Sharing files securely in SMBs: without making everyone learn a new app
Most data breaches at SMBs aren't caused by hackers — they come down to a wrongly shared link or a forgotten guest account. Here's how to get secure file sharing sorted in an afternoon.
You've probably seen it happen: a colleague quickly shares a document via WeTransfer, a supplier sends an Excel file containing customer data over WhatsApp, or someone opens a shared folder "just to be safe, for everyone." It works, and nobody complains — until a file ends up somewhere it shouldn't.
Secure file sharing sounds like something for large companies with a dedicated IT department. It isn't. With a few straightforward agreements, you can sort this out in an afternoon, without buying any new software. Here's a practical approach.
Why this matters (even if you're a small team)
Most data breaches at SMBs don't originate from hackers — they stem from a wrongly sent link or an attachment that's been sitting around too long. Think of:
- A quote containing customer data that's been publicly accessible via a shared link for months.
- A shared folder that last year's intern can still access.
- A ZIP file with payslips sent as a regular email attachment, without a password.
GDPR requires you to take "appropriate measures." For SMBs, that boils down to: make sure only the right people can access data, and only for as long as necessary.
Three types of files, three approaches
Before you start choosing software, first sort out what you're actually sharing. Not everything requires the same treatment.
1. One-off files to external parties
Think of a quote to a prospect, an invoice to your accountant, or a draft contract to a client. One-time sharing, with a defined recipient.
What works: the share link from OneDrive, SharePoint, or Google Drive, set to "specific people" or "anyone with the link and a password." Set an expiry date (14 days, for example). For truly sensitive matters: make the file read-only and remove download permissions for the recipient.
2. Ongoing collaboration
A project folder shared with an external designer, a shared schedule with your accountant, or a client file that two teams are working on.
What works: invite external parties as guests in your Microsoft 365 or Google Workspace environment and grant access per folder. Not per file (that quickly becomes unmanageable) and not at the top-level folder (they'll see more than intended). Put 15 minutes in your calendar every three months to review the guest list.
3. Large or confidential files
Video files, a database export, a folder full of scans containing personal data. Too large for email, too sensitive for a public link.
What works: a temporary shared folder with a password and expiry date, or an encrypted ZIP file where you send the password via a separate channel (phone, SMS). Not the same channel as the file itself — otherwise the password is pointless.
Four practical rules that make the difference
- Email is for files without sensitive content. A general brochure is fine as an attachment. A customer list, a payslip, or a copy of an ID document is not. In those cases, send a link with access control instead.
- Never use "anyone with the link" without an expiry date. That link lives forever, even if it gets forwarded. Set 7 or 14 days as your default.
- Work with folders, not individual files. Managing permissions file by file becomes a mess. Build a folder structure where access follows logically: a client folder, a supplier folder, an internal folder.
- Clean up when you're done. Project finished? External relationship ended? Remove access that same week. Not "later." Later never comes.
What to avoid
- Sharing work files via WhatsApp. You lose track of who has what, and files end up on personal phones.
- Passing USB sticks back and forth. We've written about this before: that one trade-show stick is a risk in itself.
- Using personal Dropbox or Google Drive accounts for business documents. When that employee leaves, the files leave with them.
- Putting the password in the same email as the file. Sounds obvious — happens every day.
A quick check for next week
No big rollout needed. Block half an hour and do these four things:
- Open your SharePoint, OneDrive, or Google Drive and check which share links are currently active. Most admin portals show this under "Shared" or "External access."
- Remove or restrict anything older than three months that's no longer needed.
- Set the default so that new share links expire after 14 days.
- Create one central place (an internal note or a short page) that explains: this is how we share files. Two pages is enough.
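As an added example (not code from the original article), the 14-day default and the quarterly guest review above, applied from PowerShell on a Microsoft 365 tenant; the tenant URL is a placeholder, and the SharePoint Online Management Shell and Microsoft.Graph modules are assumed to be installed with SharePoint admin and User.Read.All rights. Google Workspace is not covered here.

```powershell
# Added example, not from the article. Assumes the SharePoint Online
# Management Shell and Microsoft.Graph modules are installed.
# "<your-tenant>" is a placeholder for your own tenant name.
Connect-SPOService -Url "https://<your-tenant>-admin.sharepoint.com"

# Rule: never "anyone with the link" without an expiry date.
# Anonymous links created from now on expire after 14 days, and the
# link type offered by default becomes "specific people" (Direct)
# instead of an organisation-wide or anonymous link.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 `
              -DefaultSharingLinkType Direct

# Read the settings back so the change is verified, not assumed.
# Note: the expiry applies to anonymous links only; "specific people"
# links are governed by who you invited, not by this timer.
Get-SPOTenant |
    Select-Object RequireAnonymousLinksExpireInDays,
                  DefaultSharingLinkType,
                  SharingCapability

# Quarterly guest review: list every guest account created more than
# three months ago, oldest first. Anyone you no longer recognise is a
# candidate for removal that same week.
Connect-MgGraph -Scopes "User.Read.All"
$cutoff = (Get-Date).AddMonths(-3)
Get-MgUser -Filter "userType eq 'Guest'" -All `
           -Property DisplayName, Mail, CreatedDateTime |
    Where-Object { $_.CreatedDateTime -lt $cutoff } |
    Sort-Object CreatedDateTime |
    Format-Table DisplayName, Mail, CreatedDateTime
```

The listing only tells you who the guests are; deciding whether each one still needs access is the 15-minute review the article describes.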
This may seem small, but it prevents 80% of typical breaches. The rest comes down to clear agreements — not more expensive software.
Want a second pair of eyes?
Want to know who currently has access to your folders, mailboxes, and shared systems? That's exactly what our access check is designed for: a structured review you can act on yourself. And if you want to keep your email secure during this kind of file exchange, take a look at email security with SPF, DKIM, and DMARC.
Full guide: Security for SMBs without an IT department: what are you doing this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.