data.day

‘Just Share a Drive’: The Lie That Costs Us Sign-Off

Shared drives feel easy until the client sees a file they weren't supposed to. Stop relying on luck and start managing access.

The Permission Panic

It is Tuesday morning. The team is moving fast. We are collaborating with the client’s internal IT team and their external Audit firm.

Someone on our team—trying to be helpful, trying to be fast—creates a Google Drive folder. They hit “Share with anyone with the link” because the Audit firm has weird firewalls.

Two hours later, I get a ping. “Paolo, why can the Auditors see the ‘Internal_Margin_Analysis’ sheet?”

My heart stops. Mamma mia.

The drive settings inherited permissions. The internal folder was inside the shared folder. The link gave access to everything.

This is not a technical glitch. This is a professionalism failure.

The Old Way: The “Hope and Pray” Model

We tell ourselves that shared drives are “agile.” We are lying. They are lazy.

When you use a basic shared drive (Google Drive, Dropbox, generic SharePoint links), you are operating on Hope.

  • You hope nobody drags a private file into the public folder.
  • You hope the client doesn’t forward the link to a competitor.
  • You hope the “Editor” doesn’t accidentally delete the master copy.

Hope is not a strategy. And in a high-stakes deal, lack of control looks like incompetence. If I cannot control who sees the document, how can the client trust the document?

The Deliverable: Access by Role, Not by Luck

We need to stop “sharing folders” and start “provisioning access.”

This sounds like IT speak. It is not. It is Deal Speak.

We use a Deal Room where I can define Roles.

  • The Client: View Only. No Download. (They can look, but they cannot steal).
  • The Lawyer: Download allowed. (They need to redline).
  • The Banker: Upload allowed. (They need to add the models).

I set this up once. I add users to the bucket. I do not touch individual file permissions.

And the most important part? The Audit Trail.

I can see exactly who opened what. “Did the client read the risk disclosure?” I check the logs. Yes, they opened it at 14:02 on Tuesday.

Now I have proof. I have control. I have a professional environment that respects the sensitivity of the data.

“Shadow IT” does not mean being reckless. It means using better tools than the standard issue. Use a tool that understands the difference between a Partner and an Intern. Subito.

FAQs

Why is a shared drive bad? It is fast.

It is fast to set up, and fast to destroy your reputation. One wrong click and you leak sensitive data.

Doesn't a portal take too long to set up?

Not if you use the right tools. I can set up a secure room faster than you can figure out SharePoint permissions.

Do clients really check the audit logs?

They don't check until something goes wrong. Then, the audit log is the only thing that saves you.