Most businesses believe their document security is adequate. Most are wrong. Here are five warning signs that suggest your current setup has gaps — and they're more common than you'd expect.

1. Your most-used sharing method is email attachments

If the default answer to "how do I share this document" in your firm is "I'll email it," you're not in control of your sensitive information. Once a PDF is in someone's inbox, you've lost the audit trail, you can't revoke it, and you can't watermark it. Every forwarded attachment is a lost chain of custody.

2. You can't say who viewed a specific document last Tuesday

Try this exercise: pick a sensitive document you shared last week and try to generate a list of everyone who opened it, when, from where, for how long. If you can't do it in under two minutes, you don't have audit visibility. Shared drives and email don't give you this.

3. You rely on "need to know" folder permissions

Folder-level permissions in SharePoint, Google Drive, or a network file share are usually a sprawling mess. Nested folders inherit permissions in ways people don't remember. Ex-employees still have access weeks after they've left. Contractors have access to parent folders they shouldn't. If you can't tell me right now who has access to your "Client Files" folder, you have a permissions problem.

4. Your passwords are in a spreadsheet

You'd be surprised. Data room passwords, client portal logins, shared service accounts — far too many firms keep them in a spreadsheet on a shared drive. That spreadsheet is itself a sensitive document, and if it's on the same shared drive as everything else, a single permissions mistake exposes your entire security boundary.

5. You've never had a breach (that you know of)

This is the quietest warning sign. If you've never had a reported incident, it could mean you're running a tight ship — but it could also mean you don't have the visibility to detect one. The OAIC reports that the median time to detect a data breach in Australia is 204 days. In the meantime, documents can be downloaded, forwarded, and copied without you ever knowing.

What to do about it

Move sensitive external sharing to a data room with per-document audit trails. Review shared drive permissions quarterly. Use a proper password manager. And set up alerts for unusual access patterns. None of this requires a massive budget, and all of it is cheaper than a breach.