Last week, we spoke about the 3 common Microsoft myths that could be holding your business back.
Now, let’s look at the most common leaky buckets we see when reviewing Microsoft 365 environments.
When organisations think about data risk, the same things usually come to mind.
Malware.
Phishing.
Ransomware.
Human error.
But in reality, the biggest data risk we see when reviewing Microsoft 365 environments isn’t any of those.
It’s oversharing.
Not because people are careless or malicious – but because sharing settings are often left on by default, unmanaged, and rarely reviewed.
Over time, this creates a silent but significant data exposure problem.
The #1 leaky bucket in Microsoft 365
Uncontrolled sharing across Teams, SharePoint, and OneDrive is the most common issue we uncover in tenant reviews.
It usually shows up as:
- “Anyone with the link” sharing left switched on
- Old Teams and SharePoint sites still accessible
- External guests added years ago and never reviewed
- Files shared directly from OneDrive, bypassing site controls
- No clear ownership of who can share what (or with whom)
None of these feel especially risky on their own.
But together, they create an environment where sensitive information can easily end up in the wrong place – without anyone realising.
The warning signs tend to come late
Most organisations only become aware of oversharing when something goes wrong, for example:
- Sensitive files landing in the wrong inbox
- Suppliers retaining access long after contracts end
- External users editing or deleting internal documents
By that point, the issue isn’t just technical – it’s reputational, operational, and sometimes legal.
Why locking everything down isn’t the answer
The instinctive reaction is often:
“We need to stop people sharing things.”
But heavy restrictions usually create new problems:
- Collaboration slows down
- Users get frustrated
- People start working around the system instead of with it
The real fix isn’t less sharing.
It’s intentional sharing.
How to close the leak (without killing productivity)
Here are the five areas we recommend starting with.
1. Fix sharing defaults
Make sure your baseline settings support safe behaviour:
- Remove “Anyone with the link” where it’s not genuinely needed
- Default external sharing to Specific people
- Align OneDrive and SharePoint sharing policies
2. Add clear ownership
Every Team and SharePoint site should have:
- A named business owner
- At least two site owners
No owner = no accountability.
3. Review guest access regularly
External access should never be “set and forget”:
- Run quarterly guest access reviews
- Remove dormant or unknown users
- Use expiry policies where possible
4. Use sensitivity labels properly
Labels only work if they’re understood and enforced:
- Use clear labels like Public / Internal / Confidential
- Apply sharing rules based on data type
- Make sure users know when and how to use them
5. Train users on safe sharing
Most data leaks are accidental, not malicious.
Short, role-based guidance:
- Dramatically reduces risk
- Improves confidence
- Helps people make better decisions day to day
The key takeaway
Microsoft 365 doesn’t leak by default.
Misconfigured sharing does.
Fixing this one area:
- Reduces data risk
- Improves compliance
- Builds trust with users
- Keeps collaboration flowing safely
And the best part?
You can usually see meaningful improvements within weeks, not months.
Want a second pair of eyes?
If you’d like help, speak to us about our short Microsoft 365 sharing & guest access review. We’ll highlight where risk exists and what to prioritise first – no disruption, no scare tactics.
Just clarity, practical insight, and a clear path forward.
About Us
We’re a UK-based team specialising in building capability not just in systems but your people. AI strategy, automation, training, and implementation within Microsoft 365.
No jargon. Just practical guidance with measurable results, helping organisations make AI and M365 work for them, today and in the future.
For more, sign up to our Newsletter or get in touch with our team today for a no-obligation chat.
