minimal operational impact. So, cyber resilience begins with people. In 2024, NCSA and its partners trained 6,505 individuals, 3,942 women and 2,563 men. From January to June 2025, another 2,537 were trained. These numbers reflect our national commitment to include digital security and equitable workforce development. Despite improvements, the Albanian Post faces three major areas of vulnerability. Technological gaps like outdated core systems and lack of EDR tools, weak encryption standards, insufficient endpoint protection, process gaps, no automated alerting for impersonation, absence of full crisis response plan, and from human factor gaps, limited phishing awareness training and scarcity of in-house cybersecurity professionals. While no attack has yet caused nationwide disruption, the risks are real and growing. Albanian Post is a high-volume, public-facing infrastructure with millions of transactions annually, and every citizen impacted is a reminder of the need to act proactively, not proactively. So, as Albania advances toward deeper digitalization and EU integration, we know that security must grow at the same pace as innovation. Therefore, we call on our international partners to support the technological modernization of the postal infrastructure, to facilitate cross-border intelligence sharing against scam campaigns, to help us create a dedicated postal resilience program under the Post framework aligned with the EU Cyber Solidarity Act, and to reinforce regional partnerships for simulation, training, and crisis response. Our mission is clear – to safeguard the trust of our citizens in every interaction, physical or digital, and Albanian Post must stand as a symbol of that trust. Together, let us build a postal and logistics system that is not only fast and efficient, but resilient, secure, and future-ready. So, thank you. Albania is ready to partner, protect, and progress.

Mayssam Sabra: Thank you very much, Esmeralda, for this detailed overview, and well done on your achievements in the cybersecurity area to protect your systems in Albania. This is really great. Thank you once again. Now, last but not least, I would like to invite Tracy, Tracy Heckshaw, to give us an overview about the UPU, Cyber Resilience Initiatives, and the role that the UPU is playing to enhancing the cybersecurity of the postal sector. Over to you, Tracy. Thank you very much, Mayssam. So, as was said earlier, there are quite a series of initiatives that the UPU is currently engaged in. You would have heard earlier from Massimiliano about the Post-ISAC, but there are quite a few other initiatives that we have deployed to sort of complement that. And I’ll just go through a few of them since time is against us, I’ll quickly run through a few of the, let’s go straight to them directly here. So on this slide, as you can see, we are, we have a suite of services, of solutions, of initiatives that are directed towards the postal sector, and by that I mean not just the designated operators, but also the wider postal sector players, the private sector, the academic community, and others. The first one, as you would have heard earlier, is our .post domain, our secure top-level domain, and what we do utilizing the .post domain is deliver secure digital identity to the sector, and I’ll explain a little bit more of that in a couple slides from now. Along with that, we have our .post shared services platform, which is linked to the .post top-level domain, and with that, you can obtain secure email, secure hosting certificates, secure e-commerce services, et cetera. Alongside that, we also have our soon-to-be-launched cyber security awareness portal, secure .post. Currently we have one service live, which is a check my link service, available through our partnership with the Global Anti-Scam Alliance and Scam Advisor, and that’s currently live today, but soon we’ll be launching a few other services, including a natural language processing platform, a testing platform, and a learning platform under secure .post, which will form a major toolkit within the post ISAC, of which you heard earlier from Massimiliano, the information sharing and analysis center. This is all part of our overall digital framework at UPU, the .post digital framework, in which we are seeking to deploy a series of digital services securely and build a trusted network for the sector. So just mentioning what we do on .post, it’s a very secure top-level domain. It’s probably the most secure, I would say, in the DNS space, not because we are doing something unique or different, but what we’re trying to do is ensure compliance with a series of robust security protocols, such as DNSSEC, DMARC, DKMSPF, and of course ensuring that there’s SSL deployed on your websites at all times. We believe that this .post identity will allow the posts and network members in this network, the operators, the private sector, and so on, to build out a series of services that ensure a secure identity for this industry. And this trust mark will serve as a digital trust infrastructure for the entire postal logistic sector, and in doing so, we believe this increases security of the postal and logistic services. How we do this? We introduce strict registration requirements. It is very difficult, if not impossible, to obtain a .post top-level domain if you are not a legitimate business entity. We don’t allow individuals to access to obtain it, and we do due diligence on any applicant to ensure that they are legitimate, they are fully operational, and they are not in the business of doing DNS abuse, which is a major problem within the industry. So we have strict registration requirements for the TLD, and in doing so, we believe that this brings improved trust and confidence to the sector. Not only that, it improves your brand recognition and improves reputation management. In addition to this overarching top-level domain, we believe that the support provided by the UPU will reduce your costs overall and increase your visibility. And then linked to that, we have our shared services platform, where with the .post top-level

Tracy Hackshaw: domain, you can actually access email hosting, secure email services, web hosting on a secure level, e-commerce services, again, secure, secure DNS management services, and that way you can start to focus on dealing with cyber incidents proactively before they actually come in, because many of these cyber incidents are infiltrated through the DNS system, and also by ensuring that you’re compliant with all the modern internet-based secure technologies such as SSL and TLS. So those who are operating within countries that are classified as small island developing states and least developed countries, we do have a starter package offer available to you, where there’s some funding available from the UPU, and if you scan this QR code that you see on the screen, you’ll be able to access or at least apply for this funding from the UPU, where we’ll be able to get you going with a starter package under the .post top-level domain and associated services. So we hope for those who are interested in this, feel free to scan this code now and apply to us for this offer. Now getting to the portal that I mentioned earlier, without getting into too much detail or demonstrating it today, this is really a cybersecurity awareness portal that we believe will allow posts, operators, wider post sector players, private sector, and so on, a one-stop shop where they can access cybersecurity information, training, awareness, capacity building, tools, toolkits, the works. We have a series of partners that we work with that will be able to access their tools through this portal, and we believe that through this partnership alliance, as a sector and as an individual operator or entity, you’ll be able to benefit fully from our secure and trusted platform. So just to show you the partnerships that we have currently deployed, APWG, the Global Anti-Scam Alliance, the Global Cyber Alliance, the Global Forum on Cyber Expertise, ICANN, we’re working now with the Internet Society, we’ve worked with ITU, and we’re currently formalizing agreements with FIRST, who is the forum of incident response teams globally. So the .post environment establishes digital trust and creates a secure platform for you as an operator or as a business to obtain secure services through a network. And we mentioned our cybersecurity framework. I don’t want to get too much into detail here. These are the elements of the framework which we deploy to ensure that you are fully secure within this environment. And reiterating on the ISAC, without getting into too much detail, because that was explained earlier by Massimiliano, it’s a really essential space to share and collaborate with your colleagues, with your other entities in the sector about cyber resilience, whether you’ve had a recent attack, you’re undergoing a current attack, or you’re fearful of being attacked in the future. This is a space where you can, in a secure manner, share information and collaborate with others in this regard. And to do that, we are trying to establish a pilot, which is launching this year. This is an opportunity for you to engage with us right now to roll this ISAC out. We are currently, we have about 40 interested parties, and we are still looking for others to start this pilot rolling. You can do so by contacting us today at hello at trust.post, or by utilizing this QR code, which you can scan and express interest in participating with us to onboard yourselves into the post-ISAC in a pilot manner. And this is available today. Again, scan the QR code, and you should be able to express your interest to us to participate today on this. And with that, I think I will end here and open up for any discussion and questions. Thank you very much. Thanks.

Mayssam Sabra: Thank you very much, Tracy, for your presentation. Maybe now we open the floor for two or three questions before we close this session. Are there any questions from the audience? Yes, please. Excuse me. Sorry. Yes, please.

Audience: Thank you very much for the panelists for the excellent presentation. We would like to express our gratitude to all the presenters for the excellent contribution that they have said. Also in South Africa, we had the recent amendment of the South African Post Office Act, which significantly broadens the mandate for the South African Post Office beyond the traditional postal services. And this expansion then also allows SAPO to offer logistics, e-commerce, and digital hub services. So as we move towards the digitization, it is then essential that we then implement robust cybersecurity measures in order to protect the infrastructure and sensitive information, which will then foster confidence and utilization of the postal services for variety of the services. On the survey that was presented, I think it was indicated that the postal services are not receiving adequate support from the national levels regarding the cybersecurity. So the question that we would like to then post is then what are some of the roles from the postal regulators that they can take in terms of addressing some of these challenges. Is there any benchmark from the survey that was presented that they can be able to share with us in terms of the role?

Mayssam Sabra: Thank you very much for your question. I would like to see if Kevin is still online with us. Maybe you can answer this question, Kevin.

Kevin Hernandez: Thank you very much for the question. So as I presented in the presentation, the question that we had regarding national support was whether the post was included in the national information security incident response team. And unfortunately, it’s only the case in 35% of countries. And actually, you see that they are less likely to be included in developing regions, which is also more concerning. So specifically in those three regions, once again, in Asia and Pacific and Africa and Latin America and the Caribbean, posts tend to be least likely to be affiliated with the national information security incident response team. So I think one of the things at the national level is to make sure that they’re getting support from this team. But I think Tracy probably has more to add. Thanks.

Mayssam Sabra: Thank you, Kevin. Thank you.

Kevin Hernandez: No problem.

Mayssam Sabra: So now I take two final questions from the audience here as we have to conclude the session. But I take two more questions. Please go ahead.

Audience: Thank you very much. Can I raise two questions? Yes, thank you very much. I’m able also to raise two questions. But anyway, I will be concise and briefly as soon as possible. Yes, I appreciate and thank you very much for organizing this meeting during the OASIS process and during the 20th edition, which is the best age of life. Personally, I’m Riyad Fazia. I’m involved in the OASIS process since the beginning. I used to be an international expert in the Coordination Office for Non-Governmental Organizations. Since then, the process, OASIS process in the UN, which is more recognizable, appreciated. But what I want to raise, yes, about the topic of our sessions, it is very interesting what you said. And also, speaker of Caribbean, but what I’m following also in the negotiation with the other UN agencies. But you can also, you are able to share your experiences with the African group and also in Pacific, what you raised. It’s very interesting. But yes, I have been, because during U.P.U. Congress, when dot post had been adopted, it hosted in Geneva in 2008. But my question just to Mr. Speaker, he raised, yes, I appreciate also what you raised for LDCs and STs. But I don’t know if what you are offering, it is limited or it is still going on until when. But are you organizing or there is sessions concretely with member of governments or private sectors to concretely having this? And this is what I hope was clear. Yes, there is sessions. We can have sessions working with you as member of government or any company like that, how it works. Or by Zoom call, I don’t know.

Tracy Hackshaw: Thank you very much for your question. So, yes, the short answer is yes. Actually, at Congress this year, the cyber resilience initiative for the postal sector will be proposed as an overarching proposal, I should say, for the wider, for the whole sector. The ISAC and the other initiatives we mentioned here are funded independently. But we are looking for additional funds to widen that scope to the wider network. And hopefully during Congress we will have that approved. But even if it is challenging for budgetary purposes, we will continue to reach out to what I would call underserved posts. So the thinking here is that we would not necessarily focus on posts who are well resourced with the funds that we currently have. I’m not sure if Massimiliano is still online, but I know he has a thought on this and a position. So Massimiliano, if you’re online, maybe you can respond as well based on the question I was asked about whether or not we are going to be working with the wider communities. Beyond CEDS and LDCs and so on. And what you can do in terms of cyber resilience. Massimiliano, perhaps you can respond.

Massimiliano Aschi: Oh, yes. I can share with you a few more thoughts on that regarding the ISAC initiative. By nature, it is an initiative which tends to interconnect many different players because the value is built by the contribution of many. And the views of the many could be essential and particularly relevant when talking about a complex business like the postal one, which today we have described. So definitely, yes, this is the main mission of an ISAC, I guess, to put into strict relations many different players coming from different realities. Not only the postal operators, which could be a closed, confined environment. We have to work exactly as CERT would do in communicating with many other places, while at the same time granting, of course, confidentiality and restricted access to confidential information. At the same time, we can’t lose the opportunity to share the views, to share the experiences coming from the others. So the answer is basically yes.

Mayssam Sabra: Thank you very much, Massimiliano. And I hope this answers your question. Now I take the last comment from Nigel. Before we conclude the session.

Nigel Cassimire: Thank you, Mayssam. Just to respond to what Teed asked about the SIDS cooperation with Pacific and so on. The CTU has links with the Pacific. We run, for example, a SIDS Internet Governance Forum, and we’ve established through the ICANN network as well a space for SIDS to come together. So when those global meetings take place, we get together and discuss a range of issues. So the advances that maybe we are able to make in the Caribbean through the MOU with the UPU, we could share with our SIDS affiliates from all over the world. Thank you.

Mayssam Sabra: Thank you very much. Thank you. Thank you, Nigel. Thank you, everyone. Thank you, our online and on-site participants, panelists, and also the technology team. We must conclude now. I hope you found this session interesting and insightful. Thank you once again.

Agreement points

Postal sector cybersecurity requires urgent improvement and coordinated response

Speakers

– Kevin Hernandez
– Massimiliano Aschi
– Tracy Hackshaw
– Esmeralda Kazia

Arguments

Current cyber hygiene practices in the postal sector need significant improvement, with only encrypted websites implemented by two-thirds of posts

Post-ISAC aims to serve as a reference point for multi-business postal operators facing diverse cyber threats through knowledge sharing and strategic guidance

UPU offers .post secure top-level domain with strict registration requirements and robust security protocols including DNSSEC and DMARC

International collaboration is essential for addressing cross-border postal scam campaigns and sharing threat intelligence

Summary

All speakers agreed that the postal sector faces significant cybersecurity challenges requiring coordinated solutions, improved practices, and international cooperation to address evolving threats.

Topics

Cybersecurity | Infrastructure | Development

Developing regions face greater cybersecurity challenges and need targeted support

Speakers

– Kevin Hernandez
– Tracy Hackshaw
– Nigel Cassimire

Arguments

Developing regions, particularly Latin America and Caribbean, Asia Pacific, and Africa, are less likely to implement cybersecurity best practices

UPU has established partnerships with major cybersecurity organizations and offers starter packages for small island developing states and least developed countries

SIDS cooperation through existing networks can facilitate sharing of cybersecurity advances across small island developing states globally

Summary

Speakers recognized that developing regions, particularly SIDS and LDCs, face greater cybersecurity challenges and require targeted support, funding, and cooperation mechanisms to improve their cyber resilience.

Topics

Cybersecurity | Development | Infrastructure

Posts have evolved beyond traditional services to become critical digital infrastructure

Speakers

– Kevin Hernandez
– Massimiliano Aschi
– Audience

Arguments

Posts are offering extensive digital services beyond traditional postal services, including e-commerce, financial services, and e-government services, making them critical infrastructure

Post-ISAC aims to serve as a reference point for multi-business postal operators facing diverse cyber threats through knowledge sharing and strategic guidance

Posts require better integration with national cybersecurity frameworks and incident response teams

Summary

Speakers agreed that postal services have transformed from traditional mail delivery to comprehensive digital service providers, making them critical infrastructure requiring enhanced cybersecurity measures.

Topics

Cybersecurity | Infrastructure | Economic

Similar viewpoints

Both speakers emphasized the critical gap in national-level cybersecurity support for postal operators and the need for better integration with national cybersecurity frameworks and international cooperation.

Speakers

– Kevin Hernandez
– Esmeralda Kazia

Arguments

Only 35% of posts are affiliated with National Information Security Incident Response Teams

International collaboration is essential for addressing cross-border postal scam campaigns and sharing threat intelligence

Topics

Cybersecurity | Legal and regulatory

Both speakers advocated for comprehensive, integrated cybersecurity platforms that provide multiple services while maintaining security and enabling collaboration among postal operators.

Speakers

– Tracy Hackshaw
– Massimiliano Aschi

Arguments

UPU provides shared services platform offering secure email, hosting, and e-commerce services linked to .post domain

Post-ISAC will operate as a federated environment promoting local collaboration while maintaining global connectivity in maximum confidentiality

Topics

Cybersecurity | Infrastructure

Both speakers recognized the resource constraints facing postal operators and the need for external support, particularly for underserved regions, to address cybersecurity challenges.

Speakers

– Kevin Hernandez
– Tracy Hackshaw

Arguments

Cybersecurity budgets are not keeping up with increased workload, with almost 70% of posts seeing increased cybersecurity workload but less than half receiving additional budget allocations

UPU has established partnerships with major cybersecurity organizations and offers starter packages for small island developing states and least developed countries

Topics

Cybersecurity | Economic | Development

Unexpected consensus

Postal operators as multi-sector digital service providers requiring specialized cybersecurity approach

Speakers

– Kevin Hernandez
– Massimiliano Aschi
– Audience

Arguments

Posts are offering extensive digital services beyond traditional postal services, including e-commerce, financial services, and e-government services, making them critical infrastructure

Post-ISAC aims to serve as a reference point for multi-business postal operators facing diverse cyber threats through knowledge sharing and strategic guidance

Posts require better integration with national cybersecurity frameworks and incident response teams

Explanation

The consensus on postal operators as complex multi-sector digital infrastructure was unexpected, as traditional views of postal services focus on mail delivery. All speakers recognized this transformation requires specialized cybersecurity approaches different from traditional sector-specific solutions.

Topics

Cybersecurity | Infrastructure | Economic

Need for federated yet globally connected cybersecurity solutions

Speakers

– Massimiliano Aschi
– Tracy Hackshaw
– Nigel Cassimire

Arguments

Post-ISAC will operate as a federated environment promoting local collaboration while maintaining global connectivity in maximum confidentiality

Cybersecurity awareness portal secure.post provides one-stop shop for cybersecurity tools, training, and capacity building

SIDS cooperation through existing networks can facilitate sharing of cybersecurity advances across small island developing states globally

Explanation

Unexpected consensus emerged on the need for cybersecurity solutions that are both locally adapted and globally connected, balancing regional needs with international cooperation – a sophisticated approach not typically seen in traditional cybersecurity discussions.

Topics

Cybersecurity | Infrastructure | Development

Overall assessment

Summary

Strong consensus emerged on the urgent need for improved postal sector cybersecurity, recognition of posts as critical multi-sector digital infrastructure, and the requirement for coordinated international support particularly for developing regions. Speakers agreed on the importance of comprehensive solutions combining technical tools, capacity building, and international cooperation.

Consensus level

High level of consensus with complementary rather than conflicting viewpoints. This strong agreement suggests significant potential for coordinated action and implementation of the proposed cybersecurity initiatives, particularly the UPU’s integrated approach through .post domain, ISAC, and capacity building programs. The consensus indicates readiness for sector-wide transformation in postal cybersecurity practices.

Different viewpoints

Unexpected differences

Overall assessment

Summary

The discussion showed remarkable consensus among all speakers regarding the cybersecurity challenges facing the postal sector and the need for enhanced protection measures. No significant disagreements were identified.

Disagreement level

Very low disagreement level. All speakers aligned on the fundamental issues: the critical need for improved cybersecurity in the postal sector, the particular vulnerability of developing regions, and the importance of international cooperation. The speakers complemented each other’s perspectives rather than contradicting them, with each contributing different aspects of solutions (technical, regulatory, organizational, and international cooperation). This high level of consensus suggests strong professional alignment on cybersecurity priorities, which could facilitate effective implementation of proposed solutions but might also indicate a need for more diverse perspectives to challenge assumptions and identify potential blind spots in the proposed approaches.

Partial agreements

Similar viewpoints

Both speakers emphasized the critical gap in national-level cybersecurity support for postal operators and the need for better integration with national cybersecurity frameworks and international cooperation.

Speakers

– Kevin Hernandez
– Esmeralda Kazia

Arguments

Only 35% of posts are affiliated with National Information Security Incident Response Teams

International collaboration is essential for addressing cross-border postal scam campaigns and sharing threat intelligence

Topics

Cybersecurity | Legal and regulatory

Both speakers advocated for comprehensive, integrated cybersecurity platforms that provide multiple services while maintaining security and enabling collaboration among postal operators.

Speakers

– Tracy Hackshaw
– Massimiliano Aschi

Arguments

UPU provides shared services platform offering secure email, hosting, and e-commerce services linked to .post domain

Post-ISAC will operate as a federated environment promoting local collaboration while maintaining global connectivity in maximum confidentiality

Topics

Cybersecurity | Infrastructure

Both speakers recognized the resource constraints facing postal operators and the need for external support, particularly for underserved regions, to address cybersecurity challenges.

Speakers

– Kevin Hernandez
– Tracy Hackshaw

Arguments

Cybersecurity budgets are not keeping up with increased workload, with almost 70% of posts seeing increased cybersecurity workload but less than half receiving additional budget allocations

UPU has established partnerships with major cybersecurity organizations and offers starter packages for small island developing states and least developed countries

Topics

Cybersecurity | Economic | Development

Key takeaways

The postal sector is undergoing significant digital transformation, expanding beyond traditional services to include e-commerce, financial services, and e-government services, making cybersecurity critical for maintaining public trust and service continuity

Current cybersecurity practices in the postal sector are inadequate, with developing regions (Latin America/Caribbean, Asia Pacific, and Africa) showing particularly low implementation rates of cyber hygiene best practices

There is a significant gap between increasing cybersecurity workloads (70% of posts experienced increases) and budget allocations (less than 50% received additional funding), creating unsustainable security postures

Most postal operators (65%) lack integration with national cybersecurity incident response teams, leaving them isolated during cyber incidents

The UPU has developed a comprehensive cyber resilience framework including Post-ISAC, .post secure domain, shared services platform, and cybersecurity awareness portal to address sector-wide vulnerabilities

Regional cooperation models, such as the CTU-UPU MOU in the Caribbean and Albania’s alignment with EU cybersecurity standards, demonstrate effective approaches to enhancing postal cybersecurity

International collaboration is essential for combating cross-border postal scam campaigns and sharing threat intelligence across the interconnected postal network

Resolutions and action items

UPU will propose cyber resilience initiative as an overarching proposal at the upcoming Congress for sector-wide implementation

Post-ISAC pilot program is launching with 40 interested parties, with ongoing recruitment for additional participants through hello@trust.post

UPU offers starter packages for Small Island Developing States and Least Developed Countries, accessible through QR code application process

CTU will continue sharing Caribbean cybersecurity advances with SIDS affiliates globally through existing networks like SIDS Internet Governance Forum

Albania calls for international support in four areas: technological modernization, cross-border intelligence sharing, dedicated postal resilience programs, and regional partnerships for training

Participants can access UPU’s cybersecurity tools immediately through secure.post portal and express interest in Post-ISAC participation

Unresolved issues

How to address the fundamental budget gap where cybersecurity workloads are increasing faster than budget allocations across the postal sector

Specific mechanisms for integrating postal operators into national cybersecurity incident response teams, particularly in developing regions

Long-term sustainability and funding models for Post-ISAC and other UPU cybersecurity initiatives beyond current pilot phases

Standardized benchmarks and metrics for measuring cybersecurity maturity across diverse postal operators with varying business models

Regulatory frameworks and roles for postal regulators in enforcing cybersecurity standards, as raised by the South African participant

Coordination mechanisms between postal operators and private sector partners to ensure end-to-end security in multi-channel service delivery

Suggested compromises

UPU will prioritize underserved and under-resourced postal operators for cybersecurity support while continuing to seek broader funding for comprehensive sector coverage

Post-ISAC will operate as a federated environment balancing local collaboration needs with global connectivity while maintaining strict confidentiality protocols

Phased implementation approach for cybersecurity improvements, starting with basic cyber hygiene practices before advancing to more sophisticated security measures

Leveraging existing regional organizations and partnerships (like CTU-UPU MOU) to extend cybersecurity support rather than creating entirely new frameworks

Posts are offering many more digital services than we were expecting. And these services go well beyond the postal sector… posts are not just offering digital postal services but are also now offering digital services across multiple sectors… 34% of posts are showing signs of becoming a one-stop shop for economic, financial, social and digital inclusion by providing digital financial services, e-commerce services and e-government services all under the same roof.

Speaker

Kevin Hernandez

Reason

This fundamentally reframes the understanding of postal services from traditional mail delivery to comprehensive digital service hubs. It reveals the massive scope expansion that creates both opportunities and vulnerabilities, challenging the conventional view of what postal services represent in the digital age.

Impact

This comment established the foundational context for the entire discussion, shifting the conversation from traditional postal security concerns to a much broader cybersecurity challenge. It directly influenced subsequent speakers to address the complexity of securing multi-sector digital services and informed the development of solutions like Post-ISAC.

As posts offer more digital services, they are becoming a more critical infrastructure because they hold more sensitive data about customers and about citizens across multiple sectors and this makes the potential consequence of a disruption of a postal operator’s digital systems more severe and these disruptions would disproportionately impact people in rural areas and the elderly who rely on the post for digital services the most.

Speaker

Kevin Hernandez

Reason

This insight connects cybersecurity vulnerabilities directly to social equity and digital inclusion issues. It demonstrates how cybersecurity failures in postal systems could exacerbate existing digital divides, making this not just a technical issue but a social justice concern.

Impact

This comment elevated the discussion from technical cybersecurity measures to broader societal implications, influencing other speakers to consider the human impact of their initiatives and reinforcing the urgency of the cybersecurity improvements being proposed.

While conventional ISACs are often confined to specific sectors, post-ISAC distinguishes itself by its ability to adapt to the highly diverse nature of postal operators… Post-ISAC aims to serve as a reference point for both public and private multi-business operators, each managing different business models and facing a wide variety of cyber threats.

Speaker

Massimiliano Aschi

Reason

This comment introduces a novel approach to cybersecurity collaboration that acknowledges the unique complexity of the postal sector. It challenges the traditional sector-specific ISAC model and proposes an innovative solution that could serve as a template for other complex, multi-business sectors.

Impact

This insight provided a concrete solution framework that other speakers could reference and build upon. It shifted the discussion from problem identification to solution architecture, demonstrating how the postal sector’s complexity could be turned into a strength through proper collaboration structures.

In 2024, out of 18 total cyber attacks attempts recorded in the transport sector, 15 were directed at the Albanian Post, that is, 83.3% of all transport-related threats… Albania was among the first countries in the region to identify and respond to an international postal scam campaign that began in January 2022 and continues to this day.

Speaker

Esmeralda Kazia

Reason

This provides concrete, alarming evidence of how postal services are disproportionately targeted by cybercriminals. The specific statistics and real-world examples transform abstract cybersecurity concerns into tangible, immediate threats, while also demonstrating the international scope of postal-targeted attacks.

Impact

These specific threat statistics validated the urgency established by earlier speakers and provided concrete evidence for the need for international cooperation. It influenced the discussion toward practical, immediate response measures and reinforced the value of initiatives like Post-ISAC for threat intelligence sharing.

The traditional mail, basically, those services are way down in terms of volume and revenue. Courier service-type things are up. We have competition in courier services and delivery services and logistics. And we are seeing our post offices also competing in that space… governments are leveraging that [trusted network] to help distribute their various government e-services and products.

Speaker

Nigel Cassimire

Reason

This comment reveals the economic pressures driving postal digital transformation and highlights the strategic value of postal networks as trusted government service delivery channels. It shows how market forces and government digitization strategies are converging to create new cybersecurity challenges.

Impact

This insight added an important economic and policy dimension to the discussion, helping explain why postal services are expanding into digital services despite cybersecurity risks. It influenced the conversation toward understanding the business case for cybersecurity investment and the role of government partnerships.

Overall assessment

These key comments fundamentally transformed the discussion from a narrow focus on traditional postal cybersecurity to a comprehensive examination of postal services as critical digital infrastructure serving multiple sectors. Kevin’s opening insights about the scope of postal digital transformation established the foundation that allowed subsequent speakers to build increasingly sophisticated analyses and solutions. The progression from problem identification (Kevin’s survey data) to solution architecture (Massimiliano’s Post-ISAC framework) to real-world validation (Esmeralda’s threat statistics) to regional implementation strategies (Nigel’s Caribbean experience) created a coherent narrative that elevated the conversation beyond technical cybersecurity measures to encompass social equity, economic transformation, and international cooperation. The comments collectively shifted the discussion from reactive security concerns to proactive, collaborative approaches that recognize the unique position of postal services in the digital ecosystem.

What specific roles can postal regulators take in addressing cybersecurity challenges at the national level?

Speaker

Audience member from South Africa

Explanation

This question was raised in response to the survey finding that postal services are not receiving adequate support from national levels regarding cybersecurity, and the speaker wanted to understand what benchmarks or specific actions regulators could take

What is the duration and scope of the starter package offer for LDCs and SIDS, and how can concrete working sessions be organized with governments or private sectors?

Speaker

Riyad Fazia (audience member)

Explanation

This question seeks clarification on the practical implementation and availability timeline of the UPU’s funding offer for developing countries, as well as how to access concrete training or working sessions

How can the advances made in the Caribbean through the MOU with UPU be shared with SIDS affiliates from other regions?

Speaker

Nigel Cassimire

Explanation

This represents an area for further collaboration and knowledge sharing among Small Island Developing States globally, building on the Caribbean experience with postal cybersecurity improvements

How will the cyber resilience initiative for the postal sector be funded and implemented if approved at Congress?

Speaker

Tracy Hackshaw

Explanation

This relates to the sustainability and scalability of cybersecurity initiatives beyond the current independently funded programs, particularly for reaching underserved postal operators

What specific technological modernization support is needed for postal infrastructure in developing regions?

Speaker

Esmeralda Kazia

Explanation

This area for further research was highlighted as part of Albania’s call for international partnership, particularly focusing on addressing technological gaps like outdated core systems and insufficient endpoint protection

How can cross-border intelligence sharing against postal scam campaigns be enhanced?

Speaker

Esmeralda Kazia

Explanation

This represents a critical area for international cooperation, given that Albania identified international postal scam campaigns as an ongoing threat that requires coordinated response across borders