Babble Blog

Taking Control of Your Data

Written by Nisha Sondhi | May 26 2026

You’ve invested in Microsoft 365. You’ve got security tools in place. Someone internally looks after IT. Access permissions were set up at some point. And generally speaking, you trust your people. So, you believe your business is reasonably secure.

But do you know where your most sensitive data lives today? Who has access to it? How is it being shared externally? When were those permissions last reviewed properly?

That’s where many leaders realise they don’t have nearly as much visibility as they thought they did. Not because they’re careless. They’re simply trying to keep collaboration moving quickly while managing increasingly complex environments with small, stretched IT teams. But over time, files spread across Teams, SharePoint, cloud storage, email attachments, and external links until sensitive data becomes incredibly difficult to govern properly.

Oversharing has quietly become one of the biggest cyber risks organisations face today. As a Cyber Security Specialist at Babble, I spend a lot of time helping businesses understand where these governance gaps exist, how data exposure develops over time, and why insurers, regulators, and customers are becoming far more focused on visibility and control.

And the challenge isn’t necessarily that organisations lack security tools. More often, they simply don’t know where sensitive data lives, who can access it, and how it’s being shared as the business evolves. That’s exactly what I unpack in this article, alongside some practical ways to regain control without slowing collaboration down.

How everyday shortcuts create hidden exposure

When people hear the phrase “oversharing”, they usually think about awkward social media posts. But from my perspective as a cyber security specialist, the bigger issue is what’s happening quietly inside businesses every single day.

Most SMBs don’t suddenly lose control of their sensitive data overnight. It happens gradually.

Someone shares a Teams link externally because it’s quicker. An employee changes departments but keeps all their previous access rights. A project folder gets opened up to everyone temporarily, and access never gets restricted again. A colleague downloads a file locally because they can’t find the latest version quickly enough.

Individually, none of those decisions feels dangerous. In fact, most are made with good intentions. People are simply trying to collaborate faster and keep work moving.

But over time, those small operational shortcuts start stacking up.

Permissions expand. External sharing becomes normalised. More employees gain access to information they don’t really need. And eventually, organisations reach a point where nobody has a completely clear picture of who can access what anymore.

That’s the part that worries me most: once visibility starts to disappear, control usually disappears with it.

Data sprawl is often invisible until it becomes a problem

One of the things I see repeatedly when working with SMBs is what I’d describe as “silent data sprawl”. Sensitive information slowly spreads across SharePoint, Teams, local drives, email attachments, cloud storage platforms, and third-party apps until the environment becomes incredibly difficult to govern properly.

At that point, organisations often lose track of the master copy. Multiple versions of the same document exist in different places. Files have been downloaded, edited, duplicated, and reshared multiple times. Sensitive information sits across disconnected locations with inconsistent permissions and little classification. And because everything still appears to function normally, nobody immediately sees the risk building under the hood.

That’s why we often say, “You can’t protect what you can’t see.” Because the real challenge isn’t always the lack of security tools. It’s the lack of visibility over where sensitive data lives, how it’s moving, and who can actually access it.

Oversharing is usually accidental, but the damage still counts

Modern collaboration tools make sharing incredibly easy, sometimes too easy. You can now share files through Teams, SharePoint, external links, cloud storage, guest accounts, and AI-powered tools in seconds. But very few organisations have built governance processes that have evolved at the same pace as those technologies.

What makes this particularly difficult is that most SMBs don’t intentionally create these scattered environments. Usually, they’re trying to make collaboration easier. They trust their employees. They want teams to work quickly without unnecessary friction.

The problem is that the convenience of “everyone having access to everything” almost always expands faster than governance. And honestly, not everybody needs access to all company data.

At Babble, for example, there is certain highly sensitive data that I don’t need access to for me to do my job effectively. That’s normal, and unless you’re the CEO, I’m sure you can agree. Good governance isn’t about restricting people unnecessarily; it’s about understanding who genuinely needs access to what and when.

I understand that it’s much easier to have overly broad permissions, especially in smaller businesses where there’s often one person wearing several hats: infrastructure, compliance, support, cyber security, vendor management, and everything in between. So governance reviews naturally fall down the priority list.

But from a cyber security perspective, not staying on top of your data creates a risk that silently grows over time. And that delayed discovery is where situations become particularly dangerous.

The longer the exposure goes unnoticed, the worse it gets

In cyber security, we often talk about “dwell time”, which is essentially the amount of time exposure exists before the organisation realises something has gone wrong. The longer sensitive data remains exposed, the greater the potential impact becomes. If someone malicious has access to that information, extra time gives them more opportunity to use it, copy it, manipulate it or distribute it further.

And by the time the organisation discovers the exposure, the damage has often already started. This brings me back to the importance of having governance conversations as early as possible. Too often, we hear versions of: “We’ll deal with that if something happens.”

But take it from me, prevention is always less painful than recovery.

AI and collaboration tools changed the game

This matters especially now that insurers, regulators, and customers are all becoming much more focused on data governance.

A few years ago, cyber insurance conversations were relatively straightforward. Businesses could purchase policies without needing to demonstrate significant governance maturity. That’s changed dramatically. Insurers now want evidence. They want to see multi-factor authentication (MFA) on everything. They want to understand how access is managed. They want proof that policies are reviewed and tested. And increasingly, they want organisations to demonstrate visibility over how sensitive data is handled.

The same pressure is coming from compliance frameworks like Cyber Essentials and ISO 27001, where governance, access controls, and policy management are becoming increasingly important.

Check out this article for a deeper dive into the Cyber Essentials April 2026 changes.

But this goes beyond compliance. This is really about operational resilience, trust and good old housekeeping.

Your customers trust you with sensitive information, so you need to know where that information lives, who can access it, and how it’s being protected. Otherwise, you’re relying on an assumption rather than visibility (which isn’t exactly a security strategy).

Good governance is about visibility, not restriction

Governance should reduce friction, not create it

You might get frustrated when you hear words like “controls”, “policies”, or “data governance” and immediately imagine productivity slowing down. But good governance should never feel like punishment for employees.

The goal is to make environments easier to manage because data governance gives you clarity. It helps organisations understand what data is sensitive, who owns it, what controls need to exist around it, and how sharing should happen safely.

That’s where things like data classification and Data Loss Prevention (DLP) become incredibly valuable. But before jumping straight into enforcement tools, you first need visibility.

You can’t enforce sensible controls around data you haven’t identified properly yet. This is where the HIDDEN framework comes in. It helps businesses understand what sensitive data they hold, where it exists, who currently has access to it, and how it’s being shared internally and externally.

Governance is not a one-time exercise

Governance isn’t something you implement once and forget about, either. Businesses evolve constantly. Employees change roles. Teams restructure. Suppliers come and go. Collaboration expands. New technologies appear. AI tools enter workflows. If governance processes don’t evolve alongside the business, access exposure slowly starts creeping back in again.

This is why regular reviews matter so much. One of the simplest but most valuable questions your organisation can ask is: “Does this person still genuinely need access to this data?” You’d be surprised how often the honest answer is no.

When sensitive data is exposed, speed matters

If your most sensitive data were exposed today, what should you do? It’s not a nice thought, but it’s another critical question to ask, because many of the organisations I’ve worked with over the years don’t have a clear answer.

When advising a business dealing with active exposure, my priority will always be containment:

  1. Revoke the sharing links if possible.
  2. Disable access immediately.
  3. Understand what data was exposed.
  4. Identify whether anybody accessed the files.
  5. Review audit logs.
  6. Determine the severity of the situation.

From there, the business can start understanding what failed operationally and where the gaps exist.
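
The containment steps above can be turned into a repeatable triage over exported data. The following is an added example, not code from Babble or from Microsoft: it joins a sharing-link inventory with audit events to decide which links to revoke first, who outside the organisation touched them, and how long each was exposed. The CSV layout, column names, domain and sample rows are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

INTERNAL_DOMAIN = "example.co.uk"  # assumption: the organisation's own domain
# Constructed sample data in a hypothetical export format (not a real M365 schema).
LINKS_CSV = """link_id,file,scope,sensitive,created
L1,Finance/payroll-2026.xlsx,anonymous,yes,2026-03-02T09:00:00
L2,Projects/kickoff-notes.docx,anonymous,no,2026-04-10T14:30:00
L3,HR/grievance-case.docx,guest,yes,2026-05-01T11:15:00
L4,Sales/price-list.pdf,internal,no,2026-01-20T08:00:00
"""
AUDIT_CSV = """time,link_id,actor,operation
2026-03-05T10:12:00,L1,anonymous,FileDownloaded
2026-04-18T22:40:00,L1,anonymous,FileAccessed
2026-04-11T10:00:00,L2,anonymous,FileAccessed
2026-05-02T09:01:00,L3,pat@supplier.example,FileAccessed
2026-05-03T16:20:00,L3,sam@example.co.uk,FileAccessed
"""

def triage(links_csv, audit_csv, detected_at):
    """Return links shared outside the organisation, most urgent first."""
    external_hits = {}
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if not row["actor"].endswith("@" + INTERNAL_DOMAIN):
            external_hits.setdefault(row["link_id"], []).append(row)
    report = []
    for link in csv.DictReader(io.StringIO(links_csv)):
        if link["scope"] == "internal":
            continue  # never left the organisation
        hits = external_hits.get(link["link_id"], [])
        sensitive = link["sensitive"] == "yes"
        # high: sensitive AND externally accessed; medium: one of the two
        severity = "high" if sensitive and hits else "medium" if sensitive or hits else "low"
        created = datetime.fromisoformat(link["created"])
        report.append({
            "link_id": link["link_id"],
            "file": link["file"],
            "severity": severity,
            "exposure_days": (detected_at - created).days,
            "external_actors": sorted({h["actor"] for h in hits}),
            "downloaded": any(h["operation"] == "FileDownloaded" for h in hits),
        })
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(report, key=lambda r: (rank[r["severity"]], -r["exposure_days"]))

if __name__ == "__main__":
    for entry in triage(LINKS_CSV, AUDIT_CSV, datetime(2026, 5, 26, 9, 0)):
        print(entry)
```

The `exposure_days` field is the dwell time discussed earlier, measured from link creation to the moment of detection, and the `downloaded` flag separates data that was viewed from data that has left the environment as a copy.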

But if the exposure is severe enough, sometimes you have to make difficult decisions very quickly. In extreme cases, that may mean effectively “killing the switch” temporarily while you regain control of the environment and assess the damage properly.

That sounds dramatic, but remember, time is of the essence: delayed action is often what makes situations worse.

Visibility comes before protection

Losing control of your sensitive data doesn’t happen overnight. It happens over time. A Teams link gets shared externally because it’s quicker. Permissions are never reviewed after someone changes roles or leaves the business. Files get duplicated across various platforms until nobody is completely sure which version is the master copy anymore. And because everything still appears to function normally on the surface, the underlying risk often goes unnoticed.

That’s the real challenge businesses need to solve. Not by buying more tools, but by gaining clearer visibility over where sensitive data lives, who can access it, and how it’s being shared as the business evolves.

As a cyber expert who works closely with organisations on these challenges every day, I completely understand why governance often isn’t a priority. Internal IT teams are stretched thin, collaboration needs to happen quickly, and most businesses are simply trying to keep operations moving without adding unnecessary friction.

But taking control of your data relies on good governance. Understanding what sensitive data you hold, where it exists, and whether the right people still have the right level of access creates the foundation for everything else: from compliance and cyber insurance to customer trust and business continuity in the face of a breach.

Want a clearer view of your data exposure?

If you’re not fully confident that you can clearly see where your sensitive data lives today, who has access to it, or how it’s being shared internally and externally, the first practical step is gaining visibility into where your exposure sits.

Our Cyber Security Snapshot helps businesses like yours:

  • Identify data exposure risks,
  • Uncover unnecessary or outdated access,
  • Understand where governance gaps exist,
  • Prioritise what needs attention first, and
  • Track improvement over time.

Because the biggest data risks are often the ones you can’t yet see hiding inside your everyday collaboration habits, permissions, and processes.