Protect your sensitive business data with our guide to secure file storage and transfers. Learn about encryption, access controls, and the best tools for sharing files safely.
File storage and transfer practices are among the most significant data security risks for Australian businesses — not because of sophisticated attacks, but because of everyday habits: emailing sensitive documents, using personal Dropbox for client files, sending unencrypted attachments, or storing sensitive data on personal devices.
The Australian Privacy Act places obligations on businesses to take reasonable steps to protect personal information. This guide covers what “reasonable steps” looks like in practice for file storage and transfer.
The Risks You Are Actually Managing
Accidental disclosure: Files shared via email can be forwarded to unintended recipients. A “Reply All” with an attached client report goes further than intended. A shared link sent to the wrong email address exposes the document.
Interception in transit: Files sent over unencrypted connections (standard email, unencrypted FTP) can be intercepted on compromised networks. This is rare, but the risk is real for highly sensitive documents.
Unauthorised access to storage: Files stored in poorly configured cloud storage — public SharePoint links, shared drives with overly broad permissions — can be accessed by people who should not have access.
Malware delivery: File transfers are a primary vector for malware delivery. A ZIP attachment from an unknown sender is a classic payload delivery mechanism.
Secure Storage: What Good Looks Like
For Business Files: SharePoint and OneDrive
Microsoft SharePoint (for shared business files) and OneDrive (for individual files) are the standard for Microsoft 365 organisations. Both provide:
- Encryption at rest and in transit
- Granular access controls (specific users, groups, or organisation-wide)
- Version history and recycle bin for recovery
- Audit logging of who accessed and modified files
- MFA-protected access
- DLP (Data Loss Prevention) policies to flag sensitive content
If your organisation is using Microsoft 365 and still relying on local file servers, shared network drives, or personal Dropbox accounts for business files, you have a security and compliance gap worth addressing.
Access Control Principles
Apply the principle of least privilege: staff should only have access to the files and folders their role requires. This is rarely implemented perfectly, but “everyone has access to everything” is a serious risk.
Practical steps:
- Review SharePoint permission groups quarterly
- Remove access immediately when staff leave
- Avoid sharing files with “Everyone” or “All authenticated users” by default
- Use SharePoint groups rather than individual permissions (easier to manage)
Secure File Transfer: Matching Method to Sensitivity
Not every file transfer needs the same level of security. Match the mechanism to the sensitivity of what you are sharing.
Low Sensitivity (Internal, Non-Confidential)
Teams, email, standard SharePoint sharing. These are encrypted in transit and protected by your organisation’s authentication controls.
Medium Sensitivity (Client Documents, Business-Confidential)
SharePoint sharing with specific people (not “anyone with the link”). The recipient receives a link that requires authentication. You can set expiry dates on shared links and revoke access at any time.
Avoid: Attaching sensitive documents to standard email. Use a SharePoint or OneDrive link instead — it provides access tracking, can be revoked, and does not create uncontrolled copies in email inboxes.
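The access review steps under Access Control Principles and the link-sharing guidance in this section can be checked mechanically against a permissions export. The following is an added example, not part of the original guide or any Microsoft tool; the CSV column names, the sample rows and the audit_permissions function are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this example,
# not a real SharePoint report schema; map your own export onto them.
SAMPLE_EXPORT = """path,principal,principal_type,link_scope,link_expiry
/Clients/Acme/report.docx,Anyone with the link,link,anyone,
/Clients/Acme/contract.pdf,jo@client.example,link,specific,2030-01-31
/Finance/Payroll,Everyone,group,,
/Finance/Payroll,Finance Team,group,,
/HR/Reviews,sam@corp.example,user,,
/HR/Reviews,lee@corp.example,user,,
/Projects/Tender,pat@partner.example,link,specific,
"""

# Principals the guide says not to grant access to by default.
BROAD_PRINCIPALS = {"everyone", "all authenticated users"}


def audit_permissions(export_text, active_staff):
    """Return (path, principal, issue) tuples for grants that break the guide's rules."""
    findings = []
    active = {address.lower() for address in active_staff}
    for row in csv.DictReader(io.StringIO(export_text)):
        path, who = row["path"], row["principal"].strip()
        kind, scope, expiry = row["principal_type"], row["link_scope"], row["link_expiry"].strip()
        if who.lower() in BROAD_PRINCIPALS:
            findings.append((path, who, "broad group"))
        if kind == "link" and scope == "anyone":
            findings.append((path, who, "anonymous link"))
        if kind == "link" and not expiry:
            findings.append((path, who, "link never expires"))
        if kind == "user" and who.lower() not in active:
            findings.append((path, who, "departed staff"))
        elif kind == "user":
            findings.append((path, who, "direct grant, use a group"))
    return findings


if __name__ == "__main__":
    staff = ["sam@corp.example"]  # constructed list of current staff
    for finding in audit_permissions(SAMPLE_EXPORT, staff):
        print(*finding, sep=" | ")
```

Run against a real export on the same schedule as the permission review, feeding the current staff list from HR or the directory so that leavers surface on the day they depart.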
High Sensitivity (Legal Documents, Financial Records, Health Information)
Options:
- Encrypted email: Microsoft 365 Message Encryption (OME) encrypts emails end-to-end and requires recipients to authenticate before viewing. Available in most M365 business plans.
- Password-protected files: For documents that must be attached (PDFs, Word docs), apply document-level password protection and communicate the password via a separate channel (phone or SMS).
- Secure client portals: For practices that regularly share sensitive documents with clients (legal, accounting, financial planning), a dedicated secure client portal (e.g. ShareFile, Citrix Content Collaboration) provides audit trails, recipient authentication, and controlled distribution.
What to Avoid
- Standard unencrypted email for sensitive attachments: Widely used, not secure. At minimum, use SharePoint sharing links.
- Consumer file sharing services: Dropbox, Google Drive personal accounts, and WeTransfer do not have the enterprise access controls, Australian data residency guarantees, or compliance logging that business data requires.
- USB drives for sensitive data: Physical media is easily lost. If USB is unavoidable, use encrypted drives.
Australian Data Residency Considerations
Under the Australian Privacy Principles, personal information must be protected when sent overseas. Most major cloud providers — Microsoft, Google, AWS — offer Australian data centres, but not all storage configurations guarantee Australian residency.
For Microsoft 365, Australian data residency for core data is available on all business plans when the tenant is created with an Australian region selection. Verify your tenant’s data location in the Microsoft 365 Admin Centre under Settings → Org Settings → Organization Profile.
Building Better File Security Habits
The biggest improvements in file security come from habit changes, not technology purchases:
- Stop emailing sensitive attachments. Use SharePoint links.
- Review and tighten SharePoint permissions at least twice a year.
- Remove access on the day staff leave, not weeks later.
- Don’t use personal cloud storage for business files.
- Train staff to recognise malicious attachments — file types to be wary of (.exe, .zip, .docm, unusual file extensions).
CX IT Services helps Melbourne businesses configure SharePoint correctly, implement DLP policies, and establish file handling procedures that comply with Australian privacy requirements. Contact us to discuss your current file security posture.