How the Limitations of Email Security Have Kept Fax Alive

David Hold | Jun 17, 2019

The Centers for Disease Control and Prevention has been studying US phone ownership for more than a decade. In 2004, they found almost 93% of American homes had a landline phone, while just 5% had a cell phone. But by 2017, the percentage of homes with landlines had dropped by more than half, to just 44%. Meanwhile, a majority of those households (53%) had mobile phones.

Source: CDC/NCHS, National Health Interview Survey

This makes sense. When new technology makes a task or activity easier, less expensive, or more fun, it tends to enjoy widespread adoption while the older technology fades away. The abacus gave way to the original clunky adding machine, which gave way to the handheld programmable calculator, which gave way to the spreadsheet with calculation capabilities. VCRs gave way to DVDs, which gave way to streaming video services.

With that common trend in mind, let’s think about what it takes to transmit a business document using email (a relatively new protocol) and using a fax machine (commercially available since 1851).


Fax machine:

  • Print document
  • Draft and print (or hand-write) cover page
  • Walk document to the fax machine (and possibly wait in line for your turn)
  • Feed document into fax machine
  • Dial recipient’s fax number (and possibly redial, and redial again)
  • Wait until every page has been transmitted successfully and the machine produces a delivery confirmation receipt
  • If the fax contains sensitive or regulated data, take the hardcopy fax away for filing, scanning and/or shredding.

Average time to send a fax: 5.3 minutes (Davidson Consulting)

Email:
  • Open new message and address it
  • Type subject line and body copy, and attach document
  • Hit send

Wow. Shouldn’t fax machines have gone the way of the VCR and the abacus by now?

Actually no, at least not for many businesses — particularly businesses in heavily regulated industries. The reason for this is simple: email still isn’t secure enough to transmit highly sensitive corporate data, and many businesses know it.


High-Profile Hacks Continue to Hurt Email’s Reputation

One reason many businesses don’t trust email to transmit their mission-critical and regulated data is that hackers keep finding new ways to break into organizations’ emails, often in high-profile incidents. Consider just a few of the headline grabbers:

  • 2014: More than 170,000 Sony Studios emails were stolen and released on Wikileaks (Forbes). The subject matter of those conversations, which involved movie star contracts and other sensitive items, created an uproar that led to the resignation of several top executives and, ultimately, the division president.

  • 2016: The Democratic National Committee had its emails hacked and more than 20,000 of those were published on Wikileaks (Wired), the effects of which are still reverberating through U.S. politics today.

  • 2018: A HealthEquity email hack compromised the private data of 190,000 patients, including personal details such as name and address, social security numbers, diagnosis/treatment and credit card details: just the types of information that can be used for identity theft and insurance fraud. (HealthITSecurity)

Even email providers themselves, such as Yahoo!, have been successfully breached by cybercriminals, compromising the personal accounts and passwords of hundreds of millions of email users.

Email Wasn’t Designed for Secure Data Exchange

Why are even the most sophisticated organizations in the world vulnerable to email hacks? A major reason, as a Digital Trends article puts it, is that “Email was not designed with any privacy or security in mind.”

And many industries and regulatory agencies are well aware that certain types of information should never be sent in unsecured (plaintext) email. Examples include financial loan docs, tax returns, legal court filings, and any documents containing personally identifiable healthcare information, personal signatures, and passwords. So the secure choices are limited to postal (snail) mail, which takes days; courier or delivery services, which are expensive; and fax, which is inexpensive and almost as fast as email.

Yes, corporate IT professionals can apply security measures to their companies’ email networks. The problem is that an email message’s journey is often complex and includes several applications and systems along the way that are largely outside the sender’s control. Consider how many ways a typical email message (even one with encryption) could be compromised during its path across the internet.

Email’s security vulnerabilities:

  • The sender’s email device or service
  • Networks between sender and recipient (there might be several)
  • Mail servers along the way (which may store copies of the data, often without security)
  • The recipient’s desktop email client.

And even if the sender has implemented security and encryption on the emails they send, that does not guarantee that a receiver at a different organization supports the same security and authentication protocols. The receiver may not be able to open an encrypted message without going through a cumbersome process that simply will not scale to large volumes or clients. For this and other reasons, secure email has not been widely implemented outside of organizations.


But Faxing Has Weaknesses of Its Own

Given its inherent lack of security, and the many high-profile stories of corporate email theft we still see year after year, you can understand why so many organizations still need to send their most sensitive data — patient health records, client financial information, etc. — by fax.

There’s also another important reason: Many federal data-privacy laws, such as HIPAA, tend to view faxing as more secure than email, meaning it’s safer legally for these regulated businesses to use fax.

But none of this is to suggest that faxing in and of itself is entirely safe or that it necessarily complies with privacy regulations.

Legacy faxing in particular — desktop fax machines, multifunction devices, or in-house fax servers — has its own security and regulatory shortcomings. For example:

  • Sensitive faxes can be left sitting on an office fax machine, where unauthorized staff might see or take them.
  • The purging of fax-server hard drives can leave the hard copies vulnerable.
  • The memory of fax machines and multifunction printers, which stores unsecured copies of sent or received faxes, is often forgotten and not properly sanitized.
  • And finally, it has recently been discovered that fax machines and multifunction printers can be a vector for malware through the analog lines that bypass the corporate firewall. The only protection against this exploit is to pull the plug on legacy fax lines.


The Solution: Cloud Faxing

Email isn’t secure. Legacy, paper-based faxing isn’t secure. So, what’s the answer for a business that needs to transmit electronic data securely and in a way that complies with federal data-privacy laws? Secure cloud fax services that run over encrypted communication channels, without fax machines or fax lines.

To learn more about the security weaknesses of email and legacy fax infrastructure — and why cloud faxing is the answer — read our free white paper: “Why Email Failed to Replace Fax for Secure Document Exchange.”

About David Hold

Sr. Product Marketing Manager

David Hold is Sr. Product Marketing Manager at j2 Cloud Services™, Inc. and is responsible for the go-to-market strategies for the eFax Corporate® suite of solutions.
