Skip to main content

The myth of the secure fax machine

(Image credit: Image Credit: KlausAires / Pixabay)

Technology has fundamentally changed the way all organisations operate and communicate, with the speed of information sharing almost instantaneous. While private sector businesses are free to rip and replace technology systems at will, public sector organisations are slower on the uptake thanks to restricted budgets. The NHS is most frequently lambasted for its use of older technology and in 2018 Health Secretary Matt Hancock criticised the health service for its continued use of fax machines, prohibiting any use of the devices from the end of March 2020. When announcing the ban, Hancock claimed fax machines were ‘archaic’ and that ‘everyone else had got rid of them years ago’. That isn’t, however, entirely true.

A recent freedom of information request found that almost a thousand fax machines are known to be in use across local councils, fire services, police stations and universities in the UK, with more than 125,000 faxes sent and received across these organisations in 2019. And it isn’t just the public sector. While faxing may seem like a communication method of a bygone era, in reality nearly 17 billion faxes are sent around the world every year. Many believe that fax machines are more secure than more modern forms of communication – in fact, Sony Pictures CEO Michael Lynton revealed that, after the infamous hack in 2014, he had taken to sharing sensitive information via fax – but the technology is old and that does not equate to security.

Analogue data breaches

While fax machines are analogue and therefore not at risk from the same hacking techniques as digital technology, that does not mean they are immune. In fact, the very thing that protects them from modern forms of data exfiltration is what makes them vulnerable. Often, a belief that fax machines are secure comes from the fact they cannot be accessed remotely, unlike digital communication tools. However, this doesn’t automatically equate to privacy and protection. While in transit, fax documents are not encrypted which means anyone who can access the phone line can, theoretically, can also access information sent via the fax machine.

While the vast majority of organisations are unlikely to suffer an attack targeted enough to hack their phone lines, the lack of encryption presents a major flaw that will impact every single organisation using fax machines. They produce paper documents. Fax machines are often communal, positioned in the middle of the office and easily accessed by anyone who passes the machine. As soon as the fax is printed, unless the intended recipient is waiting at the machine, it can be seen and picked up by any passer-by. There’s then the issue of misplacing any paper documents. There are countless examples of pieces of paper containing highly confidential and sensitive information going missing or being stolen. Paper is simply an analogue data breach waiting to happen.

According to Verizon’s 2019 Data Breach Investigations Report, 35 per cent of all data breaches are caused by human error – an issue fax machines are hugely prone to. It is all too easy for users to type the wrong number into a fax machine and just one incorrect digit can lead to disaster. Last year it was revealed that a number of faxes containing patient prescription information had been sent to a hotel group inadvertently. While all forms of communication are prone to human error, faxing is extremely prone to the ‘fat finger’ problem thanks to the sheer number of mistakes that can easily be made when dialling a phone number.

On top of these data privacy issues, fax machines are decades-old technology and were never built to deal with modern security threats. While in previous incarnations fax machines were only connected to phone lines, these days the rise of multi-functional devices (MFDs) means they are now often hooked up to the wider business systems to allow, for example, printing over WiFi. While the complexities of the different vulnerabilities that fax machines face are myriad, the basic issue is that technology has evolved beyond them making it even easier for attackers to exploit their archaic practices to gain access to wider business systems. A vulnerability discovered by security company CheckPoint discovered, for example, allowed hackers to exploit flaws in the communication protocols of millions of MFDs and share malware-infected image files, with that malware then spreading to other connected devices. 

Despite these inherent security risks, faxing as a method of communication is unlikely to disappear any time soon. For many, the reliance on faxing – especially in highly regulated industries like healthcare and finance – makes it almost impossible to do away with the technology altogether. And, fortunately, the approach doesn’t have to be that extreme.

The modern approach to fax

Cloud technologies have enabled organisations to transform their IT infrastructure – from getting rid of their server room and back-up tapes to allowing increased collaboration across borders – and the fax machine has been long overdue the same treatment. The security concerns, plus inflexibility of the fax machine given it is inherently not mobile, means we are now seeing a rise in cloud faxing. 

Cloud faxing allows the entire fax process to be handled digitally via the web; either through a company’s email application, a multifunctional device, workflow application, mobile app or secure web-portal. This provides users with a huge amount of flexibility as they are no longer tied to a physical fax machine and faxes can be sent from and to any device – whether the person you are communicating with uses fax machines or not. For example, if a supplier asks for orders to be submitted via fax, I can photo the order on my mobile phone, access the cloud faxing app and send the order to my supplier’s fax machine.

Not only does this make faxing hugely more accessible, but it also increases security. Cloud faxes are sent over the internet, via encrypted channels meaning they cannot be accessed by anyone else and faxes in storage are also encrypted for security and compliance.  Delivery confirmations provide a clear audit trail of everything that was sent or received and when, which provides reassurance information is shared with who it was intended for.

What’s more, cloud faxing provides a level of control for the organisation that traditional fax machines just can’t afford – even if they are kept in a locked room – by allowing admins to develop permissions and restrictions to ensure that only those authorised to send and receive faxes do so.

Fax machines are a hidden problem – but they are a big one. We know the public sector are prolific users, especially the NHS, and instead of insisting a complete policy shift in the way those using faxes communicate, there needs to simply be a more modern solution in use.

Cloud faxing enables organisations to maintain all of the benefits of fax, without the need for cumbersome machines or paper records and with increased security, privacy and compliance. Everything else has moved to the cloud, it’s time for the fax to follow suit.

Scott Wilson, Director of Sales and Service, eFax

Scott Wilson is Director of Sales and Service at eFax (part of J2 Global). Prior to joining eFax, Wilson held various roles at organisations including Dell, Perlico (Vodafone) and IBM.