Too Secure?

Is it possible to be too secure? This morning I was working on a personal financial matter that required me to send some information to another person. The information was on a paper document and I did not have a machine-readable version of it. I scanned the document and sent it via email as an eFax attachment. I first called the person to let them know that I would be sending the email. By making the call I was able to verify that the person was who they said they were, and the person would then be able to expect the email, who it was coming from, and what it contained. Five minutes later I got a call.
The person said that he had been informed by the IT department that they do not allow efx (the file type for eFax) attachments. Period. “Tell the sender they have to send a paper fax”, he was told. They do, however, allow PDF attachments. This company’s policy is just plain wrong. It is analogous to a bank deciding that in order to avoid bank robbers coming into the bank they will build a wall around the bank and only allow people in who “look like” they are not a bank robber. There is no debate about attachments being potentially very dangerous. Any attachment — not just ones that you are not familiar with. Viruses can be carried in any attachment I can think of — including PDF files.
A more informed policy would focus on authentication. At a minimum a company should have a procedure to allow important business information to be received via email. The procedure can be very simple. If the recipient knows that an attachment with a specific name and file type (e.g. important_document.efx) will be arriving from a specific person (e.g. [email protected]) at a specific time (e.g. within the hour) then what is the risk in receiving that email attachment? Extraordinarily small. If a company has a *lot* of exceptions then there must be a reason and the IT department should provide a solution. There are numerous solutions to making the process simple. One is to use the digital ID process that is built into IBM, Lotus, Microsoft, and other software. Digital IDs are simple to use and provide for encryption in addition to authentication. Another solution is to establish a web site that allows a user to securely upload and download documents. There are many ways to accomplish the goal. Telling the customer to “fax it” is not a very progressive one.
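The pre-announced exception described above could be checked at a mail gateway along these lines. This is an added example, not code from the original post; the names Expected, check_message and build_sample and the example.com addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

@dataclass(frozen=True)
class Expected:
    """What the recipient was told on the phone to expect (hypothetical record)."""
    sender: str            # announced sender address
    filename: str          # announced attachment name, including file type
    not_before: datetime   # when the announcement was made
    window: timedelta      # e.g. "within the hour"

def check_message(raw, exp, received_at):
    """Return the reasons to refuse the exception; an empty list means it matches."""
    msg = message_from_string(raw)
    reasons = []
    # The From header alone proves nothing; the post pairs it with a phone
    # call and recommends digital IDs for real sender authentication.
    if parseaddr(msg.get("From", ""))[1].lower() != exp.sender.lower():
        reasons.append("unexpected sender")
    # Use the gateway's own arrival time, not the sender-supplied Date header.
    if not exp.not_before <= received_at <= exp.not_before + exp.window:
        reasons.append("outside announced time window")
    # Exactly one attachment, with exactly the announced name and type.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if names != [exp.filename]:
        reasons.append("attachment does not match announcement")
    return reasons

def build_sample(sender, filename):
    """Constructed sample message, so the example runs offline."""
    m = EmailMessage()
    m["From"] = f"Sender <{sender}>"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Scanned document"
    m.set_content("As discussed on the phone.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    exp = Expected("alice@example.com", "important_document.efx",
                   start, timedelta(hours=1))
    ok = build_sample("alice@example.com", "important_document.efx")
    print(check_message(ok, exp, start + timedelta(minutes=5)))
```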
The good news is that I have a very current example to use in my keynote at the Inside ID Conference next week where I will be talking about the importance of digital IDs.