Hacker News

watwut, yesterday at 3:16 PM (4 replies)

No amount of beating low level employees will change whether they can accept pdf sent by email or not.

And also, they are not supposed to use their intuitive ideas about what is and what is not dangerous use of software. When they do use their intuitive ideas, hacks happen. Karen here doing what she was told and accepting only formats that her organization's security team told her to do is Karen doing the correct thing.

We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us. And we are all paid way more than Karen, but are the first to call Karen an idiot when the hack happens. Karen does not know why pdf is different from doc or whatever. Nor is she required to know.


Replies

callmeal, yesterday at 3:47 PM

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

Yes, but a boss being unable to receive a fax because the machine is "otherwise occupied" may do that.

cortesoft, yesterday at 4:43 PM

> We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us.

I don’t think that is true. Rules that you have to use a fax machine are enshrined in outdated laws. No IT professional is going to say to use a fax machine for security.

The same thing is true for a lot of security practices. Our company had silly password rotation policies because of certification requirements, not because our IT team thought it was necessary.

trinsic2, yesterday at 3:22 PM

Disagree. Employees need to be responsible and make their voices heard. The whole thing was justified. We enable nightmares with our acquiescence.

johnnyanmac, yesterday at 3:38 PM

>No amount of beating low level employees will change whether they can accept pdf sent by email or not.

I disagree. I'm sorry Karen here needs to bear the brunt, but if this kept up, at some point Karen's boss will take notice, and then it moves up the chain to someone who can affect that policy.

Companies purposefully set us up to communicate bottom-up, so we can either play the game or break the law.

>People who are responsible for overreaching unreasonable security rules ... are basically us

No, it'd be a policy maker or CEO who thinks we're in the 90's and that secure email documentation isn't a thing. "We" could suggest so many ways to handle it that would save costs while being more secure. We're not much higher on the totem pole than Karen.

Yet suddenly, we get these incidents and our bosses are suddenly rushing to IT to find a solution. As if 6 months of deliberation wasn't enough.
