Most organisations now have some form of antivirus, antimalware and firewall installed to protect their computer networks. However, the lowly fax machine hasn't been given much attention when it comes to security.
As they are considered old technology and are thus often neglected security-wise, fax machines pose potential risks to every organisation where they are used.
As they are considered old technology and are thus often neglected security-wise, fax machines pose potential risks to every organisation where they are used. Yet few companies have a comprehensive and enforced policy covering their use. The main problem is that a fax does not guarantee confidential transmission, either for incoming or outgoing faxes. That means it isn't a naturally secure way to exchange sensitive information.
A mailed document comes in a sealed envelope with the addressee's name on it and an email can be digitally signed and delivered to the recipient's inbox, but a fax document is printed out on a machine that is often located in an open office environment and shared by a number of people. Errors in dialling the destination number can also lead to data leakage; somebody receiving a fax that is not addressed to him or her has no legal obligation to ignore the information contained in the message. Also, how do you know a fax is genuine? There is no data validation or authentication between sending and receiving parties, and a fax's Calling Station Identifier (CSID) can be easily spoofed. Therefore, faxes should not be used in instances where the integrity of the information is vital.
The good news is that most of these fax machine security risks can easily be mitigated with little or no cost by covering the use of faxes in your security policy and implementing a detailed standard operating procedure (SOP) or work instruction for sending and receiving faxes. A copy of your SOP should be displayed at every fax station.
To improve fax security, your SOP should state that all faxes sent should have a standardised cover sheet containing:
- The name, title and company name of both the sender and the recipient.
- Classification of the information being sent.
- The total number of pages faxed.
- A disclaimer stating that the information in the fax is confidential and that the information should not be distributed, copied or disclosed to any unauthorized persons.
- Instructions for the recipient to follow if the fax is received in error.
You can also include a check box where the sender can indicate whether he or she would like the recipient to confirm that they have successfully received the transmission.
The sender should ensure the fax number of the header sheet corresponds with the number displayed on the machine before being transmitted, particularly if speed diallers are used. When information marked "confidential" is being sent, the sender should phone ahead to alert the intended recipient that the fax is about to be transmitted, so that person can receive it directly from the fax machine.
Also within the corporate faxing policy, staff should be forbidden from leaving documents unattended while they're being transmitted and from leaving documents in the fax. Finally, users should print the fax's activity confirmation report showing the time the fax was sent, the destination fax number and the number of pages transmitted.
Your SOP should also detail what employees should do when an errant fax is received: Such faxes should never be forwarded to the recipient. Instead, employees should notify the sender that a fax was received in error and either return it or shred it, depending on what the sender requests. With other incoming faxes, the recipient should check the number of pages of the fax to ensure it matches the number listed on the cover sheet. In the event that pages are missing, the recipient should contact the sender and request a retransmission.
An office setup where all faxes are transmitted to a centralised machine that is accessible by all employees can be a vulnerability, especially in regard to the security of incoming faxes, as these can be easily read by anyone walking past. Depending on the nature of your business, you may need to create a safe-haven fax machine. This machine should have additional safeguards, such as being located in a secure room with controlled and audited access. Given that faxes can come in at any time of the day or night, this ensures that confidential information received during out-of-office hours is not compromised.
It's a good idea to appoint someone to be responsible for your fax machines to ensure pre-programmed numbers are regularly audited to check that the number is indeed current and accurate, and that automatic polling and delayed transmission are turned off. These settings could potentially allow for unattended transmission, which could be interfered with. They should also clear built-in message stores, page caches and incoming fax stores at least on a weekly basis and review the activity reports to ensure there has not been any unauthorized activity.
Most faxes send data over public telephone lines, so, again, depending on the nature of your business, you may want to consider using fax encryption technology. The drawback here is that both senders and recipients must have the same type of fax encrypting hardware, but these encryptions may be useful as a practical safeguard to be used among a closed group of users, such as within a department. SecuriFax from Business Security AB, or an Internet-based fax service such as Fax.com may solve some of your security concerns.
Finally, most people overlook or are not aware of the fact that many modern faxes, printers and copiers have large data drives that store an image of every document faxed, copied or scanned, and they need to be decommissioned with the same rigour as would a desktop or server. This is usually a lot easier if you use the security product available from most major vendors for their products. Sharp Electronics Corp., for example, offers a data security kit upgrade for its fax machines that encrypts data in memory and on the hard drive, as well as provides an overwrite function for the hard drive.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.