The National Health Service (NHS) is phasing out the use of fax machines after Health secretary Matt Hancock banned the purchase of any more of the devices and set a March 2020 deadline to get rid of them altogether.
It begs the question, is it safe to use a fax machine nowadays and why are people opting for such an old technology? In trying to find an answer, I was surprised to find my own position shift in its favour.
Opinions on fax security differ
My first assumption was that fax is outdated and completely insecure. But not everyone agrees.
Following North Korea’s devastating cyber attack on Sony Pictures in 2014, Michael Lynton, then chief executive of Sony Pictures, immediately switched to sending confidential information by fax instead of email. Considering hundreds of his embarrassing emails were stolen and leaked, you can hardly blame him for losing faith in the medium.
According to BBC news, one NHS service was able to keep running through the May 2017 WannaCry ransomware attack because, even with their computers and network down, their fax machines still worked. How will they feel about giving up the one thing that kept them running?
In fact, more individuals own a fax machine than you might think. Although it’s rare to see them connected to the phone line, all-in-one or multifunction printers generally come with fax capability. Chances are, if you own a printer, you own a fax – even if not a good one.
Fax machines rarely sit in locked rooms where access is restricted. Instead, they tend to be found found out on the office floor and, worse still, at reception desks. The biggest risk by far is that the information you send will either be misplaced or viewed by people who aren’t the intended recipient.
Where large network printers also serve as fax machines, expect a steady footfall of workers collecting their printed documents and, potentially, your fax along with them. It’s all too easy for an incoming fax to find its way between documents being printed. Then, before you know it, stapled amongst other papers, stuck in an envelope and posted to someone outside the organisation.
Making matters worse, all-in-one multifunction printers with fax ability pose a serious network exploitation risk too. In August 2018, Eyal Itkin and Yaniv Balmas from Checkpoint demonstrated how an attacker can send a picture by fax that allows them access to the computer network at the other end.
I’ve come to understand why, despite these risks, fax is still being used in 2018.
First, it’s incredibly easy to use for people who aren’t confident using a computer or tablet. There are no complicated screens, keyboards, passwords, setup or commands to remember. It’s easy to show others how to send a fax and the process can be written up in big letters on single sheet of paper (usually found stuck to the wall by the machine). You get audio feedback in the sound of the fax connecting and a printed confirmation that it has been sent.
Fax is point to point. To intercept one, a hacker needs to tap the phone line at the exact moment the fax is being sent. That’s beyond the capabilities of most threat actors. Comparatively, it can be relatively straightforward to get access to the contents of an entire email inbox from thousands of miles away.
The recipient gets a physical document and let’s face it, some people, me included, prefer to work with actual paper. Some professions even require it.
A good old-fashioned telephone line is all you need to send a fax. You don’t need broadband internet or even the internet. This means fax works in places the internet doesn’t and, even in 2018, there’s still too many places in the UK where internet connections are unreliable. When the only choice is between fast and cheap fax or increasingly expensive snail mail – take your pick.
Alternatives to fax
Many of these benefits can, of course, be realised through these modern alternatives.
- Secure email is the route the NHS has been told by the Health Secretary to take. Many companies provide services and software that allow emails and their attachments to be encrypted, stored and delivered securely. Secure email takes a little knowledge and effort to setup and use, but it’s a worthwhile investment. One downside is that a recipient outside your organisation will probably need to login to a website to download the file that was sent to them.
- Cloud faxing or fax to email (and vice versa) services allow you to send and receive fax with a computer, tablet or smartphone. Providers vary in what they offer, but most will provide encryption facilities like those found in secure email with the added benefit that you can send something to a recipient who is still using a traditional fax machine.
- Apps offer a good alterative to email and fax. The secure messaging app Signal became the go to choice for the Clinton campaign after email accounts were hacked during the US presidential election.
All these options demand a good internet connection and people being comfortable with giving up paper for computers, smartphones or tablets. Since providers of secure email, cloud fax and messaging apps will store your data, it’s important that you trust them and the promises they make about encryption and security.
Is fax safe? It depends
Before writing this post, I would have said not.
But then I thought about it. I wondered if there were still benefits to maintaining a fleet of dedicated fax machines from a business continuity perspective. Imagine if your entire computer network went down or you lost internet access. Could the age-old fax be your best link to the outside world?
Having said that, the data breach risk is simply too high to use fax in day to day operations. If you have the infrastructure to use alternatives, then you should do so and hang on to your fax machines solely as a backup.
Keep in mind, I’m talking about dedicated fax machines and not the all-in-one multifunction printers that Checkpoint discovered vulnerabilities with. If you have an all-in-one, make sure it never gets connected to a telephone line and get yourself a dedicated fax if you need one.
And you can anticipate few problems getting your hands on a dedicated device in 2019. After all, the NHS, once the biggest buyer, won’t be procuring them anymore.
How to use Fax safely
- Don’t use networked or ‘all-in-one’ fax machines. Stick to a traditional fax that only connects to your phone line.
- Keep your fax in a place where you can restrict who has access to it.
- Turn off and disconnect your fax if it will be left unattended for long periods of time.
- Never transmit sensitive or personal information from or to a shared fax machine like those at hotels or shops that provide drop-in faxing services.
- It’s best to send a fax when the recipient is present at their machine.
- Always use a fax cover sheet that names the intended recipient and contains no confidential material.
- Verify that you have the correct number for the recipient before sending any sensitive data. Check the number again before you hit send.