Shared Drive Permissions Gone Wild: 7 Mistakes That Could Cost You (And How to Fix Them)

Shared drives are brilliant, until they’re not. When permissions go sideways, what starts as a convenient way to collaborate can quickly become a security nightmare. We’re talking about confidential files ending up in the wrong hands, ex-employees still rummaging through your company data, and a tangled mess of access rights that nobody can untangle.

If you’re using Google Shared Drives, Microsoft SharePoint, or any other cloud-based file sharing system, chances are you’ve made at least one of these mistakes. The good news? They’re all fixable. Let’s walk through the seven most common shared drive permission blunders and how to sort them out before they cost you.

1. Creating a Disorganized Folder Structure (AKA “The Digital Junk Drawer”)

The Mistake: You let your shared drive grow organically without any real structure. Files get dumped wherever, folders are nested eight levels deep with cryptic names like “New Folder (3)”, and nobody can find anything without a treasure map.

Here’s the problem: when your folder structure is a mess, you can’t effectively manage permissions. You don’t know where your sensitive data lives, which means you can’t protect it properly.

The Fix: Start with a solid folder structure from day one. Think of it like organizing your house: you wouldn’t just throw everything in a pile in the living room, right?

Create top-level folders for major categories (like Departments, Projects, or Clients), then build a consistent hierarchy underneath. Make naming conventions clear and enforce them. A clean structure doesn’t just help people find stuff; it lets you apply the right access controls in the right places.

If your drive is already a disaster zone, set aside time to do a spring clean. It’s painful, but it’s worth it.


2. Granting Permissions to Individual Users Instead of Groups

The Mistake: You give Sarah access to the marketing folder. Then Tom needs it. Then Jessica. Before you know it, you’ve got 47 individual user permissions scattered across your drive like confetti.

Fast forward six months: Sarah leaves the company, but her permissions are still sitting there like a ghost haunting your shared drive. Multiply that by every person who’s left in the past two years, and you’ve got a security mess.

The Fix: Always, always, always assign permissions to groups rather than individuals. Create groups for teams, departments, or project groups (like “Marketing Team” or “Project Phoenix”), then add users to those groups.

When someone leaves or changes roles, you just remove them from the group. Done. No orphaned permissions, no security gaps, and way less admin headache. Your future self will thank you.

3. Not Implementing Least Privilege Access (Or “Why Does Everyone Have Edit Rights?”)

The Mistake: You take the easy route and give everyone who needs access to a folder full editing rights. Sure, it’s simpler than thinking through who actually needs what, but it’s also a recipe for disaster.

Someone accidentally deletes an important file. Someone else “improves” a document they shouldn’t have touched. Another well-meaning team member reorganizes folders, and suddenly nobody can find anything.

The Fix: Implement the principle of least privilege. That’s a fancy way of saying: only give people the permissions they actually need to do their job.

If someone only needs to read a document, give them view-only access. If they need to add files but shouldn’t delete anything, adjust accordingly. Most shared drive systems offer multiple permission levels, so use them.

Yes, it takes a bit more thought upfront, but it saves you from permission-related disasters down the track.


4. Allowing “Everyone” or Overly Broad Share Permissions

The Mistake: Someone creates a shared link with “anyone with the link can edit” settings, and suddenly your financial projections are theoretically accessible to anyone on the internet. Or you’ve given the “Everyone” group access to folders containing sensitive client information.

It’s the digital equivalent of leaving your front door wide open because it’s easier than keeping track of keys.

The Fix: Lock down your default sharing settings so that files are private by default. Enforce policies that prevent external sharing unless explicitly approved.

For internal sharing, limit the “Everyone” group to truly public resources: company announcements, general policies, that sort of thing. Anything sensitive or departmental should have specific group permissions.

Most platforms let you set organization-wide sharing policies. Use them. And if you need to share externally, use expiring links or restricted access whenever possible.

5. Not Auditing File Sharing Activity (AKA “Flying Blind”)

The Mistake: You set up your shared drives, configure some basic permissions, and then… never look at them again. You have no idea who’s accessing what, who’s sharing files externally, or whether someone’s downloading massive amounts of sensitive data at 2 AM.

Without visibility, you can’t spot problems until it’s too late.

The Fix: Regular audits aren’t optional: they’re essential. At minimum, do a quarterly review of who has access to what. Look for red flags like:

  • External users with access to sensitive folders
  • Users with permissions they shouldn’t have
  • Inactive accounts that still have access
  • Overly permissive sharing settings

Most platforms offer audit logs and reporting tools. Set up alerts for suspicious activity like mass downloads, permission changes, or external sharing of sensitive files.
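
As an added example (not from the original article or from any platform's own tooling), the review above can be scripted against a permissions export. It also covers the individual-versus-group check from mistake 2. The field names, folder names, domain and addresses are constructed assumptions for illustration.

```python
# Constructed sample export: one row per permission grant on a folder.
# Field names (folder/type/email/role/expires) are assumptions for this
# example; map them to whatever your platform's sharing report provides.
COMPANY_DOMAIN = "example.com"
SENSITIVE = {"Finance", "Clients"}          # folders you treat as sensitive
INACTIVE = {"sarah@example.com"}            # suspended or departed accounts

GRANTS = [
    {"folder": "Finance", "type": "group", "email": "finance-team@example.com",
     "role": "editor", "expires": None},
    {"folder": "Finance", "type": "user", "email": "sarah@example.com",
     "role": "editor", "expires": None},
    {"folder": "Finance", "type": "anyone", "email": None,
     "role": "editor", "expires": None},
    {"folder": "Clients", "type": "user", "email": "contractor@partner.test",
     "role": "viewer", "expires": None},
    {"folder": "Clients", "type": "user", "email": "auditor@partner.test",
     "role": "viewer", "expires": "2030-01-01"},
    {"folder": "Announcements", "type": "domain", "email": None,
     "role": "viewer", "expires": None},
]


def audit(grants, inactive):
    """Return (folder, principal, finding) tuples, one per red flag."""
    findings = []
    for g in grants:
        who = g["email"] or g["type"]
        sensitive = g["folder"] in SENSITIVE
        external = bool(g["email"]) and not g["email"].endswith("@" + COMPANY_DOMAIN)

        # Link or whole-domain sharing is only acceptable for public, read-only content.
        if g["type"] in ("anyone", "domain") and (sensitive or g["role"] == "editor"):
            findings.append((g["folder"], who, "overly broad sharing"))
        # External users on sensitive folders; note grants that never expire.
        if external and sensitive:
            note = "external user on sensitive folder"
            if g["expires"] is None:
                note += ", no expiry"
            findings.append((g["folder"], who, note))
        # Accounts that should have been removed at offboarding.
        if g["email"] in inactive:
            findings.append((g["folder"], who, "inactive account still has access"))
        # Internal access granted to a person rather than a group.
        if g["type"] == "user" and not external:
            findings.append((g["folder"], who, "individual grant, use a group"))
    return findings


if __name__ == "__main__":
    for folder, who, finding in audit(GRANTS, INACTIVE):
        print(f"{folder:14} {who:26} {finding}")
```
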

If you’re a Google Workspace customer, check out our Google Workspace Health and Security Checkup service: it’s designed to catch exactly these kinds of issues.


6. Failing to Remove Access for Departing Employees

The Mistake: Someone leaves the company. You disable their email account, collect their laptop, and… forget to remove them from all the shared drives, cloud apps, and external sharing links they had access to.

Months later, they’re still technically able to access sensitive company information. Yikes.

The Fix: Build shared drive access removal into your offboarding checklist. Every single time someone leaves, review:

  • What shared drives they had access to
  • What individual files or folders they owned or managed
  • Any external sharing links they created
  • Any groups they were members of

Transfer ownership of their files to their manager or another team member, then remove their access completely. Don’t wait: do it on their last day.

Even better, set up a documented offboarding process that happens automatically. Your IT system or HR platform should trigger a checklist that includes revoking all file access.

7. Neglecting to Document and Monitor Your Permission Strategy

The Mistake: Permissions are managed ad hoc. Different people handle them in different ways. There’s no documentation about who should have access to what, or why. When someone asks “why does Sarah have access to this?” nobody knows.

This creates confusion, security gaps, and a ton of unnecessary work when you eventually have to untangle the mess.

The Fix: Document your permission strategy upfront. Create a clear guide that covers:

  • How folder structures should be organized
  • Who can grant permissions (and for what)
  • Default permission levels for different types of content
  • How often permissions should be reviewed
  • What to do when someone joins, changes roles, or leaves

Make this document accessible to everyone who manages shared drives. Then actually follow it.

Use your platform’s audit tools to generate regular reports on permission changes. Set up alerts for unexpected changes, like if someone suddenly gets admin access to your finance folder.

Review your permissions quarterly (at minimum) to make sure they still align with your current team structure and business needs.

Take Control Before It’s Too Late

Here’s the thing about shared drive permissions: the problems compound over time. What starts as one messy folder or one orphaned user account becomes dozens, then hundreds. The longer you wait to fix it, the harder it gets.

The good news? You don’t have to fix everything at once. Pick one mistake from this list, tackle it this month, then move on to the next one. Even small improvements make a big difference in your security posture.

And if you’re looking at your shared drives thinking “I have no idea where to even start”, that’s what we’re here for. Cloud-based collaboration is what we do, and we’ve sorted out more permission disasters than we can count.

Get in touch with us if you need help getting your shared drives under control. Sometimes you just need someone who’s seen it all before to point you in the right direction.


About Mathew

Mathew Hoffman started in IT in 1981 and has held senior technology roles at organisations including State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. A career highlight was working on technology for the Sydney 2000 Olympics.

Since 2001, Mathew has run his own IT consultancy serving small and medium-sized businesses. He became one of the original Google Partners in 2008 and re-branded his business to Cloud Computer Company in 2017, focusing on cloud-based solutions that help businesses work smarter.

Based in Noosa, Mathew enjoys cricket (having played and coached in both Sydney and the Sunshine Coast), spending time with family, the beach, and the occasional round of golf.


 
