Do You Think Faxing Something Means It's Secure?

Not necessarily. There are vulnerabilities that can make faxing risky. The first, and most obvious, is that faxes are initiated by people. People make mistakes. People punch in the wrong number. People inadvertently fax things to the wrong person. It happens. You can remind people to be careful, but mistakes are just going to happen. Just the other day someone I know received a fax from a bank that included a list of names, social security numbers, and account numbers. A big oops.

To help address this issue, pre-program the fax numbers for the recipients that you commonly send sensitive information to. Also make sure that you use a cover page that clearly states who the intended recipient is, states that the fax is only for that recipient, and provides instructions for an accidental recipient to follow if they receive the fax in error.

The other issue is that many fax recipients are not walking up to the fax machine to pick up the received document. Instead, faxes are forwarded to the organization's email system, where they are attached as images or as a PDF document. Why does this matter? You may not have intended for that potentially sensitive fax to be stored in the recipient's email inbox on their local hard drive, on their corporate email server, in their email archiving solution, and permanently on the email server backup media. Will the access controls you intended for this document continue to be upheld for these additional digital copies now floating around? Probably not. If that fax included payment card information or personally identifiable information, like social security numbers, then a law or rule was just broken. That sensitive information is now likely stored unencrypted on multiple systems that do not provide the access controls and protection now required for such data.

Just because it's faxed doesn't mean it's completely immune to security risk.

©2008 Kenneth M. Smith
