
…And what you can do to fix it.
Google Drive and Dropbox have become staples for modern teams, and for good reason – they’re simple, affordable, and easy to use. But as privacy regulations tighten and security expectations grow, many businesses are discovering a hard truth:
Convenience doesn’t equal compliance.
(Note: we’ll cover the recent changes to Australia’s Privacy Act in a future post, so keep a keen eye out for this soon.)
If your organisation handles sensitive information, works in a regulated sector, or wants to partner with security-conscious clients, general-purpose file storage systems are likely to stop you from getting in the door.
Below are five red flags that your system might be falling short, and why it matters now more than ever.
1. No Audit Trail
Can you reliably track who accessed what, when, and why?
Audit trails are no longer a “nice to have.” They’re now an expected feature in any system that handles personal or sensitive information. Without them, you can’t demonstrate who has viewed, changed, or shared a file – a serious issue if you’re ever asked to show compliance with data protection standards like ISO 27001 or the Privacy Act. Unfortunately, many out-of-the-box solutions that businesses use for handling sensitive information don’t provide that kind of clarity.
Why it matters:
In the event of a breach or complaint, regulators and clients will expect evidence. No logs = no defence.
2. Inconsistent Version Control
When documents are duplicated, downloaded, edited offline, or renamed across shared folders, it becomes difficult (or often even impossible) to know which version is the latest and most accurate.
This isn’t just inefficient; it opens the door to poor decision-making, accidental leaks, or even legal disputes if the wrong version of a contract or report is used.
Why it matters:
Without enforced version control, you risk data inconsistencies, approval confusion, and a serious lack of accountability.
3. Broad or Outdated Access Permissions
It’s incredibly common for organisations to grant broad folder access and then forget about it. Staff leave, roles shift, and suddenly people can see documents they shouldn’t.
Most generic file storage platforms don’t offer fine-grained, role-based access by default, making it hard to control or audit who has access to what at any given time. Permissions can be difficult to control with tools that aren’t built for purpose.
Why it matters:
Excessive or outdated access increases the risk of internal leaks, accidental exposure, or non-compliance with your organisation’s data handling obligations.
4. No Lifecycle Management
Files don’t just need to be stored; they need to be managed. That includes knowing when a file was created, when it’s no longer needed, and when it should be securely archived or deleted. This highlights the importance of how and where you archive sensitive documents and information – being set up the right way isn’t just about what happens today…
General storage platforms typically lack features like retention policies, archiving rules, or expiry settings, leaving sensitive files to accumulate indefinitely.
Why it matters:
Storing personal or sensitive information beyond its purpose exposes you to unnecessary risk and can be considered a compliance breach under regulations like the Privacy Act.
5. Not Built on Zero Trust Architecture
Tools like Google Drive and Dropbox are well-suited for general-purpose file sharing and collaboration, but they are not optimised for high-security or compliance-heavy environments. While they support per-file access controls, they do not natively enforce more advanced policy features—such as mandatory access control models, file-type-specific governance, or contextual, risk-based access decisions. These are often critical for organisations seeking to implement a full Zero Trust model.
Zero Trust security assumes no implicit trust, even for internal users, and requires continuous verification of identity, device posture, and access context. To support this model effectively, organisations often require more specialised platforms that provide built-in support for strict policy enforcement, auditability, and least-privilege access by design.
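An added example, not from the original post or from any product it mentions: a minimal per-request access decision in the spirit of the paragraph above, where identity, device posture and context are re-checked on every request, access is deny-by-default, and every decision is written to an audit record. The roles, sensitivity labels, field names and policy table are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical least-privilege policy: (role, sensitivity label) -> allowed actions.
# Anything not listed here is denied.
POLICY = {
    ("hr", "confidential"): {"read", "write"},
    ("finance", "confidential"): {"read"},
    ("staff", "internal"): {"read"},
}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool      # identity verified for this session
    device_compliant: bool  # device posture (managed, patched, encrypted)
    network: str            # access context: "office", "vpn" or "unknown"
    label: str              # sensitivity label of the requested file
    action: str             # "read" or "write"

AUDIT_LOG = []  # stand-in for append-only, tamper-evident log storage

def decide(req, now=None):
    """Evaluate one request from scratch; no trust carries over from earlier ones."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified")
    if not req.device_compliant:
        reasons.append("device posture failed")
    if req.label == "confidential" and req.network == "unknown":
        reasons.append("untrusted context for confidential data")
    if req.action not in POLICY.get((req.role, req.label), set()):
        reasons.append("role not granted this action")
    allowed = not reasons
    # Record denials as well as grants: who, what, when, and why.
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": req.user, "action": req.action, "label": req.label,
        "allowed": allowed, "reasons": reasons,
    })
    return allowed, reasons

if __name__ == "__main__":
    # Constructed sample requests.
    print(decide(Request("ana", "hr", True, True, "office", "confidential", "write")))
    print(decide(Request("raj", "finance", True, True, "vpn", "confidential", "write")))
    print(decide(Request("ana", "hr", True, False, "unknown", "confidential", "read")))
```

The third request shows the Zero Trust point: the same HR user who was allowed a moment earlier is denied once device posture and context change.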
(Want to know more about Zero Trust Information Management? Reach out to the Combase team here and we’ll give you the complete overview.)
Why it matters:
If your platform allows broad access once someone is “in,” you may be vulnerable to both internal and external threats and unable to meet modern security expectations. With Zero Trust Information Management set up as part of your system(s), you’re in complete control.
So… What Should You Do About It?
Start by asking:
- What information are we storing, and how sensitive is it?
- Where is the information being stored?
- Who can access it, and can we prove that access is appropriate?
- Do we have audit logs, version control, and clear governance policies?
If the answer to any of those is unclear, it’s time to reassess.
At Combase, we lean on our 4 decades of experience when working with growing organisations to:
- Identify gaps in existing file and data handling practices
- Advise on and help design secure, scalable systems that meet real-world compliance obligations
- Provide practical guidance for teams who want to do better, without unnecessary complexity or inflated costs
We provide strategic, security-led advisory and support that helps you build confidence, transparency, and control into your operations.
Secure your data and your credibility
Talk to us about how to bring structure, security, and accountability to your file storage and information management workflows. Reach out via email here to start the conversation – your future self will thank you for it.